Malware – how to find the offending files

A client’s site apparently has js/spy.banker.kj malware on its basket/cart page. I found some code in View Source that matches code that is highlighted elsewhere as being the dodgy code – https://forum.eset.com/topic/35067-help-detecting-the-threat-jsspybankerkj-trojan/

I do not have a copy of the site locally and it is taking a while to download – I don’t have access to the site except through SSH and cpanel. On cpanel in the File manager, the search is only searching file names, not content. I have tried via SSH to grep the content with the likes of

grep -lrIi aHR0cHM6Ly93d3 public_html > outputfile.txt

find ./ -name "*.php" -exec grep -r -l -I "aHR0cHM6Ly93d3" {} ;

find / -type f -name "*.js" -exec grep -il 'aHR0cHM6Ly93d3' {}; > output.txt

grep -r "aHR0cHM6Ly93d3"

grep -rli "atob" *.php

but am getting errors like no such file etc:

[website@website-32 public_html]$ grep -lrIi aHR0cHM6Ly93d3 public_html > outputfile.txt

grep: public_html: No such file or directory

[website@website-32 public_html]$ grep -lrIi aHR0cHM6Ly93d3 outputfile.txt

[website@website-32 public_html]$ find ./ -name "*.php" -exec grep -r -l -I "aHR0cHM6Ly93d3" {}

> ^C

[website@website-32 public_html]$ find / -type f -name "*.js" -exec grep -il 'aHR0cHM6Ly93d3' {}; > output.txt

find: missing argument to `-exec'

[website@website-32 public_html]$ find / -type f -name "*.js" -exec grep -r -il 'aHR0cHM6Ly93d3' {}; > output.txt

find: missing argument to `-exec'

[website@website-32 public_html]$ cd lib

[website@website-32 lib]$ grep -r "aHR0cHM6Ly93d3" *.js

grep: *.js: No such file or directory

[website@website-32 lib]$ grep -r "aHR0cHM6Ly93d3"

[website@website-32 lib]$ grep -rli "atob" *.php

grep: *.php: No such file or directory

[website@website-32 lib]$

Can anyone suggest where to look for the source of the malware? Or how to grep successfully? Thanks!

submitted by /u/hawthornmage
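An added example (not the poster's code) of the content search the post is attempting, with the grep and find syntax fixed: the indicator `aHR0cHM6Ly93d3` is base64 for `https://ww`, so the search also looks for `atob(` calls that decode such strings. The web root is a constructed temporary directory; the function names and the sample files are assumptions for the demo.

```shell
#!/bin/sh
# Search a web root's source files for the two indicators named in the post:
# the base64 prefix "aHR0cHM6Ly93d3" ("https://ww") and calls to atob().
# Prints one matching file path per line.
scan_webroot() {
    webroot="$1"
    # -r recurse, -l file names only, -I skip binaries, -i case-insensitive,
    # -E extended regex so both indicators are checked in one pass.
    # --include limits the scan to web source files (GNU grep option).
    grep -rlIiE --include='*.php' --include='*.phtml' --include='*.js' --include='*.html' \
        'aHR0cHM6Ly93d3|atob\(' "$webroot" 2>/dev/null
}

# The same search via find -exec. The post's attempts failed because the
# terminator was a bare ";" (consumed by the shell); it must be escaped as "\;".
scan_webroot_find() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' \) \
        -exec grep -lIi 'aHR0cHM6Ly93d3' {} \; 2>/dev/null
}

# Build a small constructed web root so the functions can be exercised offline.
# Only lib/cart.js contains an injected-looking atob() line (decodes to
# https://www.example.com, a harmless placeholder).
make_sample_webroot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/lib" "$dir/skin"
    printf '<?php echo "hello"; ?>\n' > "$dir/index.php"
    printf 'var u = atob("aHR0cHM6Ly93d3cuZXhhbXBsZS5jb20=");\n' > "$dir/lib/cart.js"
    printf 'body { color: #000; }\n' > "$dir/skin/style.css"
    printf '\000\001binary\n' > "$dir/skin/blob.bin"
    echo "$dir"
}
```

Run it as `scan_webroot /home/website/public_html` from the account's home directory; the earlier "No such file or directory" errors came from passing `public_html` while already inside it, and from `*.js` having no match in the current directory.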