Threat: JS/Spy.Banker.KT trojan

[behman 0]

 https://www.gensace.de/checkout/onepage/ 

This web page may contain dangerous content that can provide remote access to an infected device, leak sensitive data from the device or harm the targeted device.
Threat: JS/Spy.Banker.KT trojan
Access to the web page has been blocked. Your computer is safe.

how can i find the js trojan,should be zopim? or the google ga code?

[Marcos 5,074]

If you are an administrator of the website, searching for "var a0a=" will help you locate the malicious JS.

[behman 0]

yes ,i'm the administrator.

as you say . i cant find the string "var a0a=". i use grep -r "var a0a=" in server.

[behman 0]

if you have not item in cart.it will rediect to cart page .so you need to add item to cart . 

 hxxps://www.gensace.de/checkout/onepage/ 

[Marcos 5,074]

The threat may be encrypted or hiding in a WP db for instance. We'd suggest to start with checking the main WP index.php for suspicious code. If you don't find any, try searching for functions atob/btoa and for code accessing the db, e.g.
$wpdb->get_var("SELECT

[behman 0]

it is mgt .not wp

[behman 0]

hey . i search the whole db. but i have not found the string.  maybe its  false positive？

 

[Marcos 5,074]

The detection is correct. The malicious JS is actually there:

 

[behman 0]

thx,marcos. i found it. they confound the code

 

[Marcos 5,074]

Just now, behman said:

thx,marcos. i found it. they confound the code

 

Where did you eventually find it? It might help other users with this infection.

[behman 0]

Entry file。app.php  mage.php

[Marcos 5,074]

Thanks. Did you also find out why you could not initially find the malicious JS by the string I provided? Was it encrypted?