A virus script appears in the cache which is not on the server

Hello! Recently noticed on their site an incomprehensible js script that sends users spam push notifications. For a long time they figured out and it turned out that this file is substituted through the cloudflare cache. type link - https://www.domain.ru/ws.js

there is no 100% ws.js file on the server! After clearing the cache, a 404 error pops up on the link, but after a few seconds of updates this file opens again

If caching is completely turned off, then this file stops opening.

How can this be?

Iā€™m quite sure it does come from your server, but only when a certain User Agent String queries the URL. Often, compromised software is looking for a Google Crawler so it can insert the string into your search results. And if the crawler is the first visitor to hit that URL, that string will be cached for everybody else to see.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.