SiteCheck Signatures

  1. Home
  2. Docs
  3. SiteCheck Signatures
  4. malware.reversed_pastebin


Suspicious code that uses the .split("").reverse().join("") trick to obfuscate injection of scripts that load malicious content from

The scripts may be identified by the moc.nibetsap substring which is reversed Sometimes there may be additional layers of obfuscations that make detection of such reversed scripts less obvious. For example, this hex-encoded string x6Dx6Fx63​x2Ex6Ex69x62​x65x74x73x61x70 is just another representation of moc.nibetsap

For more information read out blog posts about reversed pastebin scripts.

Affecting: Any web site. We see this tricked used in many different attacks. Most prominent of them targeted WordPress and Magento sites.