Help Detecting the Threat: JS/Spy.Banker.KJ trojan


Ange
Go to solution Solved by Marcos,

Can somebody please have a look for me to help find it? Url is in the screenshot - I don't want to post the URL directly in case Google ranks it!

Can I get a code line number of where the detection was made?

js spy banker kj trojan 2.JPG

Edited by Ange

Hey Marcos, 

Okay thank you - that gives me a starting point. This could pertain to a number of code lines in our script.

I'll list them below - can you please let me know what you think could be triggering it? Is it possible that ESET is triggering a false positive?

Quantcast Tag

</script>
  <!-- Quantcast Tag -->
  <script type="text/javascript">
  window._qevents = window._qevents || [];

  (function() {
  var elem = document.createElement('script');
  elem.src = (document.location.protocol == "https:" ? "https://secure" : "hxxp://edge") + ".quantserve.com/quant.js";
  elem.async = true;
  elem.type = "text/javascript";
  var scpt = document.getElementsByTagName('script')[0];
  scpt.parentNode.insertBefore(elem, scpt);
  })();

  window._qevents.push({
  qacct:"p-0yt8t04BdHBHy",
  uid:""
  });
  </script>

Facebook Tag

</style> <!-- Facebook Business Extension for Magento 2 -->
  <!-- Facebook Pixel Code -->
  <script>
  !function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
  n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n;
  n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0;
  t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,
  document,'script','//connect.facebook.net/en_US/fbevents.js');
  fbq(
  'init',
  '260325074565775',
  {},
  {agent: 'magento2-2.4.2-1.2.5' }
  );
  fbq('track', 'PageView', {
  source: "magento2",
  version: "2.4.2",
  pluginVersion: "1.2.5"
  });
  </script>
  <noscript>
  <img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=260325074565775&ev=PageView&noscript=1&a=magento2-2.4.2-1.2.5" />
  </noscript>
  <!-- End Facebook Pixel Code -->

Yotpo Tag

<!-- Yotpo - Widget Script -->
  <script>
  (function e(){var e=document.createElement("script");e.type="text/javascript",e.async=true,e.src="//staticw2.yotpo.com/MiYqr6pLo4uM7oXnMnqaO13o5qy27pLQHQp9o9zC/widget.js";var t=document.getElementsByTagName("script")[0];t.parentNode.insertBefore(e,t)})();
  </script>

Hey Marcos,

Thank you for locating that! Only after I replied did I also find this script.

Is this definitely a virus code, or could it be a false positive?


  • 2 months later...

Hello,

ESET detected JS/Spy.Banker.IV on the following page: https://nastartujes.cz/order. Could you please help me locate the source so I can remove it?

Thanks 


  • Administrators
32 minutes ago, hegoss said:

ESET detected JS/Spy.Banker.IV on the following page: https://nastartujes.cz/order. Could you please help me locate the source so I can remove it?

Searching for "var _0x5aa5=" should help you locate the malicious JS.

image.png


  • 2 weeks later...

Hello ESET team again. Could you please confirm that var _0x5aa5 is the correct sequence? We downloaded the whole website, searched the entire website and the database, but there is no such sequence, nor an app.php or mage.php file.

https://nastartujes.cz/order is the URL where the trojan horse is detected.

Thank you

  • Administrators
1 hour ago, hegoss said:

https://nastartujes.cz/order is the URL where the trojan horse is detected.

A malicious JavaScript is there:

image.png


  • 1 month later...

Hello, a customer sent me information that this shop has the same problem. Dear ESET team, do you have a hint for me on how to solve it?

2023-05-23-18_32_58-Warnung-ESET-Interne


  • Administrators
2 hours ago, eddi said:

Hello, a customer sent me information that this shop has the same problem. Dear ESET team, do you have a hint for me on how to solve it?

If it's your website, please scan the "classes" folder with ESET. If no threat is found, please provide the php files from that folder.

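Marcos's two pieces of advice in this thread, search the site for "var _0x5aa5=" and scan the server-side "classes" folder, are both a text search for obfuscator-style markers across the files that build the page. The script below is an added example written for this thread, not ESET's tooling or the shop's own code: it walks a directory of .php/.phtml/.js/.html files (or any exported text, such as a database dump) and reports file, line number and the matching fragment, which is the "code line number" Ange asked for at the top of the thread. The indicator patterns (hex identifiers like _0x5aa5, long runs of \x escapes, eval over decoded strings) are generic obfuscation markers I chose, and the two sample files are constructed for the demonstration. A match is a lead to inspect, not proof of infection: some legitimate minified vendors emit _0x-style names too.

```python
import os
import re
import sys

# Constructed sample files (not taken from the thread): a benign third-party
# tag like the ones the shop owner pasted, and a PHP class that echoes a script
# carrying an obfuscator-style hex identifier like the one the moderator named.
SAMPLE_FILES = {
    "app/design/frontend/theme/templates/footer.phtml": (
        '<!-- Quantcast Tag -->\n'
        '<script type="text/javascript">\n'
        'window._qevents = window._qevents || [];\n'
        '</script>\n'
    ),
    "classes/Cart.php": (
        '<?php\n'
        'class Cart {\n'
        '    public function render() {\n'
        '        echo \'<script>var _0x5aa5=["\\x63\\x68\\x61\\x72\\x43\\x6f\\x64\\x65"];</script>\';\n'
        '    }\n'
        '}\n'
    ),
}

# Generic obfuscation markers (assumed by this example, not ESET signatures).
INDICATORS = {
    # identifiers such as _0x5aa5 produced by common JS obfuscators
    "hex_identifier": re.compile(r"\b_0x[0-9a-fA-F]{4,}\b"),
    # eight or more consecutive \xNN escapes: string-table style encoding
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    # code that evaluates a decoded string at runtime
    "dynamic_eval": re.compile(
        r"\b(?:eval|Function)\s*\(\s*(?:atob|unescape|String\.fromCharCode)\b"
    ),
}

SCAN_EXTENSIONS = (".php", ".phtml", ".js", ".html", ".htm", ".sql")


def scan_text(path, text):
    """Return (path, line_number, indicator_name, matched_fragment) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            match = pattern.search(line)
            if match:
                findings.append((path, lineno, name, match.group(0)))
    return findings


def scan_tree(root, extensions=SCAN_EXTENSIONS):
    """Walk a downloaded site (or DB export) and scan every text file in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if not filename.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, filename)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(path, fh.read()))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return findings


def scan_samples():
    """Run the scanner over the constructed in-memory sample files."""
    findings = []
    for path, text in SAMPLE_FILES.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    # Usage: python scan_obfuscation.py /path/to/site-export
    # Without an argument the constructed samples are scanned instead.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_samples()
    for path, lineno, name, fragment in results:
        print(f"{path}:{lineno}: {name}: {fragment}")
```

Because hegoss found no hit in the downloaded files, it is worth pointing the scanner at a database export as well (the extension list includes .sql for that reason); in Magento-style shops injected script is often stored in CMS block or configuration rows rather than on disk, and the HTML a browser receives is assembled from both. Comparing a saved copy of the served page against the scanned sources shows which part of the pipeline introduced the fragment.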

This topic is now closed to further replies.