Legit domain names hijacked for black hat search engine optimization

Jan 19, 2010 16:06 GMT  ·  By

Scareware distributors are hijacking vulnerable osCommerce websites in order to launch their black hat SEO (BHSEO) campaigns. The attacks leverage a publicly disclosed vulnerability and drop several rogue scripts on the compromised servers.

The vulnerability has been known since at least August 31, 2009, when a working exploit was publicly released on Milw0rm by a user calling himself Flyh4t. In a security advisory published by vulnerability management company Secunia, the flaw is described as "an error in the authentication mechanism [which] can be exploited to bypass authentication checks and gain access to the administrative interface in the '/admin' folder."

According to a report from Unmask Parasites, upon successful exploitation, several rogue PHP scripts are uploaded to the server. These are mm.php, sh1.php, betty.php and lname.php.

The betty.php script has the purpose of generating bogus URLs of the form http://compromised_domain.com/bety.php?q=keywords, which get indexed by search engines and poison search results for certain terms. The script also creates HTML landing pages and stores them in a ".cache" directory.

The lname.php script handles the redirection of visitors to the malicious sites that push fake antivirus programs. The scareware distributed through this campaign is fairly new and has a very low AV detection rate on VirusTotal.

Meanwhile, mm.php is used to upload files to the compromised server and sh1.php is a PHP Web shell. Finding any of these files on a Web server is a clear indication of infection. Unmask Parasites also points out that, "Google Webmaster Tools can help you detect this attack. Their 'search queries' report has also proven to reveal many other security problems, so it’s a good idea to use GWT at least once a week."
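The two indicators the article gives, the dropped file names (plus the ".cache" landing-page directory) and the poisoned `?q=keywords` URLs that search engines index, can both be checked from the server side. The following audit script is an added example, not code from the article or from Unmask Parasites; the document root it scans and the access-log lines it inspects are constructed here so that it runs offline, and the only indicators it relies on are the file names named above.

```shell
#!/bin/sh
# Added example (not from the article): audit an osCommerce document root for
# the rogue scripts named in the report (mm.php, sh1.php, betty.php, lname.php)
# and the ".cache" landing-page directory, then scan web-server access-log
# lines for requests that hit those scripts (the poisoned "?q=" URLs and the
# lname.php redirector). Sample paths and log lines are constructed.

# find_rogue_files DOCROOT
# Prints one path per line for every rogue script file or .cache directory
# found anywhere under DOCROOT. A clean tree prints nothing.
find_rogue_files() {
    docroot=$1
    find "$docroot" \
        \( -type f \( -name mm.php -o -name sh1.php -o -name betty.php -o -name lname.php \) \) \
        -o \( -type d -name .cache \) 2>/dev/null
}

# count_rogue_files DOCROOT
# Same scan, but prints only the number of indicators (0 means clean).
count_rogue_files() {
    find_rogue_files "$1" | grep -c .
}

# scan_access_log  (reads access-log lines on stdin)
# Prints the lines whose request targets one of the rogue scripts, in any
# subdirectory. The article's URL example spells the script "bety.php", so the
# pattern accepts both "bety" and "betty".
scan_access_log() {
    grep -E '"(GET|POST|HEAD) /([^" ]*/)?(mm|sh1|bett?y|lname)\.php'
}

# count_rogue_requests  (reads access-log lines on stdin)
# Prints how many requests matched; a non-zero count is worth investigating.
count_rogue_requests() {
    grep -cE '"(GET|POST|HEAD) /([^" ]*/)?(mm|sh1|bett?y|lname)\.php'
}

# make_sample_docroot
# Builds a throwaway document root containing a constructed infection
# (betty.php plus a .cache directory) so the checks can be exercised offline.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/catalog/.cache"
    : > "$d/catalog/index.php"
    : > "$d/catalog/betty.php"
    echo "$d"
}

# Constructed access-log lines (combined log format). Lines 2 and 3 show the
# two behaviours the article describes: a search-engine crawler fetching a
# poisoned keyword URL, and a visitor arriving from a search result and being
# redirected by lname.php.
SAMPLE_LOG='203.0.113.7 - - [19/Jan/2010:16:06:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.8 - - [19/Jan/2010:16:06:05 +0000] "GET /betty.php?q=cheap+antivirus+download HTTP/1.1" 200 2048 "-" "Googlebot/2.1"
203.0.113.9 - - [19/Jan/2010:16:06:09 +0000] "GET /lname.php HTTP/1.1" 302 0 "http://www.google.com/search?q=cheap+antivirus" "Mozilla/5.0"'

# Stand-alone demo on the constructed data.
SAMPLE=$(make_sample_docroot)
echo "== file indicators under $SAMPLE =="
find_rogue_files "$SAMPLE"
echo "== requests for rogue scripts in the constructed log =="
printf '%s\n' "$SAMPLE_LOG" | scan_access_log
rm -rf "$SAMPLE"
```

On a real server, point `find_rogue_files` at the web root and feed the actual access log to `scan_access_log`; a hit from either is the "clear indication of infection" the article describes, and the file listing also tells you where the landing-page cache was written. A weekly cron job running `count_rogue_files` complements the Google Webmaster Tools check mentioned above, since it catches the dropped files before the poisoned URLs are indexed.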

Please note that this vulnerability has not yet been patched and affects the latest stable version of osCommerce, 2.2 RC2a. However, this attack can be prevented by restricting access to the /admin directory, through .htaccess or a similar mechanism. Renaming this directory and removing the abused file-manager.php script can also enhance the security of your osCommerce website.
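The mitigation above (restrict /admin at the web server, take the file manager script out of reach) can be applied and then verified with a few shell functions. This is an added example, not osCommerce's own tooling or anything from the article; the allowed network, the temporary install it operates on, and the choice to move the file manager into a backup directory rather than delete it outright are assumptions made here. The directives are the Apache 2.2 form current for osCommerce 2.2 deployments; on Apache 2.4 the equivalent is `Require ip <network>`.

```shell
#!/bin/sh
# Added example (not from the article): restrict an osCommerce /admin directory
# to trusted source addresses via .htaccess, disable the abused file manager
# script, and audit whether that hardening is in place. Paths and the allowed
# network below are constructed for the example.

# write_admin_htaccess ADMIN_DIR ALLOWED
# Apache 2.2-era access control: deny everyone, then allow only ALLOWED
# (an address or CIDR network). Because the rule is enforced by the web server
# before any PHP runs, the authentication-bypass path is unreachable from
# elsewhere even while the application itself remains unpatched.
write_admin_htaccess() {
    admin_dir=$1
    allowed=$2
    cat > "$admin_dir/.htaccess" <<EOF
# Restrict the osCommerce admin interface to trusted source addresses.
Order Deny,Allow
Deny from all
Allow from $allowed
EOF
}

# disable_file_manager ADMIN_DIR BACKUP_DIR
# The article recommends removing the abused file manager script. Moving it
# out of the document root makes it equally unreachable and keeps a copy for
# restoration. Both spellings are handled: the article writes file-manager.php;
# osCommerce 2.2 itself ships the script as admin/file_manager.php.
# Prints the number of files moved.
disable_file_manager() {
    admin_dir=$1
    backup_dir=$2
    moved=0
    for f in file-manager.php file_manager.php; do
        if [ -f "$admin_dir/$f" ]; then
            mkdir -p "$backup_dir"
            mv "$admin_dir/$f" "$backup_dir/$f"
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# admin_is_restricted ADMIN_DIR
# Audit check: returns 0 only when an .htaccess denies by default and no file
# manager script remains; prints each finding so the result is reviewable.
admin_is_restricted() {
    admin_dir=$1
    ok=0
    if [ -f "$admin_dir/.htaccess" ] && grep -qi '^Deny from all' "$admin_dir/.htaccess"; then
        echo "admin .htaccess: deny-by-default rule present"
    else
        echo "admin .htaccess: deny-by-default rule MISSING"
        ok=1
    fi
    for f in file-manager.php file_manager.php; do
        if [ -f "$admin_dir/$f" ]; then
            echo "file manager script still reachable: $admin_dir/$f"
            ok=1
        fi
    done
    return $ok
}

# make_sample_install
# Builds a throwaway osCommerce-like tree with an exposed admin directory so
# the functions above can be exercised offline. Constructed, not a real install.
make_sample_install() {
    d=$(mktemp -d)
    mkdir -p "$d/admin"
    : > "$d/admin/index.php"
    : > "$d/admin/file-manager.php"
    echo "$d"
}

# Stand-alone demo: audit, harden, audit again.
SAMPLE=$(make_sample_install)
BACKUP="$SAMPLE-backup"
echo "== before =="
admin_is_restricted "$SAMPLE/admin" || echo "-> not hardened"
write_admin_htaccess "$SAMPLE/admin" "203.0.113.0/24"   # constructed admin network
echo "moved $(disable_file_manager "$SAMPLE/admin" "$BACKUP") file manager script(s) to $BACKUP"
echo "== after =="
admin_is_restricted "$SAMPLE/admin" && echo "-> hardened"
rm -rf "$SAMPLE" "$BACKUP"
```

Two caveats when applying this to a live site. The `.htaccess` approach only works if the server honours per-directory overrides for that path (`AllowOverride` must permit `Limit`), so run `admin_is_restricted` together with an actual request from an untrusted address to confirm the 403. And the article's other suggestion, renaming the /admin directory, is left out of the script because osCommerce stores the admin path in its configuration (admin/includes/configure.php), which has to be updated to match or the administration interface stops working.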