Busy week for osCommerce in terms of malware. First, the div_colors string, then, the CreateCSS string, and now, we are seeing thousands of osCommerce sites infected with a malware pointing to http://khcol.com. This is how it looks like in an infected site:
We recommend that every osCommerce user check their sites and to take the proper steps to secure them (especially if using v2.2). The file_manager.php file needs to be removed, and the admin directory renamed and protected. We also recommend our malware scanner to verify if a site is infected. If it is, we can take care of it for you.
Update 1: Google already blacklisted more than 1 thousand sites because of this malware. We have identified a lot more already, so this number should grow very soon.
Update 2: Other domains being used in this attack: solomon-xl.cz.cc, thescannerantiv.com, searchableantiv.com, www1.checker-network-hard.cz.cc and many others.
We will post more details as we track this malware.