Karl P, posted May 11, 2023 (edited)

Hi, I'm new here and a novice. My hosting company couldn't locate the Trojan on my website and has asked me to assist by requesting information on locating it from the forum. My site is a PrestaShop 1.7.8.2. The problem was found by a customer who was running ESET on her system: the JS.Banker.IV Trojan was flagged by ESET. Where and how can the code be identified and removed, please? Many thanks in advance. Karl

Edited May 11, 2023 by Karl P: Additional information

Nevermind, posted May 11, 2023

Well, you can start with telling us what the detected URL is.

Maciej, posted May 12, 2023

How do I inform you about the site URL? I have the same problem with PrestaShop 1.7.7.x. One domain on the VPS server is infected; a second with the same version is not infected... How is that possible? I have another problem with ESET software. A customer had a problem with JS.Banker.IV when he wanted to enter the cart page, but I don't have any problem with this site. I installed a trial version of ESET Smart Security and saw nothing. The site is working fine. Why did my customer have a problem with my site, but I don't have this problem?

Marcos (Administrators), posted May 12, 2023

The detection is correct. However, we don't have such an infected web server at our disposal in order to tell where exactly the malware could be hiding. It could be in a CMS db, in a plain or encrypted form, etc. If you provide the website URL, we could at least tell you a part of the malicious code that might help you locate the malicious JS (or not, e.g. if it's encrypted on the server).

Maciej, posted May 12, 2023

Please check the site https://aura.szczecin.pl
On https://www.virustotal.com/gui/url/304624c05d24d485e27728b685dce8712200991538e833e712713fe585a4b0dc?nocache=1 this site is not shown as infected. If possible, please remove the alert from the ESET database.

Marcos (Administrators), posted May 12, 2023

A scan of an infected file shows that more AVs detect it:

Maciej, posted May 12, 2023

I see only that on the report (screen).

Marcos (Administrators), posted May 12, 2023

6 minutes ago, Maciej said: "I see only that on the report (screen)."

That's because you have checked whether the website is blacklisted by other AVs, but it doesn't tell you anything about malware in files that are on the website. If a website gets compromised and malware is injected, the whole domain usually doesn't get blacklisted.

Nevermind, posted May 12, 2023

53 minutes ago, Maciej said: "Why did my customer have a problem with my site, but I don't have this problem?"

Because you do not have control over the logic of who gets infected content and who does not. The attacker does. And often, if the (malicious) script finds out you are logged in to WordPress as admin, you get to see only the clean version. But there are more tactics, like how many times you visited the page, how much time has elapsed since your previous visit, whether your IP is on some kind of blacklist, etc.
