
Help Detecting the Threat: JS/Spy.Banker.KJ trojan


Solved by Marcos


Posted (edited)

Can somebody please have a look for me to help find it? Url is in the screenshot - I don't want to post the URL directly in case Google ranks it!

Can I get a code line number of where the detection was made?

[Screenshot: js spy banker kj trojan 2.JPG]

Edited by Ange
  • Administrators
  • Solution
Posted

Searching for "parentNode.insertBefore(po, s)" should help you locate the malicious JS.

Posted

Hey Marcos, 

Okay thank you - that gives me a starting point. This could pertain to a number of code lines in our script.

I'll list them below - can you please let me know what you think could be triggering it? Is it possible that ESET is triggering a false positive?

Quantcast Tag

</script>
  <!-- Quantcast Tag -->
  <_script type="text/javascript">
  window._qevents = window._qevents || [];
   
  (function() {
  var elem = document.createElement('script');
  elem.src = (document.location.protocol == "https:" ? "https://secure" : "hxxp://edge") + ".quantserve.com/quant.js";
  elem.async = true;
  elem.type = "text/javascript";
  var scpt = document.getElementsByTagName('script')[0];
  scpt.parentNode.insertBefore(elem, scpt);
  })();
   
  window._qevents.push({
  qacct:"p-0yt8t04BdHBHy",
  uid:""
  });
  </script>

Facebook Tag

</style> <!-- Facebook Business Extension for Magento 2 -->
  <!-- Facebook Pixel Code -->
  <_script>
  !function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
  n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n;
  n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0;
  t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,
  document,'script','//connect.facebook.net/en_US/fbevents.js');
  fbq(
  'init',
  '260325074565775',
  {},
  {agent: 'magento2-2.4.2-1.2.5' }
  );
  fbq('track', 'PageView', {
  source: "magento2",
  version: "2.4.2",
  pluginVersion: "1.2.5"
  });
  </script>
  <noscript>
  <img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=260325074565775&ev=PageView&noscript=1&a=magento2-2.4.2-1.2.5" />
  </noscript>
 

<!-- End Facebook Pixel Code -->

Yotpo Tag

 

<!-- Yotpo - Widget Script -->
  <_script>
  (function e(){var e=document.createElement("script");e.type="text/javascript",e.async=true,e.src="//staticw2.yotpo.com/MiYqr6pLo4uM7oXnMnqaO13o5qy27pLQHQp9o9zC/widget.js";var t=document.getElementsByTagName("script")[0];t.parentNode.insertBefore(e,t)})();
  </script>
Posted

Hey Marcos,

Thank you for locating that! Only after I replied did I also find this script.

Is this definitely a virus code, or could it be a false positive?

  • Administrators
Posted

It's definitely malicious; the script loads a JS file from a website blocked by 2 vendors:

[Screenshot: image.png]

Posted

Hey Marcos,

Wow, thanks so much for your assistance! You are brilliant!

  • 2 months later...
Posted

Hello,

ESET detected JS/Spy.Banker.IV on the following page: https://nastartujes.cz/order. Could you please help me locate the source so I can remove it?

 

Thanks 

  • Administrators
Posted
32 minutes ago, hegoss said:

ESET detected JS/Spy.Banker.IV on the following page: https://nastartujes.cz/order. Could you please help me locate the source so I can remove it?

Searching for "var _0x5aa5=" should help you locate the malicious JS.

[Screenshot: image.png]
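As an added example (my own code, not from this thread or from ESET), here is a small Python scanner that does what both of Marcos's answers suggest: it walks a downloaded copy of the site and reports the file and line number of each indicator string, which answers the line-number question from the first post. The indicator list holds the two strings quoted in the thread; the extra check for hex-named variables of the form var _0x....= is my assumption, based on how common JS obfuscators name things, and the sample HTML is constructed.

```python
import re
from pathlib import Path

# Indicator strings quoted by the ESET admin in this thread (constructed list;
# add whatever your scanner reports).
INDICATORS = [
    "parentNode.insertBefore(po, s)",
    "var _0x5aa5=",
]

# Assumption: hex-named variables such as _0x5aa5 are typical of JS obfuscators,
# so flag that naming pattern in general as well.
OBFUSCATED_VAR = re.compile(r"\bvar\s+_0x[0-9a-fA-F]{4,}\s*=")

# File types worth scanning in a Magento/PHP web root.
SCAN_SUFFIXES = {".js", ".php", ".html", ".htm", ".phtml"}

def scan_text(text, source="<inline>"):
    """Return (source, line_number, matched_indicator) for every hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for needle in INDICATORS:
            if needle in line:
                hits.append((source, lineno, needle))
                break
        else:  # no literal indicator on this line: try the obfuscator pattern
            m = OBFUSCATED_VAR.search(line)
            if m:
                hits.append((source, lineno, m.group(0)))
    return hits

def scan_tree(root):
    """Scan every file under root (e.g. the downloaded 'classes' folder)."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits.extend(scan_text(text, str(path)))
    return hits

# Constructed sample: a benign tag-manager loader (different variable names,
# so it does not match) followed by two injected lines that do.
SAMPLE = """<script>
var scpt = document.getElementsByTagName('script')[0];
scpt.parentNode.insertBefore(elem, scpt);
</script>
<script>var _0x5aa5=['a','b'];(function(){})();</script>
<script>var _0x1a2b3c = [];</script>
"""

if __name__ == "__main__":
    for src, lineno, what in scan_text(SAMPLE, "sample.php"):
        print(f"{src}:{lineno}: {what}")
```

Run scan_tree("classes") against a copy of the site to get the same file:line report for real files; a match is a starting point for manual review, not proof of infection on its own.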

Posted

Sorry, but I cannot find it in the HTML source code of that page. :( Or did you mean somewhere else?

  • 2 weeks later...
Posted

Hello ESET team again. Could you please confirm that var _0x5aa5 is the correct sequence? We downloaded the whole website and searched the entire website and database, but there is no such sequence, nor an app.php or mage.php file.

https://nastartujes.cz/order is the URL where the trojan horse is detected

 

Thank you

 

  • Administrators
Posted
1 hour ago, hegoss said:

https://nastartujes.cz/order is the URL where the trojan horse is detected

A malicious JavaScript is there:

[Screenshot: image.png]

Posted

I found it finally. It was in the classes directory.

  • 1 month later...
Posted

Hello, a customer sent an info that this shop has the same problem. Dear ESET team, do you have a hint for me on how to solve it?

[Screenshot: 2023-05-23-18_32_58-Warnung-ESET-Interne]

 

  • Administrators
Posted
2 hours ago, eddi said:

Hello, a customer sent an info that this shop has the same problem. Dear ESET team, do you have a hint for me on how to solve it?

If it's your website, please scan the "classes" folder with ESET. If no threat is found, please provide the php files from that folder.
