PHP Developer, posted May 19:
How can we find this malware code js/spy.banker.kj in our website? Is there any way ESET antivirus shows the path of the file that has this malicious code? It shows only:

Threat found. This web page contains potentially dangerous content. Threat: JS/Spy.Banker.KJ trojan. Access to it has been blocked. Your computer is safe.

Marcos (Administrator), posted May 19:
What is the website where the threat was found?

itman, posted May 19 (edited May 19):
Is this your website: hxxps://www.globaledulink.co.uk/register/ ? If it is, here are a few locations where malware is being found:
hxxps://www.globaledulink.co.uk/register/ ; JS/Spy.Banker.KJ trojan
hxxps://cdn.globaledulink.co.uk/wp-content/themes/wplms-child/assets/plugins/fortawesome/fonts/fa-solid-900.woff2 ; JS/Spy.Banker.KJ trojan
hxxps://cdn.globaledulink.co.uk/wp-content/themes/wplms-child/assets/plugins/fortawesome/fonts/fa-solid-900.woff ; JS/Spy.Banker.KJ trojan
hxxps://cdn.globaledulink.co.uk/wp-content/themes/wplms-child/assets/plugins/fortawesome/fonts/fa-solid-900.ttf ; JS/Spy.Banker.KJ trojan

PHP Developer, posted May 19:
How can we unblock access to the website pages after removing the threat? When we refresh the page it shows "threat removed" in the alert, but the same alert also shows that access has been blocked.

itman, posted May 19:
Here's a detailed report from quttera.com noting your web site is malicious: https://quttera.com/detailed_report/www.globaledulink.co.uk . Unfortunately, and a first, I can't even access the report since Eset blocks it with a JS/Spy.Banker.KJ trojan detection. There is definitely some nasty malware on your web site.
Marcos (Administrator, marked as solution), posted May 20:
> PHP Developer said (4 hours ago): How can we unblock access to the website pages after removing the threat? When we refresh the page it shows "threat removed" in the alert, but the same alert also shows that access has been blocked.

Make sure that the malicious script is removed from the website and that it's hardened against further exploitation.

PHP Developer, posted May 23:
> itman said (on 5/20/2022 at 3:58 AM): Here's a detailed report from quttera.com noting your web site is malicious: https://quttera.com/detailed_report/www.globaledulink.co.uk . Unfortunately, and a first, I can't even access the report since Eset blocks it with a JS/Spy.Banker.KJ trojan detection. There is definitely some nasty malware on your web site.

Deleted the above mentioned files, but now we are unable to even access the report. Then how can we check for the infected files with their paths?

Marcos (Administrator), posted May 23:
You were not supposed to delete the files that itman pointed out. Instead you should remove just the malicious JavaScript from the files.

PHP Developer, posted May 23:
> Marcos said (1 hour ago): You were not supposed to delete the files that itman pointed out. Instead you should remove just the malicious JavaScript from the files.

Those mentioned files were .ttf and .woff font files, and we did not find any "JS/Spy.Banker.KJ" code in any js file. We even checked all js and other files in the website; no file has this "JS/Spy.Banker.KJ". We even scanned our code files with ESET antivirus and uploaded them again to the server, but the same threat alert is still coming and the report is still not accessible.

PHP Developer, posted May 23:
@Marcos need your help to fix this issue.
Marcos (Administrator), posted May 23:
(post body not captured)

itman, posted May 23:
Quttera found malware located per the below screen shot. However, it also found 28 files listed in the suspicious category. If you're not capable of cleaning malware from your web site, Quttera will do it for you for a fee. It is not Eset's responsibility to clean malware from your web site.
[screenshot not preserved]

PHP Developer, posted May 23:
> itman said (17 minutes ago): Quttera found malware located per the below screen shot. However, it also found 28 files listed in the suspicious category. If you're not capable of cleaning malware from your web site, Quttera will do it for you for a fee. It is not Eset's responsibility to clean malware from your web site.

@Marcos Thanks for your quick response, can you share those 28 file URLs so we can check and clean them?

itman, posted May 23:
> PHP Developer said (2 minutes ago): can you share those 28 file URLs so we can check and clean them?

Exclude the Quttera report URL from Eset's "List of addresses excluded from content scan" per the below screen shot. This will enable you to access the report w/o Eset blocking the access:
[screenshot not preserved]

PHP Developer, posted May 23:
@itman thanks for your help, now I can see the report to follow the steps you have mentioned above.

PHP Developer, posted May 30:
@itman still unable to find the malicious script in files and database as well, need your advice. The above mentioned code is not found anywhere during manual search in files and database. We have even used the MalCare security plugin and cleaned the site after scanning through this plugin, but quttera.com is still showing the same report.
Marcos (Administrator), posted May 30:
The following should help you locate the malicious JavaScript:

    if (hr && hr.includes("checkout") && !hr.includes("cart"))

itman, posted May 30 (edited May 30):
I am assuming that Eset is detecting card skimming activities. If that is the case, you might want to review this article: https://www.bleepingcomputer.com/news/security/microsoft-credit-card-stealers-are-getting-much-stealthier/ . Of note:

> Common characteristics among all payment card skimmers include the presence of base64-encoded strings and the "atob()" JavaScript function on compromised webpages. Apart from active scanning and detection, website administrators should ensure they're running the latest available version of their content management system (CMS) and plugins.

Notice the "atob" reference followed by Base64 encrypted code within () in what @Marcos posted previously: https://forum.eset.com/topic/32458-malware-detected-by-eset-in-website/?do=findComment&comment=151390
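A way to triage an offline copy of the site for the two indicators discussed in the posts above (Marcos's checkout/cart gating condition, and the base64 + atob() pattern in the article itman quotes), as an added example that is not code from this thread, from ESET or from Quttera. The regexes, the 40-character length threshold, the font-file check and the constructed sample snippet are this example's own assumptions.

```python
import base64
import os
import re

# Indicators taken from the thread: Marcos's checkout/cart gating condition and the
# base64 + atob() pattern itman quoted. Regexes, threshold and font check are ours.
CHECKOUT_RE = re.compile(
    r'includes\(\s*["\']checkout["\']\s*\).{0,40}!\s*\w+\.includes\(\s*["\']cart["\']\s*\)', re.S)
ATOB_RE = re.compile(r'atob\(\s*["\']([A-Za-z0-9+/=]{40,})["\']\s*\)')
SCRIPT_TEXT_RE = re.compile(rb'<script|atob\(|document\.|function\s*\(')
FONT_EXT = {".woff", ".woff2", ".ttf", ".eot", ".otf"}

def decodes_to_script(b64: str) -> bool:
    """True when a base64 string decodes to UTF-8 text that looks like browser JS."""
    try:
        text = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    return re.search(r'document\.|window\.|fetch\(|XMLHttpRequest', text) is not None

def find_indicators(path: str, data: bytes) -> list:
    """Return findings for one file's bytes; an empty list means nothing flagged."""
    findings = []
    # Font files (the thread's detections fired on .woff/.ttf URLs) should be binary.
    if os.path.splitext(path)[1].lower() in FONT_EXT and SCRIPT_TEXT_RE.search(data):
        findings.append("script text inside a font file")
    text = data.decode("utf-8", errors="ignore")
    if CHECKOUT_RE.search(text):
        findings.append("checkout-page gating condition (checkout && !cart)")
    if any(decodes_to_script(m.group(1)) for m in ATOB_RE.finditer(text)):
        findings.append("atob() of base64 that decodes to script")
    return findings

def scan_tree(root: str) -> dict:
    """Walk a web root (or an exported database dump) and map path -> findings."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                found = find_indicators(full, fh.read())
            if found:
                hits[os.path.relpath(full, root)] = found
    return hits

# Constructed sample, not real malware: the gating condition from the thread wrapped
# around an atob() payload that only logs the page title.
_PAYLOAD = base64.b64encode(b'console.log(document.title, window.name);').decode()
SAMPLE_SKIMMER = ('var hr = location.href;\nif (hr && hr.includes("checkout") && !hr.includes("cart")) '
                  '{ eval(atob("%s")); }' % _PAYLOAD).encode()
```

Point scan_tree() at a copy of the web root and at an export of the database, since the thread's poster searched both; a hit in a font path means the file served under that name is not a font.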
PHP Developer, posted May 31:
@itman Thanks for your help, now we are safe as per the latest scan: https://quttera.com/detailed_report/www.globaledulink.co.uk