Home Testimonials Company Support 1–888–873–0817
PRICING SUPPORT LOGIN
Home Notes Malware Signatures About

Malware entry: malware.reversed_pastebin

Description: Suspicious code that uses the .split("").reverse().join("") trick to obfuscate injection of scripts that load malicious content from Pastebin.com.

The scripts may be identified by the moc.nibetsap substring which is reversed pastebin.com. Sometimes there may be additional layers of obfuscations that make detection of such reversed scripts less obvious. For example, this hex-encoded string \x6D\x6F\x63​\x2E\x6E\x69\x62​\x65\x74\x73\x61\x70 is just another representation of moc.nibetsap

For more information read out blog posts about reversed pastebin scripts.



Affecting: Any web site. We see this tricked used in many different attacks. Most prominent of them targeted WordPress and Magento sites.

For all our web-based malware signatures, go here: http://labs.sucuri.net/?malwaredb