behman, Posted March 8, 2023

https://www.gensace.de/checkout/onepage/
This web page may contain dangerous content that can provide remote access to an infected device, leak sensitive data from the device or harm the targeted device.
Threat: JS/Spy.Banker.KT trojan
Access to the web page has been blocked. Your computer is safe.

How can I find the JS trojan? Should it be Zopim, or the Google GA code?

Marcos (Administrators), Posted March 8, 2023

If you are an administrator of the website, searching for "var a0a=" will help you locate the malicious JS.

behman (Author), Posted March 8, 2023

Yes, I'm the administrator. As you say. I can't find the string "var a0a=". I use grep -r "var a0a=" on the server.

behman (Author), Posted March 8, 2023

If you have no item in the cart, it will redirect to the cart page, so you need to add an item to the cart.
hxxps://www.gensace.de/checkout/onepage/

Marcos (Administrators), Posted March 8, 2023

The threat may be encrypted or hiding in a WP db for instance. We'd suggest starting by checking the main WP index.php for suspicious code. If you don't find any, try searching for functions atob/btoa and for code accessing the db, e.g. $wpdb->get_var("SELECT

behman (Author), Posted March 9, 2023

It is mgt, not WP.

behman (Author), Posted March 9, 2023

Hey. I searched the whole DB, but I have not found the string. Maybe it's a false positive?

Marcos (Administrators, Solution), Posted March 9, 2023

The detection is correct. The malicious JS is actually there:

behman (Author), Posted March 9, 2023

Thx, Marcos. I found it. They confound the code.

Marcos (Administrators), Posted March 9, 2023

Just now, behman said:
Thx, Marcos. I found it. They confound the code.

Where did you eventually find it? It might help other users with this infection.

behman (Author), Posted March 9, 2023

Entry file. app.php mage.php

Marcos (Administrators), Posted March 9, 2023

Thanks. Did you also find out why you could not initially find the malicious JS by the string I provided? Was it encrypted?

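Added example, not part of the thread and not ESET's code: a literal grep for "var a0a=" misses the string once it is stored encoded, so this scanner also looks for its hex-escaped and base64 forms and for the atob/btoa calls suggested above. The function names, the extension list and the choice of encodings are assumptions (the thread does not say how the script was hidden); hits are leads for manual review.

```python
import base64
import re
import sys
from pathlib import Path

MARKER = b"var a0a="  # string quoted in the thread

def marker_patterns(marker: bytes = MARKER) -> dict:
    """Regexes for the marker as plain text and in assumed encoded forms."""
    pats = {
        "plain": re.compile(re.escape(marker)),
        # JS/PHP string escapes such as \x76\x61\x72 (either hex case)
        "hex-escaped": re.compile(
            re.escape("".join(f"\\x{b:02x}" for b in marker).encode()), re.I),
        # the thread's second suggestion: base64 helper calls in JS
        "atob/btoa call": re.compile(rb"\b(?:atob|btoa)\s*\("),
    }
    # Base64 text for a substring depends on its byte offset mod 3, so encode
    # at each offset and keep only the characters the marker alone determines.
    for k in range(3):
        enc = base64.b64encode(b"\0" * k + marker)
        stable = enc[(8 * k + 5) // 6 : 8 * (k + len(marker)) // 6]
        pats[f"base64 (offset {k})"] = re.compile(re.escape(stable))
    return pats

def scan_bytes(data: bytes) -> list:
    """Return the names of all patterns found in data."""
    return [name for name, rx in marker_patterns().items() if rx.search(data)]

def scan_tree(root: str, exts=(".php", ".js", ".phtml", ".html")) -> dict:
    """Scan files under root; returns {path: [pattern names]} for hits only."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            found = scan_bytes(path.read_bytes())
            if found:
                hits[str(path)] = found
    return hits

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, found in scan_tree(root).items():
        print(f"{path}: {', '.join(found)}")
```

Run it with the web root as the argument. A database dump exported to a file can be passed through scan_bytes the same way.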