dahms, Posted August 1, 2023: Hi, we have been told by a customer that our site was not available for some devices when using ESET. Apparently the site is infected with the JS/Spy.Banker.KJ trojan. The site address is https://zespa.fr/. I have tried to make a copy of the whole site and run a scan on it using the ESET scan feature, but nothing is found except in the cache folder where all pages are cached (which makes sense then). Other than that, no threat seems to be found, but we still have the warning when accessing the site, so the JS must be hidden somewhere. Can you guys help us locate the threat? Thanks a lot, Best
Marcos (Administrator), Posted August 1, 2023: The detection is correct. The malware can be encrypted and hiding anywhere, e.g. in a database as it was here: https://forum.eset.com/topic/36848-jsspybankerkn
dahms (Author), Posted August 1, 2023: Thanks for your quick answer. I have access to the database through DBeaver but I don't know what to look for. Would you have any suggestions? Also, how can I be sure the malignant JS is not located in the server files? Thanks. Best,
Marcos (Administrator), Posted August 1, 2023: It's probably this whole script that loads with the default HTML file:
dahms (Author), Posted August 1, 2023: I have tried to find the JS by searching (looking for "blob") in all the DB tables but found nothing. Since it seems to be injected in the Google Tag Manager script, I have also tried to look up every GTM tag, but nothing there as well. Please find attached how the GTM script is implemented on the site. I have double checked and this is the right script, directly from the implementation guide provided by Google. What would you recommend?
Marcos (Administrator), Posted August 1, 2023: I would recommend contacting a website cleaning and monitoring service, such as sucuri.net.
itman, Posted August 1, 2023: Sucuri found Magento card-stealing malware in multiple locations on the web site: https://sitecheck.sucuri.net/results/https/zespa.fr
dahms (Author), Posted August 1, 2023: Thanks for your help guys. I was already aware of the Sucuri SiteCheck results as I have installed the plugin on the infected WordPress site. I have looked into website cleaning and monitoring services such as sucuri.net, but those are quite expensive and do not seem to work for a one-time intervention. Any other lead I could follow in order to solve the issue myself? I have all the access required for both server and database files. Thanks!
itman, Posted August 1, 2023: 31 minutes ago, dahms said: "Any other lead I could follow in order to solve the issue myself?" Sucuri has an article on how to clean a web site of Magento malware: https://sucuri.net/guides/how-to-clean-hacked-magento/
Solution: dahms (Author), Posted August 2, 2023: Hi guys, thanks for your help, I have found the issue. If that can help someone, here is how: It was indeed located inside the database, in the WordPress "options" table. It was the value of one of the elements from Divi Builder. I don't know how it was injected there but I have removed it. In order to locate it, I downloaded the whole database as an SQL file and I used a code editor to bulk search some special terms in the whole database (like "atob" or "blob"). Have a good day! Best.
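The search the solution describes (dump the database to SQL, then look for markers of obfuscated JavaScript such as "atob" or "blob") can be scripted so that each hit is tied back to the table and the option_name that holds it. This is an added example, not code from the thread or from ESET/Sucuri; the SQL excerpt, the option name and the indicator list are constructed for illustration.

```python
import re

# Constructed excerpt of a WordPress SQL dump (not real data); the third row
# imitates an obfuscated script stored in a page-builder option, as in the thread.
SAMPLE_DUMP = r"""
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.invalid','yes'),(2,'blogname','Shop','yes');
INSERT INTO `wp_options` VALUES (3,'divi_builder_example_option','<script>var p=atob(\'aHR0cHM6Ly9leGFtcGxlLmludmFsaWQ=\');new Blob([p]);</script>','yes');
INSERT INTO `wp_posts` VALUES (10,'Hello world','<p>Welcome</p>');
""".strip().splitlines()

# Terms the author searched for ("atob", "blob") plus other common markers
# of obfuscated JavaScript; all comparisons are case-insensitive.
INDICATORS = ("atob", "blob", "fromcharcode", "eval(", "unescape(")

INSERT_RE = re.compile(r"INSERT INTO `?(\w+)`?", re.I)
# One wp_options row: (option_id, 'option_name', 'option_value', 'autoload').
# The value pattern steps over backslash-escaped quotes inside the stored string.
OPTION_ROW_RE = re.compile(
    r"\(\d+,\s*'([^']+)',\s*'((?:[^'\\]|\\.)*)',\s*'(?:yes|no|on|off|auto)'\)")


def scan_dump(lines):
    """Return (line_no, table, option_name, indicators) for each suspicious line."""
    hits = []
    table = None
    for no, line in enumerate(lines, 1):
        m = INSERT_RE.search(line)
        if m:
            table = m.group(1)  # remember which table the following rows belong to
        low = line.lower()
        found = [t for t in INDICATORS if t in low]
        if not found:
            continue
        # Attribute the hit to the option_name whose value carries the marker,
        # so the exact row can be inspected and removed in the DB client.
        name = None
        for row in OPTION_ROW_RE.finditer(line):
            if any(t in row.group(2).lower() for t in found):
                name = row.group(1)
                break
        hits.append((no, table, name, found))
    return hits


if __name__ == "__main__":
    for no, table, name, found in scan_dump(SAMPLE_DUMP):
        print(f"line {no}: table={table} option={name} markers={found}")
```

Point `scan_dump` at the lines of a real dump (`open(path)`) instead of `SAMPLE_DUMP`; legitimate plugins also use these terms, so each hit still needs a look at the stored value before anything is deleted.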