MXroute Hostbill Panel Infected By Trojan ? False Alarm ?
I tried to log in to mxroute hostbill (https://accounts.mxroute.com/) but my antivirus (Bitdefender) told me it had to block the page because of malware:
We blocked this dangerous page for your protection: https://accounts.mxroute.com/templates/2019/dist/js/main.min.js Threat name: Trojan.Script.GenericKDZ.14194 Dangerous pages attempt to install software that can harm the device, gather personal information or operate without your consent.
I'm sorry that I had to post this on LET, because I cannot create a ticket to ask about this issue since the support page is also hosted on the same panel.
Is this true, or only a false positive from BitDefender?
PS. I also tried to access another hosting provider who uses Hostbill (manage.dediserve.com), but got no warning / block attempt from BitDefender.
Comments
https://www.virustotal.com/gui/url/ff54255a0dfa0bd551f7f9662e7538e575278a1d09bd6fa911001c9a3c2d4531?nocache=1
Thank you
POV: Mxtoolbox just made an antivirus
Jokes aside, I'm more concerned that your browser cache is polluted by a virus if the file itself passes an independent bitdefender scan.
As for dediserve they appear to be using an older version of the 2019 theme, last updated 04/09/2020: https://manage.dediserve.com/templates/2019/dist/js/main.min.js
Whereas I'm running the latest, which was updated just a few days ago: https://accounts.mxroute.com/templates/2019/dist/js/main.min.js
You actually have to upload the file; this is the correct analysis:
https://www.virustotal.com/gui/file/702aa6bbece0e3a32de3389a63fb32428e1888ed7256f08d660b6e7e6486329b
@jar
Interesting. I mean it's not a virus though lol
Seems not too uncommon based on Reddit posts about the threat name with BitDefender. Probably just blanket flags anything with a certain string lol... There's a reason many of these antimalware programs aren't being used anymore by people, especially with Windows Defender being as good as it is now.
Ticketed hostbill for it anyway. I mean the older version set off "Bkav Pro" who even knows what that is lol. But the new version triggering more, probably worth a review. False positive is technically an antivirus problem but you don't get a chance to tell someone that if they turn away.
Trojan.script.* is a detection for obfuscated JavaScript code. When the code is executed, it injects a hidden iframe that redirects the user to a malicious site.
The obfuscated JavaScript code is typically found on compromised web sites, buried within legitimate HTML and JavaScript code in order to remain undetected. The malicious JavaScript is obfuscated to prevent easy analysis of the source code and to avoid detection.
If the user visits a web page containing the malicious JavaScript and the browser is set to automatically run such code, it will try to inject a hidden iframe; the height and width of the iframe are set to 0 in order to hide it from the user's view. The iframe will redirect the user to an unsolicited, malicious web page, which may host various types of web-based attacks, such as exploits.
An example of the de-obfuscated malicious JavaScript code:
tl;dr
False positive.
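As an added illustration (not code from this thread, from Bitdefender, or from HostBill's theme), here is a toy version of the kind of static heuristic that a Trojan.Script.* style signature applies to the pattern the description above names: a script that builds a 0x0, hidden iframe, usually behind an eval(unescape(...)) packer layer. Every sample in it is constructed for the example, the host example.invalid is a reserved name that never resolves, and the indicator list and scoring rule are my own assumptions, not the vendor's. The point it demonstrates is the one the thread lands on: the same string-level indicators that catch the injector also fire on legitimate minified theme code that happens to create an iframe and hide a zero-height placeholder.

```javascript
// Added example: a toy static heuristic for "obfuscated JS drops a hidden
// 0x0 iframe". Not Bitdefender's logic; all samples are constructed.

// De-obfuscated injector, constructed for this example (example.invalid
// is a reserved name that never resolves).
const INJECTOR_SAMPLE = [
  "var f = document.createElement('iframe');",
  "f.src = 'http://example.invalid/landing';",
  "f.width = 0; f.height = 0;",
  "f.style.visibility = 'hidden';",
  "document.body.appendChild(f);",
].join("\n");

// Benign, minified-looking theme code, constructed for this example: it
// embeds a video in an iframe and hides a zero-height placeholder.
const THEME_SAMPLE =
  'function e(t){var n=document.createElement("iframe");n.src=t;' +
  'n.height=0;n.style.display="none";document.body.appendChild(n)}';

// Percent-encode every character, the form unescape()-based packers expect.
function percentEncode(s) {
  return Array.from(s, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? "%" + code.toString(16).toUpperCase().padStart(2, "0")
      : "%u" + code.toString(16).toUpperCase().padStart(4, "0");
  }).join("");
}

// Reverse of percentEncode; handles both %XX and %uXXXX forms.
function percentDecode(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (_, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16))
  );
}

// Wrap a script in one eval(unescape('...')) layer, as simple packers do.
function pack(src) {
  return "eval(unescape('" + percentEncode(src) + "'))";
}

// Peel eval(unescape('...')) layers statically, without executing anything.
function unpack(src) {
  const layer = /^eval\(unescape\('([^']*)'\)\)$/;
  let cur = src.trim();
  let m;
  while ((m = layer.exec(cur)) !== null) cur = percentDecode(m[1]).trim();
  return cur;
}

// String-level indicators a signature of this family typically keys on
// (assumed list, chosen for the example).
const INDICATORS = {
  eval_layer: /\beval\s*\(/,
  unescape_call: /\bunescape\s*\(/,
  percent_blob: /(?:%[0-9a-fA-F]{2}){8,}/,
  iframe_create: /createElement\s*\(\s*['"]iframe['"]\s*\)|<iframe\b/i,
  zero_size: /\b(?:width|height)\s*[:=]\s*['"]?0(?:px)?['"]?/,
  hidden_style: /(?:visibility\s*[:=]\s*['"]?hidden|display\s*[:=]\s*['"]?none)/,
};

// Score a script in both its packed and unpacked form. Rule (assumed):
// flag when an iframe is created and at least two other indicators hit.
function scoreScript(src) {
  const texts = [src, unpack(src)];
  const hits = Object.keys(INDICATORS).filter((name) =>
    texts.some((t) => INDICATORS[name].test(t))
  );
  const flagged = hits.includes("iframe_create") && hits.length >= 3;
  return { hits, flagged };
}

// Usage: both the packed injector and the benign theme code get flagged.
console.log(scoreScript(pack(INJECTOR_SAMPLE)));
console.log(scoreScript(THEME_SAMPLE));
```

Running it shows the packed injector lighting up all six indicators and the benign theme function lighting up three (iframe_create, zero_size, hidden_style), which is enough to trip the rule. That is exactly the shape of a heuristic false positive: the verdict on main.min.js depends on how many such strings a minifier happened to leave adjacent, not on what the code does. The practical check, as done earlier in the thread, is to submit the actual file to an independent multi-engine scan and compare against the copy the vendor says it deployed, rather than trusting either the block page or the "it's fine" reply alone.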
This is the reason I always disable bitdefender web attack protection.
It's cancer and blocks half of the internet.
And for extra good measure on that part, just because it's beneficial to dot all of my i's and cross all of my t's, I can confirm that main.min.js was replaced on August 29th at 21:15:14 server time as a result of an action that I took:
The IP being the result of the use of iCloud's Private Relay on my Mac Mini. I was about halfway through a sugar free red bull, because I don't want to get fatter.
You know people are going to ask whether you got the red bull free in exchange for hiding the trojan in the script!
4 pack is bare minimum to start negotiations like that though
But you still wanted the wings.
Got it.