willysy.com infection of osCommerce sites

UPDATE August 6, 2011: The number of websites infected with this had risen to over 5 million. The prevention of this type of attack is really quite simple – and something we’ve been applying to clients’ websites for some time.

Currently 100,000+ osCommerce (and variations of osCommerce) pages have been infected with an iframe that points to: willysy(dot)com.

Our research finds these iframes in the title tags and at various img tag locations throughout the webpages which led us to look in the database.

willysy.com iframe injected near title tags

We see the code in the title tags at the top of the page, inserted as the description of the store logo, following “images/store_logo.png”, “images/logo.gif” and other similar logo links, and also in the copyright section of many web pages.

Our suggestion is to export the entire database, download it to your local computer and search for any strings with “iframe” (no quotes) in them. A few of these iframe strings have been obfuscated, so also look for the string: document.write.
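One way to run that search against an exported dump, as an added example that is not part of the original post: it flags every line containing an iframe tag or a document.write call, records which table the INSERT belongs to, and pulls the iframe’s source domain so it can be compared with the domains this post names. The dump lines below are constructed for the example and only loosely follow the osCommerce schema.

```python
import re

# Domains the post names as used in this campaign.
KNOWN_DOMAINS = {"willysy.com", "exero.eu", "yandekapi.com"}

# An <iframe ...> tag, and the document.write marker the obfuscated variants use.
IFRAME_RE = re.compile(r"<\s*iframe\b[^>]*>", re.IGNORECASE)
DOCWRITE_RE = re.compile(r"document\.write\s*\(", re.IGNORECASE)
# Host part of an iframe src attribute (scheme optional).
SRC_RE = re.compile(r"""src\s*=\s*["']?\s*(?:https?:)?//([^/"'\s>]+)""", re.IGNORECASE)
# Table name of a mysqldump-style INSERT statement.
TABLE_RE = re.compile(r"INSERT\s+INTO\s+`?(\w+)`?", re.IGNORECASE)


def scan_dump(lines):
    """Return one finding per hit: (line_no, table, kind, domain)."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        table_match = TABLE_RE.search(line)
        table = table_match.group(1) if table_match else None
        for tag in IFRAME_RE.finditer(line):
            src = SRC_RE.search(tag.group(0))
            domain = src.group(1).lower() if src else None
            findings.append((line_no, table, "iframe", domain))
        if DOCWRITE_RE.search(line):
            # Obfuscated injections hide the "<iframe" text, so this is a separate check.
            findings.append((line_no, table, "document.write", None))
    return findings


def matches_known_campaign(findings):
    """Findings whose iframe points at a domain named in the post."""
    return [f for f in findings if f[3] in KNOWN_DOMAINS]


# Constructed sample dump lines: the store logo description and the copyright text,
# the two places the post says the injected code was found.
SAMPLE_DUMP = [
    "INSERT INTO `configuration` VALUES (1,'Store Logo','STORE_LOGO','images/store_logo.png<iframe src=\"http://willysy.com/x\" width=0 height=0></iframe>',1);",
    "INSERT INTO `configuration` VALUES (2,'Store Name','STORE_NAME','My Shop',1);",
    "INSERT INTO `languages` VALUES (1,'English','en','icon.gif','english',1);",
    "INSERT INTO `configuration` VALUES (3,'Copyright','FOOTER_TEXT','Copyright 2011 <script>document.write(unescape(\"%3C...\"))</script>',1);",
]

if __name__ == "__main__":
    for finding in scan_dump(SAMPLE_DUMP):
        print(finding)
```

Run it over the real dump with `scan_dump(open("dump.sql", encoding="utf-8", errors="replace"))`; a document.write hit without an iframe hit is exactly the obfuscated case the post warns about.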

Other domains used in this attack are:

  • exero.eu
  • yandekapi.com

It’s certain that more will follow.

Our research indicates that most of these websites are osCommerce or osCommerce-related websites. 89% of the websites we investigated had left the admin folder unchanged, which means they had not followed the recommendation to rename the admin folder. Since this is a simple process, I would tend to believe that they have not followed other security recommendations either and left their websites open to attack.

You may see entries in your log files like this:

XXX.XXX.XXX.XXX - - [08/Jul/2011:02:19:54 -0500] "GET /admin/configuration.php/login.php HTTP/1.1" 200 24492 "http://(domain removed)/admin/configuration.php/login.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

The key here is the “200” following the HTTP/1.1 string. This means the above GET request was successful.

This will be followed by:

"GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1" 200 24835 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

and…

"POST /admin/configuration.php/login.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
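The same three-step pattern can be pulled out of an Apache combined-format access log automatically. This is an added example, not code from the original post: it parses each line, keeps only requests whose path contains configuration.php/login.php, and reports clients that both had such a request served with a 200 and then posted an action=save edit that returned 302. The log lines are constructed (192.0.2.0/24 is the documentation address range) to match the shape of the excerpts above.

```python
import re
from collections import defaultdict

# Apache combined log: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# The path-info form of the admin URL described in the post.
PATHINFO_RE = re.compile(r"/configuration\.php/login\.php", re.IGNORECASE)


def parse_line(line):
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_admin_bypass(lines):
    """Return {ip: [(kind, path), ...]} for clients whose configuration.php/login.php
    request was served (GET 200) and who then saved a configuration edit (POST action=save 302)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or not PATHINFO_RE.search(rec["path"]):
            continue
        if rec["method"] == "GET" and rec["status"] == "200":
            events[rec["ip"]].append(("served", rec["path"]))
        elif rec["method"] == "POST" and "action=save" in rec["path"] and rec["status"] == "302":
            events[rec["ip"]].append(("saved", rec["path"]))
    # A 302 on the GET (last sample line) means the admin login held; only 200 + save is reported.
    return {ip: ev for ip, ev in events.items()
            if any(k == "served" for k, _ in ev) and any(k == "saved" for k, _ in ev)}


# Constructed sample log lines modelled on the excerpts in the post.
UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
SAMPLE_LOG = [
    f'192.0.2.10 - - [08/Jul/2011:02:19:54 -0500] "GET /admin/configuration.php/login.php HTTP/1.1" 200 24492 "-" "{UA}"',
    f'192.0.2.10 - - [08/Jul/2011:02:19:55 -0500] "GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1" 200 24835 "-" "{UA}"',
    f'192.0.2.10 - - [08/Jul/2011:02:19:57 -0500] "POST /admin/configuration.php/login.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "-" "{UA}"',
    f'192.0.2.20 - - [08/Jul/2011:02:20:10 -0500] "GET /admin/login.php HTTP/1.1" 200 5120 "-" "{UA}"',
    f'192.0.2.30 - - [08/Jul/2011:02:21:00 -0500] "GET /admin/configuration.php/login.php HTTP/1.1" 302 - "-" "{UA}"',
]

if __name__ == "__main__":
    for ip, ev in find_admin_bypass(SAMPLE_LOG).items():
        print(ip, ev)
```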

To prevent this, you should:

  1. Rename the admin folder to something that does not include the word ‘admin’
  2. Depending on what version of osCommerce you’re running, you should modify the code in application_top.php (2 files) to eliminate the $PHP_SELF
  3. You should disable define_language.php and file_manager.php
  4. Use various methods to block requests that have configuration.php/login.php in the URL

You may also find additional users in your administrators table. Hackers have been adding these as well. Many of them will have their own email address as well so that a request to reset a password will go to them.

Various .php backdoors and some Perl shell scripts might be added to your website as well. The hackers have been using a variety of these in order to maintain control of the website.

First, make a backup of your database. Then, after all of these database entries have been found and removed, change your database password, since the attackers obviously know the current one, and re-import the cleaned database.

All of this needs to be cleaned up.

If you need help in cleaning this up, please send an email to support@wewatchyourwebsite.com or call me directly at (847)833-5666

com_avreloaded needs to be updated

Joomla plugin security alert!

According to the author of the Joomla plugin AllVideos Reloaded:

Security Alert
Attention!
A serious SQL injection vulnerability was just found in AllVideos Reloaded! A zero-day exploit already exists in the wild, which uses this vulnerability in order to steal your user-database!

All users of version 1.2.6 and below, update to version 1.2.7 immediately!

For those who want to keep their database of customized players/tags/rippers, use the package named com_avreloaded-1.2.7_SECUPDATE-WITHOUT-DB.zip and simply install it over the existing version using Joomla’s extension installer. All other users: Use the regular (full) installer package.

Please check your sites and if you’re using this plugin, please update immediately.

Have any other plugins you’re concerned with?

Post here with what they are and we’ll check them out for you.

WordPress plugin wp-phpmyadmin should be removed

If anyone reading this blog has wp-phpmyadmin installed on their site you should remove it immediately.

For the past 2 months we’ve been seeing more and more websites with this plugin being infected.

There is usually a file added, upgrade.php, that is not part of the legitimate plugin files and contains malicious code.

This plugin is no longer on the WordPress plugin repository as it has not been updated since 2007.

While a plugin like this might seem more convenient for database work than using your hosting provider’s control panel, it’s also more convenient for hackers.

We did a Google search on this and found that the majority of websites with this plugin also don’t have any prevention for viewing the directory it is installed in.

This means that a hacker can click on “Parent Directory” and see all the plugins installed. While this isn’t a huge vulnerability, it’s so easy to prevent with either a .htaccess file or an empty index.html file.

The less information a hacker knows about your website the better off you are.

What about you? Do you have this installed on your website? Are there other plugins you worry about? Leave a comment here and we’ll investigate it.

Need your website cleaned, protected and monitored? Send us an email: support@wewatchyourwebsite.com