A client’s site apparently has js/spy.banker.kj malware on its basket/cart page. I found some code in View Source that matches code that is highlighted elsewhere as being the dodgy code – https://forum.eset.com/topic/35067-help-detecting-the-threat-jsspybankerkj-trojan/
I do not have a copy of the site locally and it is taking a while to download – I don’t have access to the site except through SSH and cpanel. On cpanel in the File manager, the search is only searching file names, not content. I have tried via SSH to grep the content with the likes of
grep -lrIi aHR0cHM6Ly93d3 public_html > outputfile.txt
find ./ -name "*.php" -exec grep -r -l -I "aHR0cHM6Ly93d3" {} ;
find / -type f -name "*.js" -exec grep -il 'aHR0cHM6Ly93d3' {}; > output.txt
grep -r "aHR0cHM6Ly93d3"
grep -rli "atob" *.php
but I am getting errors like "no such file", etc.:
[website@website-32 public_html]$ grep -lrIi aHR0cHM6Ly93d3 public_html > outputfile.txt
grep: public_html: No such file or directory
[website@website-32 public_html]$ grep -lrIi aHR0cHM6Ly93d3 outputfile.txt
[website@website-32 public_html]$ find ./ -name "*.php" -exec grep -r -l -I "aHR0cHM6Ly93d3" {}
> ^C
[website@website-32 public_html]$ find / -type f -name "*.js" -exec grep -il 'aHR0cHM6Ly93d3' {}; > output.txt
find: missing argument to `-exec'
[website@website-32 public_html]$ find / -type f -name "*.js" -exec grep -r -il 'aHR0cHM6Ly93d3' {}; > output.txt
find: missing argument to `-exec'
[website@website-32 public_html]$ cd lib
[website@website-32 lib]$ grep -r "aHR0cHM6Ly93d3" *.js
grep: *.js: No such file or directory
[website@website-32 lib]$ grep -r "aHR0cHM6Ly93d3"
[website@website-32 lib]$ grep -rli "atob" *.php
grep: *.php: No such file or directory
[website@website-32 lib]$
Can anyone suggest where to look for the source of the malware? Or how to grep successfully? Thanks!
submitted by /u/hawthornmage
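Added example, not from the post: a small bash helper that does the search the poster was attempting, with the two mistakes visible in the session avoided (the `;` after `-exec` was unescaped so the shell swallowed it, and `public_html` was given as a path while the shell was already inside that directory). The directory layout and file names in the comments are assumed; the indicator strings are the ones from the post.

```bash
#!/usr/bin/env bash
# Search a web root for the indicators mentioned in the post:
#   aHR0cHM6Ly93d3  - base64 fragment of a "https://ww..." URL
#   atob(           - the browser-side decoder that unwraps such a string
# Assumed usage (example, not the site's real layout):
#   scan_webroot ~/public_html
#   scan_webroot ~/public_html 'atob('
set -u

# scan_webroot DIR [PATTERN]
# Prints the path of every text file under DIR that contains PATTERN.
# Notes on the errors seen in the post:
#  * Run this from the parent of public_html, or pass an absolute path;
#    "grep: public_html: No such file" means the shell was already inside it.
#  * The -exec list is closed with "{} +" so nothing has to be escaped;
#    the "missing argument to `-exec'" error comes from an unescaped ";".
#  * A glob such as *.js only expands in the current directory; letting
#    find walk the tree avoids "grep: *.js: No such file or directory".
scan_webroot() {
  local root="$1"
  local pattern="${2:-aHR0cHM6Ly93d3}"
  [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
  find "$root" -type f \
       \( -name '*.js' -o -name '*.php' -o -name '*.phtml' \
          -o -name '*.html' -o -name '*.htm' \) \
       -exec grep -lI -- "$pattern" {} + 2>/dev/null
}

# count_hits DIR [PATTERN]: number of files scan_webroot reports.
count_hits() {
  scan_webroot "$@" | wc -l | tr -d ' '
}

# Equivalent one-liner without find, for hosts where find is restricted:
#   grep -rlI --include='*.js' --include='*.php' -- 'aHR0cHM6Ly93d3' ~/public_html
```

Review every file it lists by hand: a base64 URL is not malicious on its own, but a `atob(` call on a checkout page that decodes a string into a script or form-submission target is exactly the pattern the linked ESET thread describes.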