Softpedia
 


October 12th, 2010, 17:46 GMT · By

New Injection Attack Hits osCommerce Sites

New osCommerce sites compromised
Security researchers report that a new mass injection attack is targeting vulnerable osCommerce websites and hijacking them for black hat search engine optimization (BHSEO) purposes.

Black hat SEO is the practice of poisoning search results for particular keywords with links that redirect users to malicious websites.

This technique is usually used to distribute rogue antivirus (scareware) programs, and the attackers constantly monitor Google Trends for new keywords to target.

This latest mass injection attack transforms the affected osCommerce websites into rogue BHSEO redirectors.

According to Web integrity monitoring vendor Sucuri Security, whose scanners detected the compromises, the attackers are probably exploiting a well-known vulnerability in the file_manager.php file.

This old utility is not only vulnerable, but also broken and using it can result in corrupted files. Current osCommerce security best practices strongly recommend its removal.

A compromise resulting from this attack manifests itself in several ways. First of all, two PHP backdoors are added as /js/conf.php and /flops.php. They can be used to upload arbitrary files to the server.

Then, the includes/application_bottom.php file is filled with the keywords, which will cause that website to appear in search results for those terms.

Finally, the attackers edit the .htaccess file and add rules to redirect visitors coming from Google, Yahoo! or Ask to one of their malicious websites.

Kirm-ar.ru, kirmar.ru, classwoods.ru, enterteiment-wizrd.ru, class-woods.ru, relax-july.ru, ar-kirm.ru, enterteimentwizrd.ru, tecros.ru, tutaanti.ru, kirm-sky.ru, sky-ar.ru, devisionnetwork.ru and voice-nano.ru are some of the rogue domains used.

All of them are hosted on 91.204.48.37, which is part of AS24965 (SPOINT). According to Google's Safe Browsing service, this network hosted 230 sites that infected 3,634 others during the past 90 days.

However, this is just what Google's systems detected and the scope of the infection is probably larger. Kirm-sky.ru alone infected almost 700 domains.

"If you are an osCommerce user, make sure to update it asap and check to see if it’s been infected (also remove the file_manager.php from the admin directory)," David Dede, a researcher at Sucuri, advises.
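
The indicators described above can be checked on a server with a short script run against the shop's web root. This is an added example, not code from Sucuri or from the article: the function name `scan_shop` is hypothetical, and the shape of the injected mod_rewrite rules and the 4 KB size threshold for application_bottom.php are assumptions to tune against a known-clean copy.

```python
import re
import sys
from pathlib import Path

# Indicators taken from the article; paths are relative to the shop's web root.
BACKDOORS = ("js/conf.php", "flops.php")
# Assumption: the injected redirect uses mod_rewrite conditions on the referrer.
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
# Search engines named in the article (Google, Yahoo!, Ask).
ENGINE = re.compile(r"\b(google|yahoo|ask)\b", re.I)
# Assumption: a clean application_bottom.php is small; adjust to your baseline.
BOTTOM_MAX_BYTES = 4096


def scan_shop(root):
    """Return a list of (indicator, relative_path) findings for one web root."""
    root = Path(root)
    findings = []
    for rel in BACKDOORS:
        if (root / rel).is_file():
            findings.append(("backdoor", rel))
    # The admin directory is often renamed, so search the whole tree.
    for path in sorted(root.rglob("file_manager.php")):
        findings.append(("file_manager", path.relative_to(root).as_posix()))
    # Keyword stuffing inflates this normally small include file.
    bottom = root / "includes" / "application_bottom.php"
    if bottom.is_file() and bottom.stat().st_size > BOTTOM_MAX_BYTES:
        findings.append(("keyword_stuffing", "includes/application_bottom.php"))
    # Flag rewrite conditions keyed on a search-engine referrer.
    htaccess = root / ".htaccess"
    if htaccess.is_file():
        for line in htaccess.read_text(errors="replace").splitlines():
            m = REFERER_COND.match(line)
            if m and ENGINE.search(m.group(1)):
                findings.append(("referer_redirect", ".htaccess"))
                break
    return findings


if __name__ == "__main__":
    results = scan_shop(sys.argv[1] if len(sys.argv) > 1 else ".")
    for indicator, path in results:
        print(f"{indicator}\t{path}")
    sys.exit(1 if results else 0)
```

A non-zero exit status means at least one indicator was found; a clean result does not rule out other modifications, so compare the tree against a known-good copy as well.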
