JS/Spy.Banker.KN

[Slowboy 0]

Hi,

We have had this issue on our website for a week now.

 

We had some web developers find and remove some javascript which looked like it was the issue but we are still getting the checkout pages blocked.

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
30/06/2023 8:01:32 am;HTTP filter;file;https://knightgroup.co.nz/checkout/cart;JS/Spy.Banker.KN trojan;connection terminated;DESKTOP-35G460M\Rob;Event occurred during an attempt to access the web by the application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (652FBB385E69B25D40A17DF64CDC8520C3F9AABA).;0B7A033FBC33BC1763DF8489725C0331DCB0F9FD;
 

Can't find any relevant info about this.

Does anyone have a sample piece of the javascript that we should be looking for?

 

Thanks, Rob

[Marcos 4,841]

The script is likely obfuscated and can be located either in files or CMS database so it's impossible to tell where and what you should search for. Please look up other topics concerning JS/Spy.Banker here in the forum, e.g. https://forum.eset.com/topic/36831-jsspybankerkn.

[Slowboy 0]

Hi,

Have found it.

 

Its located in the core_config_data table. This is a Magento 2.2.11 site.

Regards, Rob

Edited June 29 by Slowboy

[itman 1,595]

5 hours ago, William Patrick said:

I got the same issue; may I know the keyword you did search on core_config_data table? how to locate the script? thanks in advance

Did you refer to this: https://sucuri.net/guides/how-to-clean-hacked-magento/ as I posted in the thread you created?

Also Sucuri can be engaged to clean your web site.