HEUR:Trojan.Script.Generic

[Fendo]

Hello,

I’m getting a false positive on my website (e-commerce) and only at the payment page.
I have sent a message to lab support to validate and verify the issue 2 months ago, and no response from them, That is why I’m posting the issue here.

 

I have also checked the page against other security tools like Sucuri, follow the result:

 

And this is my Kaspersky version, and it is updated:

 

The test made by Kaspersky Threat Intelligence Portal:

 

Thanks for the attention and support!
​​​​​​​

[Flood and Flood's wife]

Hello @Fendo, 

Welcome!

TROJAN.SCRIPT.GENERIC

• ❓ When you say “ I’ve sent a message to lab support to validate and verify the issue 2 months ago, and no response from them “, did you actually raise an incident request? 
• If “no” please do so:  Kaspersky Technical Support, please provide a detailed history, images, they may ask for Traces, captured as the issue is replicated & they may also request a GSI & Windows logs.
• ❓ Ask them to determine if the detection is correct?
• After submitting the case, you’ll receive an automated email with an INC+12digits reference number, then, normally, within 5 business days, a Kaspersky Technical Support human will communicate with you, also by email, you may continue to engage with the Kaspersky Technical Team via email or by updating the INC in your MyKaspersky account.

Thank you🙏

Flood🐳

[Berny]

no response
 

Can you please provide the INC number.

[Flood and Flood's wife]

Hello @Fendo,

Additional to my previous reply, please also check the site certificate(s), as there appears to be an issue. 
SSL Report: loja2.livemind.com.br

Thank you🙏

Flood🐳

[Fendo]

Hello @Fendo, 

Welcome!

TROJAN.SCRIPT.GENERIC

• ❓ When you say “ I’ve sent a message to lab support to validate and verify the issue 2 months ago, and no response from them “, did you actually raise an incident request? 
• If “no” please do so:  Kaspersky Technical Support, please provide a detailed history, images, they may ask for Traces, captured as the issue is replicated & they may also request a GSI & Windows logs.
• ❓ Ask them to determine if the detection is correct?
• After submitting the case, you’ll receive an automated email with an INC+12digits reference number, then, normally, within 5 business days, a Kaspersky Technical Support human will communicate with you, also by email, you may continue to engage with the Kaspersky Technical Team via email or by updating the INC in your MyKaspersky account.

Thank you🙏

Flood🐳

Hi Flood, 

Thanks for the quick reply!
You are right, yesterday after opening this question here I discovered that I could open an Incident inside my account and so I did it.

The request I made a couple of months ago was straight in a kind of “test” webpage from Kaspersky, but I just inserted my e-mail contact, but was not logged inside My Kaspersky.

Now I have created an incident inside my account and the support already answered me with a couple of extra questions. Let’s see.
 

 

[Fendo]

Hello @Fendo,

Additional to my previous reply, please also check the site certificate(s), as there appears to be an issue. 
SSL Report: loja2.livemind.com.br

Thank you🙏

Flood🐳

But loja2 was an transition website. I’m not using loja2 anymore. Now it is loja.livemind.com.br

🤔

Interesting.. I have already deleted this loja2 from server
I will check if anything is left. Not sure how I will do it since this was in the old server.

Where or how did you find this loja2?

Thanks!

 

[Fendo]

no response
 

Can you please provide the INC number.

Sorry Berny, as a matter of fact I have opened a request to verify the issue on that website. But it was not inside my account so it did not generate a INC number. 
At that time I did not know I had this direct support. 

Thanks!

By the way, I now have a INC and support is already answering me.

If you allow this to stay open, I can return and give feedback on the findings of tech support.

[Flood and Flood's wife]

But loja2 was a transition website. I’m not using loja2 anymore. Now it is loja.livemind.com.br 
🤔 Interesting.. I have already deleted this loja2 from server. I will check if anything is left. Not sure how I will do it since this was in the old server. Where or how did you find this loja2?
Thanks!

Hello @Fendo,

You’re most welcome🙂 !

Re “Where or how did you find loja2 ?”

• I may have made a clumsy typing mistake😔 , my apologies; all I have is a screen image from my investigations yesterday as I’ve reset browsers throughout the period working on other “stuff” 

 

• Your topic remains “open” for as long as you wish, when the Technical Team provides feedback, we always appreciate hearing the outcome please?  
• To change the status of a topic from Question to Solved, simply select whichever reply you feel assisted you solve the issue. 

Thank you🙏

Flood🐳

[Fendo]

Re “Where or how did you find loja2 ?”

• I may have made a clumsy typing mistake😔 , my apologies; all I have is a screen image from my investigations yesterday as I’ve reset browsers throughout the period working on other “stuff” 

 

problably not a mistake since when I was transitioning my website to a new server I used the loja2.
We just checked and the loja2 was still on the DNS.. but now removed.

I’m waiting the support team answer. 
I’ll get back with the resolution here. 

Tks!

 

[Fendo]

Just found the issue was a plugin for WooCommerce called Flexible Checkout Fields, that was injecting a malicious code:

 ... eval ... (String.fromCharCode (118,97,114,32,115,99 ...


 

[Removed]

Stay away from them!

 

Thanks for all the support!
God bless you all.

 

[Fendo]

Additional info

https://www.bleepingcomputer.com/news/security/critical-bugs-in-wordpress-plugins-let-hackers-take-over-sites/
 

[Flood and Flood's wife]

Hello @Fendo,

You’re most welcome☺ !

We’re very glad you’ve found the root cause👍, however, posting URLs that may contain malicious code is never a good idea🙁

Thank you🙏

Flood🐳

[Fendo]

however, posting URLs that may contain malicious code is never a good idea🙁

 

You are right!

Thanks for all the attention and support!

[macro]

I was also facing the same with one of the site, but it was not kaspersky specific, the Trojan was on the site server. I contacted the site owner, and they fixed it.