Help Detecting the Threat: JS/Spy.Banker.KJ trojan

[Ange 0]

Can somebody please have a look for me to help find it? Url is in the screenshot - I don't want to post the URL directly in case Google ranks it!

Can I get a code line number of where the detection was made?

Edited January 9 by Ange
Add information

[Marcos 4,909]

Searching for "parentNode.insertBefore(po, s)" should help you locate the malicious JS.

[Ange 0]

Hey Marcos, 

Okay thank you - that gives me a starting point. This could pertain to a number of code lines in our script.

I'll list them below - can you please let me know what you think could be triggering it? Is it possible that I ESET is triggering a false positive?

Quantcast Tag

</script>
	<!-- Quantcast Tag -->
	<_script type="text/javascript">
	window._qevents = window._qevents || [];
	(function() {
	var elem = document.createElement('script');
	elem.src = (document.location.protocol == "https:" ? "https://secure" : "hxxp://edge") + ".quantserve.com/quant.js";
	elem.async = true;
	elem.type = "text/javascript";
	var scpt = document.getElementsByTagName('script')[0];
	scpt.parentNode.insertBefore(elem, scpt);
	})();
	window._qevents.push({
	qacct:"p-0yt8t04BdHBHy",
	uid:""
	});
	</script>

Facebook Tag

</style> <!-- Facebook Business Extension for Magento 2 -->   <!-- Facebook Pixel Code -->   <_script>   !function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?   n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n;   n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0;   t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,   document,'script','//connect.facebook.net/en_US/fbevents.js');   fbq(   'init',   '260325074565775',   {},   {agent: 'magento2-2.4.2-1.2.5' }   );   fbq('track', 'PageView', {   source: "magento2",   version: "2.4.2",   pluginVersion: "1.2.5"   });   </script>   <noscript>   <img height="1" width="1" style="display:none"   src="https://www.facebook.com/tr?id=260325074565775&ev=PageView&noscript=1&a=magento2-2.4.2-1.2.5" />   </noscript>   <!-- End Facebook Pixel Code --> Yotpo Tag   <!-- Yotpo - Widget Script -->   <_script>   (function e(){var e=document.createElement("script");e.type="text/javascript",e.async=true,e.src="//staticw2.yotpo.com/MiYqr6pLo4uM7oXnMnqaO13o5qy27pLQHQp9o9zC/widget.js";var t=document.getElementsByTagName("script")[0];t.parentNode.insertBefore(e,t)})();   </script>

[Marcos 4,909]

[Ange 0]

Hey Marco,

Thank you for locating that! Only after I replied I also found this script.
 

Is this definitely a virus code, or could it be a false positive?

[Marcos 4,909]

It's definitely malicious, the script loads a JS from a website blocked by 2 vendors:

[Ange 0]

Hey Marco,

Wow, thanks so much for your assistance! You are brilliant!

[hegoss 0]

Hello,

Eset system detected on following page: https://nastartujes.cz/order   JS/Spy.Banker.IV  Could you please help me how to localize the source to remove it?

 

Thanks 

[Marcos 4,909]

32 minutes ago, hegoss said:

Eset system detected on following page: https://nastartujes.cz/order   JS/Spy.Banker.IV  Could you please help me how to localize the source to remove it?

Searching for "var _0x5aa5=" should help you locate the malicious JS.

[hegoss 0]

Sorry , but I cannot find it in HTML source code of that page.   Od did you mean somewhere else?

[Marcos 4,909]

It may be in an encrypted form on the server, in the CMS db, etc. See https://forum.eset.com/topic/35686-threat-jsspybankerkt-trojan:

Where did you eventually find it?
Entry file app.php , mage.php.

[hegoss 0]

Hello eset tema again. Could you please confirm that var _0x5aa5  is correct sequence? We download whole website, searched entire website, database, but there is no such sequence, nor app.php or mage.php file.

https://nastartujes.cz/order is the url whe trojan horse is detected

 

Thank you

 

[Marcos 4,909]

1 hour ago, hegoss said:

https://nastartujes.cz/order is the url whe trojan horse is detected

A malicious JavaScript is there:

[hegoss 0]

Thanks, but how to find it?

[hegoss 0]

I found it finally. I was in classes directory

[eddi 0]

Hello, a customer send an info, that this shop has the same problem. Dear eset-team, do you have a hint for me, how to solve it?

 

[Marcos 4,909]

2 hours ago, eddi said:

Hello, a customer send an info, that this shop has the same problem. Dear eset-team, do you have a hint for me, how to solve it?

If it's your website, please scan the "classes" folder with ESET. If no threat is found, please provide the php files from that folder.