
Malware Detected by ESET in website


Go to solution Solved by Marcos,


How can we find this malware code js/spy.banker.kj in our website? Is there any way ESET antivirus can show the path of the file that has this malicious code? It shows only: Threat found. This web page contains potentially dangerous content.
Threat: JS/Spy.Banker.KJ trojan
Access to it has been blocked. Your computer is safe.


Is this your website: hxxps://www.globaledulink.co.uk/register/ ?

If it is, here are a few locations where malware is being found:

hxxps://www.globaledulink.co.uk/register/;JS/Spy.Banker.KJ trojan
hxxps://cdn.globaledulink.co.uk/wp-content/themes/wplms-child/assets/plugins/fortawesome/fonts/fa-solid-900.woff2;JS/Spy.Banker.KJ trojan
hxxps://cdn.globaledulink.co.uk/wp-content/themes/wplms-child/assets/plugins/fortawesome/fonts/fa-solid-900.woff;JS/Spy.Banker.KJ trojan
hxxps://cdn.globaledulink.co.uk/wp-content/themes/wplms-child/assets/plugins/fortawesome/fonts/fa-solid-900.ttf;JS/Spy.Banker.KJ trojan


How can we unblock access to the website pages after removing the threat? When we refresh the page, the alert shows the threat as removed, but the same alert also shows that access has been blocked.


Here's a detailed report from quttera.com noting your web site is malicious: https://quttera.com/detailed_report/www.globaledulink.co.uk .

Unfortunately and a first, I can't even access the report since Eset blocks it with a JS/Spy.Banker.KJ trojan detection. There is definitely some nasty malware on your web site.


  • Administrators
  • Solution
4 hours ago, PHP Developer said:

How can we unblock access to the website pages after removing the threat? When we refresh the page, the alert shows the threat as removed, but the same alert also shows that access has been blocked.

Make sure that the malicious script is removed from the website and that it's hardened against further exploitation.


On 5/20/2022 at 3:58 AM, itman said:

Here's a detailed report from quttera.com noting your web site is malicious: https://quttera.com/detailed_report/www.globaledulink.co.uk .

Unfortunately and a first, I can't even access the report since Eset blocks it with a JS/Spy.Banker.KJ trojan detection. There is definitely some nasty malware on your web site.

We deleted the above-mentioned files, but now we are unable to even access the report. How can we check for the infected files with their paths?

 


  • Administrators

You were not supposed to delete the files that itman pointed out. Instead, you should remove just the malicious JavaScript from the files.


1 hour ago, Marcos said:

You were not supposed to delete the files that itman pointed out. Instead, you should remove just the malicious JavaScript from the files.

Those mentioned files were .ttf and .woff font files, and we did not find any "JS/Spy.Banker.KJ" code in any js file. We even checked all js and other files in the website; no file has this "JS/Spy.Banker.KJ". We even scanned our code files with ESET antivirus and uploaded them again to the server, but the same threat alert is still coming and the report is still not accessible.


Quttera found malware located per below screen shot. However, it also found 28 files listed in the suspicious category.

[Screenshot: Eset_Quttera.png]

If you're not capable of cleaning malware from your web site, Quttera will do it for you for a fee. It is not Eset's responsibility to clean malware from your web site.


17 minutes ago, itman said:

Quttera found malware located per below screen shot. However, it also found 28 files listed in the suspicious category.

[Screenshot: Eset_Quttera.png]

If you're not capable of cleaning malware from your web site, Quttera will do it for you for a fee. It is not Eset's responsibility to clean malware from your web site.

@Marcos Thanks for your quick response. Can you share those 28 file URLs so we can check and clean them?


2 minutes ago, PHP Developer said:

can you share those 28 file URLs so we can check and clean them

Exclude the Quttera report URL from Eset's "List of addresses excluded from content scan" per the below screen shot. This will enable you to access the report w/o Eset blocking the access:

[Screenshot: Eset_Exclude.png]


@itman We are still unable to find the malicious script in the files or the database, and we need your advice. The above-mentioned code is not found anywhere during a manual search of the files and database. We even used the MalCare security plugin and cleaned the site after scanning with this plugin, but quttera.com is still showing the same report.


  • Administrators

The following should help you locate the malicious JavaScript:

if (hr && hr.includes("checkout") && !hr.includes("cart"))

 


I am assuming that Eset is detecting card skimming activities. If that is the case, you might want to review this article: https://www.bleepingcomputer.com/news/security/microsoft-credit-card-stealers-are-getting-much-stealthier/ .

Of note:

Quote

Common characteristics among all payment card skimmers include the presence of base64-encoded strings and the "atob()" JavaScript function on compromised webpages.

Apart from active scanning and detection, website administrators should ensure they're running the latest available version of their content management system (CMS) and plugins.

Notice the "atob" reference followed by Base64 encrypted code within () in what @Marcos posted previously: https://forum.eset.com/topic/32458-malware-detected-by-eset-in-website/?do=findComment&comment=151390

 

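A file-level triage for the two indicators mentioned in this thread (the search string Marcos posted, and atob() with a Base64 literal), as an added example that is not part of the original posts or of ESET's tooling. The font-header check, the 24-character threshold and the sample files are assumptions constructed for illustration; the scan also decodes each atob() literal, since a plain text search will not see a string that is stored encoded.

```python
import base64
import re
from pathlib import Path

# Fragment posted in the thread as a search string for the injected script.
MARKER = b'hr.includes("checkout")'
# atob("...") or atob('...') holding a Base64 literal of 24+ characters (assumed threshold).
ATOB_RE = re.compile(rb"""atob\(\s*["']([A-Za-z0-9+/]{24,}={0,2})["']\s*\)""")
# Leading bytes a genuine font file starts with (WOFF, WOFF2, TrueType/OpenType).
FONT_MAGIC = {".woff": (b"wOFF",), ".woff2": (b"wOF2",),
              ".ttf": (b"\x00\x01\x00\x00", b"true", b"OTTO")}

# Constructed samples for the demo; not taken from the affected site.
HIDDEN = base64.b64encode(b'if (hr && hr.includes("checkout") && !hr.includes("cart"))')
SAMPLES = {
    "fonts/fa-solid-900.woff2": b"var s=atob('" + HIDDEN + b"');",
    "fonts/clean.woff2": b"wOF2" + bytes(32),
    "js/app.js": b'if (hr && hr.includes("checkout") && !hr.includes("cart")) {}',
}


def scan_bytes(name, data):
    """Return (name, reason, detail) findings for one file's raw bytes."""
    findings = []
    magic = FONT_MAGIC.get(Path(name).suffix.lower())
    if magic and not data.startswith(magic):
        # Served as a font but does not begin with a font header.
        findings.append((name, "font-magic-mismatch", data[:16]))
    if MARKER in data:
        findings.append((name, "marker", MARKER))
    for m in ATOB_RE.finditer(data):
        raw = m.group(1)
        try:
            decoded = base64.b64decode(raw + b"=" * (-len(raw) % 4))
        except ValueError:
            continue  # not decodable Base64 after all
        reason = "atob-hides-marker" if MARKER in decoded else "atob-literal"
        findings.append((name, reason, decoded[:60]))
    return findings


def scan_tree(root):
    """Scan every regular file under root, regardless of extension."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            findings.extend(scan_bytes(str(path), path.read_bytes()))
    return findings


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, [f[1] for f in scan_bytes(name, data)])
```

An "atob-literal" finding only means the file needs a manual look; legitimate scripts also call atob().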
