Malware Detected by ESET in website

[PHP Developer 0]

How can we find this malware code js/spy.banker.kj in our website,  Is the any way ESET antivirus show the path of the file to have this milieus code. its show only Threat found. This web page contains potentially dangerous content .
Threat : JS/Spy.Banker.KJ trojan
Access to it has been blocked. Your computer is safe. 

[Marcos 4,706]

What is the website where the threat was found?

[itman 1,541]

Is this your website: hxxps://www.globaledulink.co.uk/register/ ?

If it is, here are a few locations where malware is being found:

hxxps://www.globaledulink.co.uk/register/;JS/Spy.Banker.KJ trojan
hxxps://cdn.globaledulink.co.uk/wp-content/themes/wplms-child/assets/plugins/fortawesome/fonts/fa-solid-900.woff2;JS/Spy.Banker.KJ trojan
hxxps://cdn.globaledulink.co.uk/wp-content/themes/wplms-child/assets/plugins/fortawesome/fonts/fa-solid-900.woff;JS/Spy.Banker.KJ trojan
hxxps://cdn.globaledulink.co.uk/wp-content/themes/wplms-child/assets/plugins/fortawesome/fonts/fa-solid-900.ttf;JS/Spy.Banker.KJ trojan

Edited May 19, 2022 by itman

[PHP Developer 0]

How we can unblock the access of the website pages after removing the treat ?  When we refresh the page it shows threat removed in alert but also showing the access has been block in the same alert.

[itman 1,541]

Here's a detailed report from quttera.com noting your web site is malicious: https://quttera.com/detailed_report/www.globaledulink.co.uk .

Unfortunately and a first, I can't even access the report since Eset blocks it with a JS/Spy.Banker.KJ trojan detection. There is definitely some nasty malware on your web site.

[Marcos 4,706]

4 hours ago, PHP Developer said:

How we can unblock the access of the website pages after removing the treat ?  When we refresh the page it shows threat removed in alert but also showing the access has been block in the same alert.

Make sure that the malicious script is removed from the website and that it's hardened against further exploitation.

[PHP Developer 0]

On 5/20/2022 at 3:58 AM, itman said:

Here's a detailed report from quttera.com noting your web site is malicious: https://quttera.com/detailed_report/www.globaledulink.co.uk .

Unfortunately and a first, I can't even access the report since Eset blocks it with a JS/Spy.Banker.KJ trojan detection. There is definitely some nasty malware on your web site.

deleted above mentioned files but now we are unable to even access the report. Then how we can check for the infected files with their path ?

 

[Marcos 4,706]

You were not supposed to delete the files that itman pointed out. Instead you should remove just the malicious javascript from the files.

[PHP Developer 0]

1 hour ago, Marcos said:

You were not supposed to delete the files that itman pointed out. Instead you should remove just the malicious javascript from the files.

those mentioned files were .ttf and .woff fonts files and we did not found any "JS/Spy.Banker.KJ" code in any js file. Even checked all js and other files in the websites no file have this "JS/Spy.Banker.KJ". even we scanned our code files from ESET antivirus and uploaded again to the server but still same Threat alert is coming and also report is not accessible.   

[PHP Developer 0]

@Marcos need your help to fix this issue.

 

[Marcos 4,706]

[itman 1,541]

Quttera found malware located per below screen shot. However, it also found 28 files listed in the suspicious category.

If you're not capable of cleaning malware from your web site, Quttera will do it for you for a fee. It is not Eset's responsibility to clean malware from your web site.

[PHP Developer 0]

17 minutes ago, itman said:

Quttera found malware located per below screen shot. However, it also found 28 files listed in the suspicious category.

If you're not capable of cleaning malware from your web site, Quttera will do it for you for a fee. It is not Eset's responsibility to clean malware from your web site.

@Marcos Thanks for your quick response , can you share those 28 files URLs so we can check and clean them 

[itman 1,541]

2 minutes ago, PHP Developer said:

can you share those 28 files URLs so we can check and clean them 

Exclude the Quttera report URL from Eset's "List of list of addresses excluded from content scan" per the below screen shot. This will enable you to access the report w/o Eset blocking the access:

[PHP Developer 0]

@itman thanks for you help now i can see the report to follow the steps you have mentioned above. 

[PHP Developer 0]

@itman still unable to find the malicious script in files and database as well, need to your advise. Above mentioned code is not found anywhere during manual search in files and database. even we have used malcare security plugin and cleaned the site after scanning through this plugin. but still quttera.com showing same report  

[Marcos 4,706]

The following should help you locate the malicious javascript:

if (hr && hr.includes("checkout") && !hr.includes("cart"))

 

[itman 1,541]

I am assuming that Eset is detecting card skimming activities. If that is the case, you might want to review this article: https://www.bleepingcomputer.com/news/security/microsoft-credit-card-stealers-are-getting-much-stealthier/ .

Of note:

Quote

Common characteristics among all payment card skimmers include the presence of base64-encoded strings and the "atob()" JavaScript function on compromised webpages.

Apart from active scanning and detection, website administrators should ensure they're running the latest available version of their content management system (CMS) and plugins.

Notice the "atob" reference followed by Base64 encrypted code within () in what @Marcos posted previously: https://forum.eset.com/topic/32458-malware-detected-by-eset-in-website/?do=findComment&comment=151390

 

Edited May 30, 2022 by itman

[PHP Developer 0]

@itmanThanks for your help now we are safe as per the latest scanning 

https://quttera.com/detailed_report/www.globaledulink.co.uk