I am running Moodle 3.8.3 (Build: 20200511) on Linux, a fully patched CentOS 7.8. Several (but not all) clients get an ESET AV warning about a Trojan by the name of HTML/ScrInject.B on our site.
I can trigger the ESET AV trojan warning by doing a course search for the term 'pre'.
I looked at the web console and the site does a couple of suspicious and unexpected site lookups to GET js from https://onlinekey.biz/1f9f5ee62aefca3cb1.js and also to https://criticalltech.com/metric/.
Why would a site course search make GET connections to those two sites? I can also find those two sites in the site's '/moodledata/cache/cachestore_file/default_application/core_htmlpurifier/5fc-cache/5fc255ad852c8bcb9dbf94fd6e32ea8abc7f3923.cache' file.
Does the 'core_htmlpurifier' mean that Moodle has already neutralized the trojan?
But more importantly, how do I find where on my site this js gets injected from? I have done a website and a full server string search and have not surfaced any file on disk that contains either of those two URLs.
Can I search the MySQL DB for those terms as well? Or are they maybe obfuscated? Possibly base64 encoded? Any help and pointers on how I can rid our site of that pest?
Thanks for any hints.
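One way to run the database and cache-file search the post asks about, written as an added example for this thread and not code from the original post or from Moodle: it builds the base64 spellings of each domain at all three byte alignments, scans any text dump (mysqldump output, a moodledata cache file) for plain or encoded occurrences, and decodes long base64 runs so the hidden content can be read. The sample rows are constructed; the two domains are the ones named above.

```python
import base64
import re

# Indicators named in the post above; add anything else the investigation turns up.
INDICATORS = ["onlinekey.biz", "criticalltech.com"]

def base64_variants(needle: str) -> set:
    """Base64 fragments present whenever `needle` sits inside a base64 blob: encode it
    behind 0, 1 and 2 dummy bytes (every 3-byte alignment) and trim the chars at
    either end that also depend on unknown neighbouring bytes."""
    raw = needle.encode()
    variants = set()
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + raw).decode().rstrip("=")
        head_drop = (0, 2, 3)[offset]  # chars that encode only the dummy bytes
        tail_drop = 0 if (offset + len(raw)) % 3 == 0 else 1
        variants.add(enc[head_drop:len(enc) - tail_drop])
    return variants

def scan_text(text: str, indicators=INDICATORS) -> list:
    """(line_number, indicator, encoding) for each line with a plain or base64 hit."""
    patterns = []
    for ind in indicators:
        patterns.append((ind, "plain", re.compile(re.escape(ind), re.IGNORECASE)))
        patterns += [(ind, "base64", re.compile(re.escape(v))) for v in base64_variants(ind)]
    hits = []  # feed text from mysqldump, a moodledata cache file or a grep of the web root
    for lineno, line in enumerate(text.splitlines(), start=1):
        for ind, enc, pat in patterns:
            if pat.search(line) and (lineno, ind, enc) not in hits:
                hits.append((lineno, ind, enc))
    return hits

def decode_blobs(line: str) -> list:
    """Decode each long base64 run in a line so the hidden content can be read."""
    out = []
    for blob in re.findall(r"[A-Za-z0-9+/]{24,}={0,2}", line):
        try:
            out.append(base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8", "replace"))
        except ValueError:
            pass
    return out

# Constructed sample: mysqldump-style rows (base64 built here, not copied from any
# real site) plus one serialized-PHP line like those in the htmlpurifier cache.
_BLOCK = base64.b64encode(b'<script src="https://onlinekey.biz/1f9f5ee62aefca3cb1.js"></script>').decode()
_LABEL = base64.b64encode(b"xx https://criticalltech.com/metric/").decode()
SAMPLE = "\n".join([
    "INSERT INTO mdl_block_instances VALUES (7,'html','" + _BLOCK + "');",
    "INSERT INTO mdl_label VALUES (4,2,'Links','" + _LABEL + "');",
    'a:1:{s:3:"url";s:33:"https://criticalltech.com/metric/";}',
])
```

Dump the database with mysqldump and pass the file contents to scan_text; a base64 hit points at the table and row to inspect, and decode_blobs shows what the blob holds.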