The Tech Herald

osCommerce-based mass injection now 3.79 million pages strong

by Steve Ragan - Aug 1 2011, 13:45

A mass injection attack, targeting insecure and under patched installations of osCommerce, has impacted more than 3 million pages on the Internet. The latest figures come from security vendor Armorize, who has been following the situation since it started.

According to Armorize, as of July 31, there are more than 3.4 million pages infected with an embedded Iframe pointed to willysy.com. An additional 386,000 pages are infected with an Iframe pointed to exero.eu. All of the infected pages have one thing in common, osCommerce.

If you use a webhost that offers cPanel, osCommerce is one of the many scripts that can be installed with the click of a button. However, while the ecommerce software is popular for small business owners, unless it is maintained, itís often exploited by drive-by attackers. Sadly, many installations of osCommerce are left abandoned, often due to problems with design or configurations, assuming the domain owner simply didnít just lose interest. When this happens, all of those domains are easy pickings to an attacker or their scripts.

There are three vulnerabilities being leveraged in the attacks on osCommerce-driven sites, one disclosed on July 10, another last May, and the final one in May 2010. Once a vulnerability is exploited, malicious Iframes are injected into the siteís code, and in some cases the attackers will upload shell scripts to the domain. The shell scripts allow attackers greater access to the site and the server it is hosted on.

Previously, while researching BlackHat SEO scripts, The Tech Herald discovered several sites with osCommerce installations rooted by similar shell scripts. Itís a common tactic and can be automated in many cases.

Once the site has been compromised, the Iframes themselves will direct visitors to another domain, which pulls data from a third domain, containing yet another Iframe that redirects the victim to a fifth site.

Once the fifth site is loaded, it attempts to leverage one of five browser vulnerabilities in order to infect the system with Malware. The process takes seconds to complete.

Armorize says that scanning logs for the IPs 178.217.163.33, 178.217.165.111, 178.217.165.71, and/or 178.217.163.214 will be the first sign of detecting an infection on a given domain or server.

After that, the infected pages will need to be scrubbed of the injected code. In some cases, especially if the osCommerce installation is not needed or new, it is better to delete everything and start over. However, once cleaned, the osCommerce installation should be checked for updates and properly hardened. Also, it is often a better bet to manually install the software, and avoid one-click installations.

In formation on hardening osCommerce is here. The Armorize report on the attacks can be viewed here.


 

Around the Web

Comment on this Story

comments powered by Disqus

From Autosaur.com

Chevrolet shows off the 2015 Colorado with digital experience

Chevrolet has launched a new website to show buyers all the bells and whistles available on ...

Mazda to debut CX-3 and MX-5 at Los Angeles Auto Show

Mazda has announced plans to premiere the new Mazda CX 3, its new compact crossover SUV, at ...

Ford issues safety recall for 204,448 Ford Edge and Lincoln MKX

Ford has issued a safety recall for 204,448 of the 2007-2008 Ford Edge and Lincoln MKX in No...

Mopar Previews SEMA Custom Rides

We have added a set of pictures released by Mopar ahead of the SEMA Show. Mopar are bri...

Audi R8 Competition ‚Äď The Most Powerful Production Audi Ever

Audi has revealed details of their new super-fast Audi R8 Competititon ‚ÄĒ the most powerful a...