Security researchers warn that multiple osCommerce websites have been compromised during the last few days. The rogue code injected into their pages attempts to infect visitors with malware served from an external domain.
The compromises have been detected by Sucuri Security, a company selling Website integrity monitoring solutions. An investigation into the incidents is ongoing, but it has been determined that all have been injected with a rogue <script> element loading code from an http://nt02. co.in/ 3 address [intentionally malformed].
So far most of the affected websites also had clandestine files uploaded in their /images folder. These files are called inclasses.php, loadclasses.php or phpclasses.php. "If you are an osCommerce user, please make sure to update your installation (and check your sites) as soon as possible," Sucuri researcher David Dede, advises.
The company is still trying to determine how the attackers succeeded in compromising the websites, but an osCommerce Remote File Injection (RFI) vulnerability disclosed about a month ago, might be responsible. The bug is in "file_manager.php" and according to a SecurityFocus advisory, is the result of failure to properly sanitize user input.
osCommerce is notorious for extremely long wait times between releases. The latest stable version is 2.2 RC2a and has been released more than two and a half years ago, on January 30, 2008. However, there are a few measures webmasters can take to protect their websites.
Third-party addons can be installed to prevent injection or cross-site scripting attacks, monitor all files for unauthorized changes or manage IP block lists. The permission for all files should never be set higher than 644 and the vulnerable "file_manager.php" file should be deleted.
"It has long been known the filemanger is a security risk & should, nay MUST be removed, if used for editing your site it is likely to damage your files, so is a bad utility to keep anyway [...]. Its also been known its a possible hacking route & to make matters worse there now exists a very nasty hack that uses filemanger to gain access to your site ( dbase included!! )," a forum post detailing osCommerce security tips, reads.
You can follow the editor on Twitter @lconstantin