Title: Trojan?
Last modified: August 31, 2016

---

# Trojan?

 *  [alfiotondelli](https://wordpress.org/support/users/alfiotondelli/)
 * (@alfiotondelli)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/trojan-4/)
 * My provider told me that:
 * {CAV}Win.Trojan.Agent-1395005 in quick-pagepost-redirect-plugin/js/qppr_frontend_script.
   min.js
 * What happened?
 * [https://wordpress.org/plugins/quick-pagepost-redirect-plugin/](https://wordpress.org/plugins/quick-pagepost-redirect-plugin/)

Viewing 11 replies - 1 through 11 (of 11 total)

 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [10 years, 2 months ago](https://wordpress.org/support/topic/trojan-4/#post-7289592)
 * Don’t double post, I’ve deleted your other topic.
 * If you mean this file then your provider is mistaken.
 * [https://plugins.trac.wordpress.org/browser/quick-pagepost-redirect-plugin/trunk/js/qppr_frontend_script.js](https://plugins.trac.wordpress.org/browser/quick-pagepost-redirect-plugin/trunk/js/qppr_frontend_script.js)
 * BUT your site may just be compromised and that would explain how that file was
   changed.
 * If so then please remain calm and carefully follow this guide.
 * When you’re done, you may want to implement some (if not all) of the recommended
   security measures.
 *  Thread Starter [alfiotondelli](https://wordpress.org/support/users/alfiotondelli/)
 * (@alfiotondelli)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/trojan-4/#post-7289597)
 * I have downloaded the file from [https://wordpress.org/plugins/quick-pagepost-redirect-plugin/](https://wordpress.org/plugins/quick-pagepost-redirect-plugin/)
 * The file qppr_frontend_script.min.js is in js directory. It is not changed, it
   is in the zip file:
    [https://downloads.wordpress.org/plugin/quick-pagepost-redirect-plugin.5.1.7.zip](https://downloads.wordpress.org/plugin/quick-pagepost-redirect-plugin.5.1.7.zip)
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [10 years, 2 months ago](https://wordpress.org/support/topic/trojan-4/#post-7289601)
 * If your copy of the file matches this link then it’s a false positive.
 * [https://plugins.trac.wordpress.org/browser/quick-pagepost-redirect-plugin/trunk/js/qppr_frontend_script.js](https://plugins.trac.wordpress.org/browser/quick-pagepost-redirect-plugin/trunk/js/qppr_frontend_script.js)
 *  Thread Starter [alfiotondelli](https://wordpress.org/support/users/alfiotondelli/)
 * (@alfiotondelli)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/trojan-4/#post-7289602)
 * The problem is not: qppr_frontend_script.js
    The problem is: qppr_frontend_script.
   min.js
 * I have those two different files in JS directory in zip file downloaded from:
   
   [https://wordpress.org/plugins/quick-pagepost-redirect-plugin/](https://wordpress.org/plugins/quick-pagepost-redirect-plugin/)
   ZIP: [https://downloads.wordpress.org/plugin/quick-pagepost-redirect-plugin.5.1.7.zip](https://downloads.wordpress.org/plugin/quick-pagepost-redirect-plugin.5.1.7.zip)
 * FILE: qppr_frontend_script.js IS OK
    FILE: qppr_frontend_script.min.js PROVIDER
   TELL ME: Win.Trojan.Agent-1395005
 *  [Don Fischer](https://wordpress.org/support/users/prophecy2040/)
 * (@prophecy2040)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/trojan-4/#post-7289640)
 * alfiotondelli,
    That is a false positive. There is one or two scanners that think
   it contains a virus as the file minification process compacts many of the functions
   into a format that some viruses use.
 * Here are the results of Google Virus Total scan:
    [https://www.virustotal.com/en/file/4d81cd951bc1cc8095a0b6385baa47b9c5fb6fe1440661563a09dbd2f7e243db/analysis/1460835862/](https://www.virustotal.com/en/file/4d81cd951bc1cc8095a0b6385baa47b9c5fb6fe1440661563a09dbd2f7e243db/analysis/1460835862/)
 * As you can see, almost all of them say it is safe and only one or two think it
   may be a trojan (which it is not). To verify, you can look at the file and run
   it through a de-minify process and follow the functions – they perform the same
   functions as the un-minified version – and that is not showing as a virus. So
   it is a false positive (As long as you got it directly from the WordPress repository
   and not some place else.)
 * I will notify the new owner so they can change the minification process on the
   next update to a more scanner friendly version.
 * Regards,
    Don
 *  [scottl31](https://wordpress.org/support/users/scottl31/)
 * (@scottl31)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/trojan-4/#post-7289864)
 * Don,
 * It looks like this file has been like this for a while. Wordfence is flagging
   it. Is this the correct content:
 * _[ Moderator note: code fixed. Please wrap code in the backtick character or 
   [use the code button](http://codex.wordpress.org/Forum_Welcome#Posting_Code).]_
 *     ```
       !function(t){t(document).ready(function(){function e(t,e){return"undefined"!=typeof e[t]?"1":"undefined"!=typeof e[t.replace(a,"")]?"2":"undefined"!=typeof e[t.replace(n,"")]?"3":!1}var r=qpprFrontData.linkData,a=qpprFrontData.siteURL,n=qpprFrontData.siteURLq;t("a[href]").each(function(){var i=t(this),f="undefined"!=typeof t(this).attr("href")?t(this).attr("href"):"",l=e(f,r);if(l!==!1){var o="undefined"!=typeof t(this).attr("rel")?t(this).attr("rel"):"",p=("undefined"!=typeof t(this).attr("target")?t(this).attr("target"):"",!1),h=!1,c="",d=f;if("1"==l?(p=r[f][0],h=r[f][1],c=r[f][2]):"2"==l?(p=r[f.replace(a,"")][0],h=r[f.replace(a,"")][1],c=r[f.replace(a,"")][2],d=f.replace(a,"")):"3"==l&&(p=r[f.replace(n,"")][0],h=r[f.replace(n,"")][1],c=r[f.replace(n,"")][2],d=f.replace(n,"")),p&&""===this.target&&(this.target="_blank"),h&&(""!==o&&"nofollow"!==o?t(this).attr("rel",o+" nofollow"):t(this).attr("rel","nofollow")),""!=c){t(this).attr("href",c);var s=i.html();s=s.replace(d,c),i.html(s)}}})})}(jQuery);
       ```
   
 *  [The Hack Repair Guy](https://wordpress.org/support/users/tvcnet/)
 * (@tvcnet)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/trojan-4/#post-7289865)
 * Very nice summary Don Fischer.
    Wish there was a like link here in WordPress.
   org.
 *  [The Hack Repair Guy](https://wordpress.org/support/users/tvcnet/)
 * (@tvcnet)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/trojan-4/#post-7289866)
 * Yes, is a Wordfence “thing”
    You good. Just a false positive. Hopefully the developer
   of the script will take notice that is stuff is ringing a lot of bells (and not
   the one that gives angels wings…).
 *  [gunderstorm](https://wordpress.org/support/users/gunderstorm/)
 * (@gunderstorm)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/trojan-4/#post-7289870)
 * Thanks for exploring this, guys. Wordfence had me scared.
 *  [DYLdev](https://wordpress.org/support/users/dyldev/)
 * (@dyldev)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/trojan-4/#post-7289878)
 * > I will notify the new owner so they can change the minification process on 
   > the next update to a more scanner friendly version.
 * Is there an ETA on that next update?
 * The false positive was detected 4 or 5 days ago, and now Wordfence is picking
   it up as a malware warning.
 * It would put people more at ease if there was some urgency on the part of the
   plugin owner to get this resolved sooner than later, that updates are still being
   supported.
 * Thanks.
 *  Plugin Author [anadnet](https://wordpress.org/support/users/anadnet/)
 * (@anadnet)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/trojan-4/#post-7289893)
 * Hi Guys,
 * Not a Trojan of course. As Don stated this is just a false positive. I’ve updated
   the file using a different service (version 5.1.8 released), but you can safely
   use all previous versions of the file.[ New file scan ](https://www.virustotal.com/en/file/3fc2845d22c09928ba9dae73f657a21ede05bed89a42efafe1028bcbe4ee499b/analysis/1461530637/)
   doesn’t show false positive.

Viewing 11 replies - 1 through 11 (of 11 total)

The topic ‘Trojan?’ is closed to new replies.

 * ![](https://s.w.org/plugins/geopattern-icon/quick-pagepost-redirect-plugin_8d7b6f.
   svg)
 * [Quick Page/Post Redirect Plugin](https://wordpress.org/plugins/quick-pagepost-redirect-plugin/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/quick-pagepost-redirect-plugin/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/quick-pagepost-redirect-plugin/)
 * [Active Topics](https://wordpress.org/support/plugin/quick-pagepost-redirect-plugin/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/quick-pagepost-redirect-plugin/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/quick-pagepost-redirect-plugin/reviews/)

## Tags

 * [false positive](https://wordpress.org/support/topic-tag/false-positive/)
 * [trojan](https://wordpress.org/support/topic-tag/trojan/)

 * 11 replies
 * 8 participants
 * Last reply from: [anadnet](https://wordpress.org/support/users/anadnet/)
 * Last activity: [10 years, 2 months ago](https://wordpress.org/support/topic/trojan-4/#post-7289893)
 * Status: not resolved