Description:
Suspicious code that uses the .split("").reverse().join("") trick to obfuscate injection of scripts that load malicious content from Pastebin.com.
The scripts may be identified by the moc.nibetsap substring, which is pastebin.com reversed. Sometimes there may be additional layers of obfuscation that make detection of such reversed scripts less obvious. For example, this hex-encoded string x6Dx6Fx63x2Ex6Ex69x62x65x74x73x61x70 is just another representation of moc.nibetsap.
For more information read our blog posts about reversed pastebin scripts.
Affecting: Any web site. We see this trick used in many different attacks. The most prominent of them targeted WordPress and Magento sites.
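The check from the description, as an added example (not part of the original signature or of any scanner's own code): it looks for the moc.nibetsap marker in raw source, looks again after decoding runs of hex escapes, and reports the split/reverse/join idiom separately. The function names and sample strings are constructed for illustration, and accepting hex runs without a backslash is an assumption made because the page prints its sample that way.

```javascript
// "pastebin.com" reversed, the marker named in the description.
const MARKER = "moc.nibetsap";

// .split("").reverse().join("") with either quote style and optional spaces.
const REVERSE_IDIOM =
  /\.split\(\s*(['"])\1\s*\)\s*\.reverse\(\s*\)\s*\.join\(\s*(['"])\2\s*\)/;

// Decode runs of 4+ hex escapes so a hex-encoded marker becomes visible.
// The backslash is optional (assumption: covers the form printed on the page).
function decodeHexRuns(text) {
  return text.replace(/(?:\\?x[0-9a-fA-F]{2}){4,}/g, (run) =>
    run.replace(/\\?x([0-9a-fA-F]{2})/g, (_, hex) =>
      String.fromCharCode(parseInt(hex, 16))));
}

// Case-insensitive count of marker occurrences.
function countMarker(text) {
  return text.toLowerCase().split(MARKER).length - 1;
}

// Scan one file's source text and report what was found, layer by layer.
function scanSource(source) {
  const plain = countMarker(source);
  const afterDecode = countMarker(decodeHexRuns(source));
  return {
    reversedMarker: plain,                 // marker visible as-is
    hexEncodedMarker: afterDecode - plain, // marker visible only after decoding
    reverseIdiom: REVERSE_IDIOM.test(source),
  };
}

// Constructed sample inputs (not taken from real infections).
const SAMPLES = {
  plain: 'var u = "/moc.nibetsap//:sptth".split("").reverse().join("");',
  hex: String.raw`var h = "\x6D\x6F\x63\x2E\x6E\x69\x62\x65\x74\x73\x61\x70";`,
  bareHex: "x6Dx6Fx63x2Ex6Ex69x62x65x74x73x61x70",
  benignReverse: "var t = 'abc'.split('').reverse().join('');",
  clean: 'console.log("pastebin.com");',
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(scanSource(src)));
}
```

The reverse idiom alone also appears in legitimate code, so treat it as a hint and the marker as the actual hit.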