Ange, posted January 9, 2023 (edited): Can somebody please have a look for me to help find it? The URL is in the screenshot - I don't want to post the URL directly in case Google ranks it! Can I get a code line number of where the detection was made? Edited January 9, 2023 by Ange: added information
Marcos (Administrators), posted January 10, 2023, marked as solution: Searching for "parentNode.insertBefore(po, s)" should help you locate the malicious JS.
Ange, posted January 10, 2023: Hey Marcos, okay, thank you - that gives me a starting point. This could pertain to a number of code lines in our script. I'll list them below - can you please let me know what you think could be triggering it? Is it possible that ESET is triggering a false positive?

Quantcast Tag

<!-- Quantcast Tag -->
<script type="text/javascript">
window._qevents = window._qevents || [];
(function() {
  var elem = document.createElement('script');
  elem.src = (document.location.protocol == "https:" ? "https://secure" : "hxxp://edge") + ".quantserve.com/quant.js";
  elem.async = true;
  elem.type = "text/javascript";
  var scpt = document.getElementsByTagName('script')[0];
  scpt.parentNode.insertBefore(elem, scpt);
})();
window._qevents.push({ qacct:"p-0yt8t04BdHBHy", uid:"" });
</script>

Facebook Tag

<!-- Facebook Business Extension for Magento 2 -->
<!-- Facebook Pixel Code -->
<script>
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n;
n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,
document,'script','//connect.facebook.net/en_US/fbevents.js');
fbq('init', '260325074565775', {}, {agent: 'magento2-2.4.2-1.2.5'});
fbq('track', 'PageView', { source: "magento2", version: "2.4.2", pluginVersion: "1.2.5" });
</script>
<noscript>
<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=260325074565775&ev=PageView&noscript=1&a=magento2-2.4.2-1.2.5" />
</noscript>
<!-- End Facebook Pixel Code -->

Yotpo Tag

<!-- Yotpo - Widget Script -->
<script>
(function e(){var e=document.createElement("script");e.type="text/javascript",e.async=true,e.src="//staticw2.yotpo.com/MiYqr6pLo4uM7oXnMnqaO13o5qy27pLQHQp9o9zC/widget.js";var t=document.getElementsByTagName("script")[0];t.parentNode.insertBefore(e,t)})();
</script>
Ange, posted January 10, 2023: Hey Marcos, thank you for locating that! Only after I replied did I also find this script. Is this definitely virus code, or could it be a false positive?
Marcos (Administrators), posted January 10, 2023: It's definitely malicious; the script loads JS from a website blocked by 2 vendors.
Ange, posted January 10, 2023: Hey Marcos, wow, thanks so much for your assistance! You are brilliant!
hegoss, posted March 17, 2023: Hello, ESET detected JS/Spy.Banker.IV on the following page: https://nastartujes.cz/order. Could you please help me locate the source so I can remove it? Thanks
Marcos (Administrators), posted March 17, 2023, quoting hegoss: "ESET detected JS/Spy.Banker.IV on the following page: https://nastartujes.cz/order. Could you please help me locate the source so I can remove it?" Searching for "var _0x5aa5=" should help you locate the malicious JS.
hegoss, posted March 17, 2023: Sorry, but I cannot find it in the HTML source code of that page. Or did you mean somewhere else?
Marcos (Administrators), posted March 17, 2023: It may be in an encrypted form on the server, in the CMS DB, etc. See https://forum.eset.com/topic/35686-threat-jsspybankerkt-trojan: "Where did you eventually find it?" "Entry file app.php, mage.php."
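A defender-side way to run the two searches Marcos suggests (the `parentNode.insertBefore` loader and the `var _0x...=` hex-named variables) over a downloaded copy of a site, as an added example that is not code from the thread or from ESET: it flags files containing either indicator, pulls the host out of any literal `.src` assignment, and reports loaders that point at a host not on an allowlist. The allowlist, the file extensions and the sample snippets in the test are constructed for this example; a loader whose `src` is built dynamically cannot be resolved by a static grep and is reported for manual review.

```python
import os
import re
from urllib.parse import urlparse

# Indicators from this thread: the injected loader calls parentNode.insertBefore(...)
# and the obfuscated payload declares hex-named variables such as _0x5aa5.
INSERT_BEFORE_RE = re.compile(r"parentNode\.insertBefore\(\s*\w+\s*,\s*\w+\s*\)")
HEX_VAR_RE = re.compile(r"var\s+_0x[0-9a-f]{4,}\s*=", re.IGNORECASE)
SRC_RE = re.compile(r"""\.src\s*=\s*(['"])(?P<url>[^'"]+)\1""")  # literal .src="..."

# Hosts the site owner expects (constructed allowlist, taken from the benign
# Quantcast, Facebook and Yotpo tags shown earlier in the thread).
ALLOWED_HOSTS = {"secure.quantserve.com", "edge.quantserve.com",
                 "connect.facebook.net", "staticw2.yotpo.com"}


def script_hosts(text):
    # Hosts named in literal .src assignments; a scheme-relative "//host/..." is https.
    hosts = set()
    for m in SRC_RE.finditer(text):
        url = m.group("url")
        if url.startswith("//"):
            url = "https:" + url
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def scan_text(text):
    """Return findings for one file's content (empty list means nothing flagged)."""
    findings = []
    if HEX_VAR_RE.search(text):
        findings.append("hex-obfuscated variable (var _0x....=)")
    if INSERT_BEFORE_RE.search(text):
        hosts = script_hosts(text)
        unknown = hosts - ALLOWED_HOSTS
        if unknown:
            findings.append("script loader to unlisted host: " + ", ".join(sorted(unknown)))
        elif not hosts:
            # src is built at runtime (e.g. t.src=v), so a static grep cannot resolve it
            findings.append("script loader with non-literal src (review manually)")
    return findings


def scan_tree(root, exts=(".php", ".phtml", ".js", ".html")):
    # Walk a downloaded web root and map each flagged path to its findings.
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_text(fh.read())
                if findings:
                    report[path] = findings
    return report
```

Run scan_tree() against an unpacked copy of the site (and a dump of the CMS database exported to text), since the thread notes the injected script may not sit in the served HTML itself.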
hegoss, posted March 28, 2023: Hello ESET team again. Could you please confirm that var _0x5aa5 is the correct sequence? We downloaded the whole website and searched the entire website and database, but there is no such sequence, nor an app.php or mage.php file. https://nastartujes.cz/order is the URL where the trojan horse is detected. Thank you
Marcos (Administrators), posted March 28, 2023, quoting hegoss: "https://nastartujes.cz/order is the URL where the trojan horse is detected" A malicious JavaScript is there:
eddi, posted May 23, 2023: Hello, a customer sent information that this shop has the same problem. Dear ESET team, do you have a hint for me on how to solve it?
Marcos (Administrators), posted May 23, 2023, quoting eddi: "Hello, a customer sent information that this shop has the same problem. Dear ESET team, do you have a hint for me on how to solve it?" If it's your website, please scan the "classes" folder with ESET. If no threat is found, please provide the PHP files from that folder.