PHP Developer, posted May 19, 2022:
How can we find this malware code js/spy.banker.kj in our website? Is there any way ESET antivirus can show the path of the file that has this malicious code? It shows only:
Threat found. This web page contains potentially dangerous content. Threat: JS/Spy.Banker.KJ trojan. Access to it has been blocked. Your computer is safe.

Marcos (Administrators), posted May 19, 2022:
What is the website where the threat was found?

itman, posted May 19, 2022 (edited May 19, 2022):
Is this your website: hxxps://www.globaledulink.co.uk/register/ ?
If it is, here are a few locations where malware is being found:
hxxps://www.globaledulink.co.uk/register/;JS/Spy.Banker.KJ trojan
hxxps://cdn.globaledulink.co.uk/wp-content/themes/wplms-child/assets/plugins/fortawesome/fonts/fa-solid-900.woff2;JS/Spy.Banker.KJ trojan
hxxps://cdn.globaledulink.co.uk/wp-content/themes/wplms-child/assets/plugins/fortawesome/fonts/fa-solid-900.woff;JS/Spy.Banker.KJ trojan
hxxps://cdn.globaledulink.co.uk/wp-content/themes/wplms-child/assets/plugins/fortawesome/fonts/fa-solid-900.ttf;JS/Spy.Banker.KJ trojan

PHP Developer, posted May 19, 2022:
How can we unblock access to the website pages after removing the threat? When we refresh the page, it shows threat removed in the alert but also shows that access has been blocked in the same alert.

itman, posted May 19, 2022:
Here's a detailed report from quttera.com noting your web site is malicious: https://quttera.com/detailed_report/www.globaledulink.co.uk. Unfortunately, and a first, I can't even access the report since Eset blocks it with a JS/Spy.Banker.KJ trojan detection. There is definitely some nasty malware on your web site.

Marcos (Administrators), posted May 20, 2022, marked as Solution:
4 hours ago, PHP Developer said:
> How can we unblock access to the website pages after removing the threat? When we refresh the page, it shows threat removed in the alert but also shows that access has been blocked in the same alert.
Make sure that the malicious script is removed from the website and that it's hardened against further exploitation.

PHP Developer, posted May 23, 2022:
On 5/20/2022 at 3:58 AM, itman said:
> Here's a detailed report from quttera.com noting your web site is malicious: https://quttera.com/detailed_report/www.globaledulink.co.uk. Unfortunately, and a first, I can't even access the report since Eset blocks it with a JS/Spy.Banker.KJ trojan detection. There is definitely some nasty malware on your web site.
We deleted the above-mentioned files, but now we are unable to even access the report. Then how can we check for the infected files with their path?

Marcos (Administrators), posted May 23, 2022:
You were not supposed to delete the files that itman pointed out. Instead you should remove just the malicious JavaScript from the files.

PHP Developer, posted May 23, 2022:
1 hour ago, Marcos said:
> You were not supposed to delete the files that itman pointed out. Instead you should remove just the malicious JavaScript from the files.
Those mentioned files were .ttf and .woff font files, and we did not find any "JS/Spy.Banker.KJ" code in any js file. We even checked all js and other files in the website; no file has this "JS/Spy.Banker.KJ". We even scanned our code files with ESET antivirus and uploaded them again to the server, but the same threat alert is still coming and the report is also not accessible.

PHP Developer, posted May 23, 2022:
@Marcos need your help to fix this issue.

Marcos (Administrators), posted May 23, 2022:

itman, posted May 23, 2022:
Quttera found malware located per below screen shot. However, it also found 28 files listed in the suspicious category. If you're not capable of cleaning malware from your web site, Quttera will do it for you for a fee. It is not Eset's responsibility to clean malware from your web site.

PHP Developer, posted May 23, 2022:
17 minutes ago, itman said:
> Quttera found malware located per below screen shot. However, it also found 28 files listed in the suspicious category. If you're not capable of cleaning malware from your web site, Quttera will do it for you for a fee. It is not Eset's responsibility to clean malware from your web site.
@Marcos Thanks for your quick response. Can you share the URLs of those 28 files so we can check and clean them?

itman, posted May 23, 2022:
2 minutes ago, PHP Developer said:
> Can you share the URLs of those 28 files so we can check and clean them?
Exclude the Quttera report URL from Eset's "List of addresses excluded from content scan" per the below screen shot. This will enable you to access the report w/o Eset blocking the access.

PHP Developer, posted May 23, 2022:
@itman thanks for your help; now I can see the report by following the steps you mentioned above.

PHP Developer, posted May 30, 2022:
@itman we are still unable to find the malicious script in the files and the database as well; we need your advice. The above-mentioned code is not found anywhere during a manual search of the files and database. We have even used the MalCare security plugin and cleaned the site after scanning with this plugin, but quttera.com is still showing the same report.

Marcos (Administrators), posted May 30, 2022:
The following should help you locate the malicious JavaScript:
    if (hr && hr.includes("checkout") && !hr.includes("cart"))

itman, posted May 30, 2022 (edited May 30, 2022):
I am assuming that Eset is detecting card skimming activities. If that is the case, you might want to review this article: https://www.bleepingcomputer.com/news/security/microsoft-credit-card-stealers-are-getting-much-stealthier/. Of note:
> Common characteristics among all payment card skimmers include the presence of base64-encoded strings and the "atob()" JavaScript function on compromised webpages. Apart from active scanning and detection, website administrators should ensure they're running the latest available version of their content management system (CMS) and plugins.
Notice the "atob" reference followed by Base64 encrypted code within () in what @Marcos posted previously: https://forum.eset.com/topic/32458-malware-detected-by-eset-in-website/?do=findComment&comment=151390

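An added example, not part of any post in this thread and not ESET's or Quttera's method: a Python scanner that reads every file under a web root as raw bytes, whatever its extension (the flagged URLs above were font files), and reports the two indicators mentioned in the thread, the `includes("checkout")` condition and `atob()` calls on a base64 literal, decoding the latter for review. The function names, the 16-character minimum and the sample tree are assumptions constructed for illustration.

```python
import base64, binascii, re, tempfile
from pathlib import Path

# atob("...") or atob('...') with a base64 literal of at least 16 characters (assumed threshold)
ATOB_RE = re.compile(rb"""atob\(\s*["']([A-Za-z0-9+/=]{16,})["']\s*\)""")
# The condition quoted in the thread, with optional whitespace and either quote style
CHECKOUT_RE = re.compile(rb"""includes\(\s*["']checkout["']\s*\)""")

def scan_file(path):
    """Return (reason, detail) findings for one file, read as raw bytes."""
    data = Path(path).read_bytes()
    findings = []
    if CHECKOUT_RE.search(data):
        findings.append(("checkout-condition", ""))
    for m in ATOB_RE.finditer(data):
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except binascii.Error:
            continue  # literal is not valid base64, skip it
        # Show the start of the decoded value so a reviewer can judge it
        findings.append(("atob-base64", decoded[:60].decode("latin-1")))
    return findings

def scan_tree(root):
    """Scan every regular file under root, including fonts and images."""
    results = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            hits = scan_file(p)
            if hits:
                results[p.relative_to(root).as_posix()] = hits
    return results

def demo():
    """Build a constructed sample tree (not real site content) and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "fonts").mkdir()
        # Constructed sample: script text sitting inside a file named like a font
        payload = base64.b64encode(b"https://placeholder.example/x").decode()
        js = ('if (hr && hr.includes("checkout") && !hr.includes("cart")) '
              '{ u = atob("%s"); }' % payload).encode()
        (root / "fonts" / "sample.woff2").write_bytes(b"wOF2\x00\x01" + js)
        (root / "clean.js").write_bytes(b"console.log('hello');")
        return scan_tree(root)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

Run `scan_tree` against a local copy of the web root; the same patterns can also be applied to a database export saved as a file.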
PHP Developer, posted May 31, 2022:
@itman Thanks for your help; now we are safe as per the latest scan: https://quttera.com/detailed_report/www.globaledulink.co.uk