Ange, posted January 9, 2023 (edited):
Can somebody please have a look for me to help find it? The URL is in the screenshot; I don't want to post the URL directly in case Google ranks it! Can I get a code line number of where the detection was made?
Marcos (Administrator), posted January 10, 2023 (marked as solution):
Searching for "parentNode.insertBefore(po, s)" should help you locate the malicious JS.
Ange, posted January 10, 2023:
Hey Marcos,
Okay, thank you; that gives me a starting point. This could pertain to a number of code lines in our script. I'll list them below. Can you please let me know what you think could be triggering it? Is it possible that ESET is triggering a false positive?

Quantcast Tag

<!-- Quantcast Tag -->
<script type="text/javascript">
window._qevents = window._qevents || [];
(function() {
  var elem = document.createElement('script');
  elem.src = (document.location.protocol == "https:" ? "https://secure" : "http://edge") + ".quantserve.com/quant.js";
  elem.async = true;
  elem.type = "text/javascript";
  var scpt = document.getElementsByTagName('script')[0];
  scpt.parentNode.insertBefore(elem, scpt);
})();
window._qevents.push({ qacct: "p-0yt8t04BdHBHy", uid: "" });
</script>

Facebook Tag

<!-- Facebook Business Extension for Magento 2 -->
<!-- Facebook Pixel Code -->
<script>
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n;
n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,
document,'script','//connect.facebook.net/en_US/fbevents.js');
fbq('init', '260325074565775', {}, {agent: 'magento2-2.4.2-1.2.5'});
fbq('track', 'PageView', { source: "magento2", version: "2.4.2", pluginVersion: "1.2.5" });
</script>
<noscript>
<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=260325074565775&ev=PageView&noscript=1&a=magento2-2.4.2-1.2.5" />
</noscript>
<!-- End Facebook Pixel Code -->

Yotpo Tag

<!-- Yotpo - Widget Script -->
<script>
(function e(){var e=document.createElement("script");e.type="text/javascript",e.async=true,e.src="//staticw2.yotpo.com/MiYqr6pLo4uM7oXnMnqaO13o5qy27pLQHQp9o9zC/widget.js";var t=document.getElementsByTagName("script")[0];t.parentNode.insertBefore(e,t)})();
</script>
Marcos (Administrator), posted January 10, 2023:
Ange, posted January 10, 2023:
Hey Marco,
Thank you for locating that! Only after I replied did I also find this script. Is this definitely virus code, or could it be a false positive?
Marcos (Administrator), posted January 10, 2023:
It's definitely malicious; the script loads a JS from a website blocked by 2 vendors:
Ange, posted January 10, 2023:
Hey Marco,
Wow, thanks so much for your assistance! You are brilliant!
hegoss, posted March 17, 2023:
Hello,
ESET detected the following on this page: https://nastartujes.cz/order
JS/Spy.Banker.IV
Could you please help me locate the source so I can remove it?
Thanks
Marcos (Administrator), posted March 17, 2023:
32 minutes ago, hegoss said:
"ESET detected the following on this page: https://nastartujes.cz/order JS/Spy.Banker.IV. Could you please help me locate the source so I can remove it?"
Searching for "var _0x5aa5=" should help you locate the malicious JS.
hegoss, posted March 17, 2023:
Sorry, but I cannot find it in the HTML source code of that page. Or did you mean somewhere else?
Marcos (Administrator), posted March 17, 2023:
It may be in an encrypted form on the server, in the CMS db, etc. See https://forum.eset.com/topic/35686-threat-jsspybankerkt-trojan:
"Where did you eventually find it?"
"Entry file app.php, mage.php."
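The advice above amounts to: grep the whole site for the indicator string, and remember that the injection may not be stored as plain text. As an added example (not code from the ESET forum, from ESET, or from any of the posters), the script below walks a site tree and a database dump, searches for the two indicator strings named in this thread plus the generic "var _0xNNNN=[" header that javascript-obfuscator output starts with, and also decodes base64 runs and \x-escaped runs before searching, so an indicator hidden inside eval(atob("...")) or a hex-escaped string is still reported with the file and line of the encoded blob. The sample files it scans in demo() are constructed for the example; the file names, the regexes and the 40-character / 8-escape thresholds are assumptions, not anything ESET publishes.

```python
import base64
import binascii
import re
import sys
import tempfile
from pathlib import Path

# Literal strings that ESET staff in the thread suggested grepping for.
LITERAL_INDICATORS = [
    b"parentNode.insertBefore(po, s)",
    b"var _0x5aa5=",
]

# Generic form of the string-array header that javascript-obfuscator emits
# ("var _0xabcd=[...]"), so a renamed variant of the same injection is also caught.
GENERIC_PATTERNS = [
    ("obfuscator string array", re.compile(rb"var _0x[0-9a-f]{4,6}\s*=\s*\[")),
]

# Runs that look like base64 or \x-escaped text (thresholds are assumptions). Each run
# is decoded and scanned again, because the injection may sit encoded in a PHP file
# or in the CMS database.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
HEX_RUN = re.compile(rb"(?:\\x[0-9a-fA-F]{2}){8,}")

SCAN_SUFFIXES = {".php", ".phtml", ".js", ".html", ".htm", ".sql"}


def views(data):
    """Yield (label, offset, buffer): the raw bytes plus every decodable run inside them."""
    yield "raw", 0, data
    for m in B64_RUN.finditer(data):
        try:
            yield "base64", m.start(), base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue
    for m in HEX_RUN.finditer(data):
        hexdigits = m.group(0).replace(b"\\x", b"").decode("ascii")
        yield "hex-escape", m.start(), bytes.fromhex(hexdigits)


def scan_bytes(data):
    """Return [(view, line, indicator)] for one file's contents."""
    hits = []
    for label, offset, buf in views(data):
        found = [(lit.decode(), buf.find(lit)) for lit in LITERAL_INDICATORS]
        for name, pat in GENERIC_PATTERNS:
            m = pat.search(buf)
            found.append((name, m.start() if m else -1))
        for name, pos in found:
            if pos < 0:
                continue
            # Raw hits get their own line; decoded hits get the line of the encoded run.
            anchor = pos if label == "raw" else offset
            hits.append((label, data.count(b"\n", 0, anchor) + 1, name))
    return hits


def scan_tree(root):
    """Walk root and return {relative_posix_path: hits} for files containing an indicator."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_bytes(path.read_bytes())
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo():
    """Scan a constructed Magento-like tree (sample data written here, not a real site)."""
    payload = (b'var _0x5aa5=["createElement","script"];(function(){'
               b'var po=document.createElement("script");'
               b'var s=document.getElementsByTagName("script")[0];'
               b's.parentNode.insertBefore(po, s)})();')
    samples = {
        # Legitimate tag: insertBefore with different argument names, so no hit.
        "app/design/footer.phtml": (
            b'<script>(function(){var elem=document.createElement("script");'
            b'var scpt=document.getElementsByTagName("script")[0];'
            b'scpt.parentNode.insertBefore(elem, scpt);})();</script>\n'),
        # Plain-text injection in a PHP file (hit on line 3).
        "app/code/classes/Loader.php":
            b"<?php\n// constructed sample\necho 'var _0x5aa5=[\"log\",\"hello\"];';\n",
        # Same payload base64-encoded inside a database dump row (hit on line 2).
        "var/dump.sql":
            b"-- constructed dump\nINSERT INTO core_config_data (path, value) VALUES "
            b"('design/head/includes', '<script>eval(atob(\""
            + base64.b64encode(payload) + b"\"))</script>');\n",
        # Indicator hidden behind \x escapes in a JS file (hit on line 1).
        "skin/js/lib.js":
            b'var s="\\x76\\x61\\x72\\x20\\x5f\\x30\\x78\\x35\\x61\\x61\\x35\\x3d";\n',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return scan_tree(tmp)


if __name__ == "__main__":
    # Pass a web root (or a directory holding a mysqldump) to scan it; no argument runs the demo.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, hits in results.items():
        for view, line, name in hits:
            print(f"{rel}:{line} [{view}] {name}")
```

Run it against a copy of the document root and against a mysqldump of the shop database; the Quantcast, Facebook and Yotpo tags posted earlier in this thread call parentNode.insertBefore with other argument names and are not reported, while the same string with the obfuscator's "po, s" arguments is, even when it only exists base64-encoded in a core_config_data row. A hit in a decoded view is reported with the line of the encoded blob, which is the line you need to edit or delete.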
hegoss, posted March 28, 2023:
Hello ESET team again. Could you please confirm that var _0x5aa5 is the correct sequence? We downloaded the whole website and searched the entire website and database, but there is no such sequence, nor an app.php or mage.php file.
https://nastartujes.cz/order is the URL where the trojan horse is detected.
Thank you
Marcos (Administrator), posted March 28, 2023:
1 hour ago, hegoss said:
"https://nastartujes.cz/order is the URL where the trojan horse is detected"
A malicious JavaScript is there:
hegoss, posted March 28, 2023:
Thanks, but how do I find it?
hegoss, posted March 29, 2023:
I found it finally. It was in the classes directory.
eddi, posted May 23, 2023:
Hello, a customer sent an info that this shop has the same problem. Dear ESET team, do you have a hint for me on how to solve it?
Marcos (Administrator), posted May 23, 2023:
2 hours ago, eddi said:
"Hello, a customer sent an info that this shop has the same problem. Dear ESET team, do you have a hint for me on how to solve it?"
If it's your website, please scan the "classes" folder with ESET. If no threat is found, please provide the php files from that folder.