We have had this issue on our website for a week now.



We had some web developers find and remove some JavaScript which looked like it was the issue, but we are still getting the checkout pages blocked.

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
30/06/2023 8:01:32 am;HTTP filter;file;https://knightgroup.co.nz/checkout/cart;JS/Spy.Banker.KN trojan;connection terminated;DESKTOP-35G460M\Rob;Event occurred during an attempt to access the web by the application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (652FBB385E69B25D40A17DF64CDC8520C3F9AABA).;0B7A033FBC33BC1763DF8489725C0331DCB0F9FD;

Can't find any relevant info about this.

Does anyone have a sample piece of the JavaScript that we should be looking for?


Thanks, Rob


  • Administrators

The script is likely obfuscated and can be located either in files or in the CMS database, so it's impossible to tell where and what you should search for. Please look up other topics concerning JS/Spy.Banker here in the forum, e.g. https://forum.eset.com/topic/36831-jsspybankerkn.



Have found it.



It's located in the core_config_data table. This is a Magento 2.2.11 site.

Regards, Rob

Edited by Slowboy

5 hours ago, William Patrick said:

I got the same issue; may I know the keyword you searched for in the core_config_data table? How to locate the script? Thanks in advance.

Did you refer to this: https://sucuri.net/guides/how-to-clean-hacked-magento/ as I posted in the thread you created?

Also Sucuri can be engaged to clean your web site.
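
An added example, not from any poster in this thread: because the injected script is likely obfuscated and no single keyword is reliable, this triage looks for any `core_config_data` value that can execute script at all, then notes obfuscation markers and script hosts outside the shop's own domain. The rows, hostnames and the `triage` helper are constructed for illustration; real input is assumed to be the output of `SELECT config_id, scope, scope_id, path, value FROM core_config_data` (with your table prefix, if any).

```python
import re
from urllib.parse import urlparse

# Markup that can execute script when a config value is rendered into a page.
EXEC_MARKUP = re.compile(r"<\s*script\b|<\s*iframe\b|\bon[a-z]+\s*=|javascript:", re.I)
# Constructs often seen in obfuscated loaders; a triage hint, not proof.
OBFUSCATION = re.compile(
    r"\beval\s*\(|\batob\s*\(|fromCharCode|\\x[0-9a-f]{2}|[A-Za-z0-9+/]{80,}={0,2}", re.I)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

def triage(rows, own_hosts):
    """rows: (config_id, scope, scope_id, path, value) tuples.
    Returns one finding per row whose value carries executable markup."""
    findings = []
    for config_id, scope, scope_id, path, value in rows:
        if not value or not EXEC_MARKUP.search(value):
            continue
        hosts = set()
        for src in SRC_ATTR.findall(value):
            host = urlparse(src).hostname  # None for relative URLs
            if host and host not in own_hosts:
                hosts.add(host)
        findings.append({
            "config_id": config_id,
            "scope": f"{scope}/{scope_id}",
            "path": path,
            "external_hosts": sorted(hosts),
            "obfuscated": bool(OBFUSCATION.search(value)),
        })
    return findings

# Constructed sample rows (not taken from the affected site).
SAMPLE_ROWS = [
    (12, "default", 0, "web/secure/base_url", "https://shop.example/"),
    (87, "default", 0, "design/head/includes",
     '<link rel="stylesheet" href="/css/extra.css">'),
    (88, "default", 0, "design/footer/absolute_footer",
     '<script>eval(atob("ZG9jdW1lbnQ="))</script>'),
    (140, "stores", 1, "design/head/includes",
     '<script src="https://cdn.invalid/a.js"></script>'),
    (141, "default", 0, "design/footer/copyright", "Copyright shop.example"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS, own_hosts={"shop.example"}):
        print(finding)
```

Every flagged row still needs a manual look: legitimate analytics or chat snippets are stored in the same table and will show up alongside anything injected.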
