Jump to content

Help Detecting the Threat: JS/Spy.Banker.KJ trojan

Ange
 Share
Go to solution Solved by Marcos,

Recommended Posts

Ange

Ange 0

Posted
Posted (edited)

Can somebody please have a look for me to help find it? Url is in the screenshot - I don't want to post the URL directly in case Google ranks it!

Can I get a code line number of where the detection was made?

js spy banker kj trojan 2.JPG

Edited by Ange
Add information
Link to comment
Share on other sites
  • Administrators
  • Solution
Marcos

Marcos 4,553

Posted
  • Administrators
  • Solution
Posted

Searching for "parentNode.insertBefore(po, s)" should help you locate the malicious JS.

Link to comment
Share on other sites
Ange

Ange 0

Posted
  • Author
Posted

Hey Marcos, 

Okay thank you - that gives me a starting point. This could pertain to a number of code lines in our script.

I'll list them below - can you please let me know what you think could be triggering it? Is it possible that I ESET is triggering a false positive?

Quantcast Tag

</script>
  <!-- Quantcast Tag -->
  <_script type="text/javascript">
  window._qevents = window._qevents || [];
   
  (function() {
  var elem = document.createElement('script');
  elem.src = (document.location.protocol == "https:" ? "https://secure" : "hxxp://edge") + ".quantserve.com/quant.js";
  elem.async = true;
  elem.type = "text/javascript";
  var scpt = document.getElementsByTagName('script')[0];
  scpt.parentNode.insertBefore(elem, scpt);
  })();
   
  window._qevents.push({
  qacct:"p-0yt8t04BdHBHy",
  uid:""
  });
  </script>

Facebook Tag

</style> <!-- Facebook Business Extension for Magento 2 -->
  <!-- Facebook Pixel Code -->
  <_script>
  !function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
  n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n;
  n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0;
  t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,
  document,'script','//connect.facebook.net/en_US/fbevents.js');
  fbq(
  'init',
  '260325074565775',
  {},
  {agent: 'magento2-2.4.2-1.2.5' }
  );
  fbq('track', 'PageView', {
  source: "magento2",
  version: "2.4.2",
  pluginVersion: "1.2.5"
  });
  </script>
  <noscript>
  <img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=260325074565775&ev=PageView&noscript=1&a=magento2-2.4.2-1.2.5" />
  </noscript>
 

<!-- End Facebook Pixel Code -->

Yotpo Tag

 

<!-- Yotpo - Widget Script -->
  <_script>
  (function e(){var e=document.createElement("script");e.type="text/javascript",e.async=true,e.src="//staticw2.yotpo.com/MiYqr6pLo4uM7oXnMnqaO13o5qy27pLQHQp9o9zC/widget.js";var t=document.getElementsByTagName("script")[0];t.parentNode.insertBefore(e,t)})();
  </script>
Link to comment
Share on other sites
Ange

Ange 0

Posted
  • Author
Posted

Hey Marco,

Thank you for locating that! Only after I replied I also found this script.
 

Is this definitely a virus code, or could it be a false positive?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...