osCommerce v2.2 Website Infections

During the past 10 days we started seeing a number of websites using osCommerce v2.2 being infected.

The infection usually included some randomly named folder with a list of files in them. Some of the folder names we’ve seen include:

  • catalog
  • feeds
  • image
  • scripts
  • items
  • rss
  • inventory
  • visual

The names are common, but are randomly selected by the hacker infecting the website.

Inside the folder are various files, some .html some .php – all no good.

There is usually at least one file that starts with:

set_time_limit(9999999);

This file actually looks for files with one malscript already injected and replaces it with a newer malscript.

For instance, some of them look for:

hxxp://nt002.cn/E/J.JS

and replace it with:

hxxp://nt02.co.in/3

It appears to place these malscripts immediately after the closing body tag.

Frequently we’ve also found various backdoors (shell script) files.

These backdoors look for any .conf files (configuration files) especially from:

  • httpd.conf
  • vhosts.conf
  • proftpd.conf
  • psybnc.conf
  • my.conf
  • all .conf files
  • all. .pwd files
  • all .sql files
  • all .htpasswd files

Armed with this information, the attacker now has complete control over the website.

How to prevent this?

We’ve found a number of exploits available. One of them is a file disclosure vulnerability which means that the attacker can view files on the website.

One of the URLs follows this scheme:

hxxp>//[site]/[path]/admin/file_manager.php/login.php?action=download&filename=/include/configure.php

This particular URL would show the attacker the configure.php file. There is no patch, that we know of yet, that prevents this attack. The best advice we’ve seen is to rename the admin folder something obscure so the hackers can’t just scan your site with this URL and find the file_manager.php file.

Other exploits we’ve seen use the same basic URL but the action variable is set as follows:

admin/file_manager.php/login.php?action=save

Then a URL to a remote site that stores a backdoor shell script. This backdoor then gets saved to the website. All a hacker has to do is to access the URL:

hxxp://[site]/osCSS/[name of shell script backdoor].php

and they have remote access to the site.

Again, if the admin folder is renamed to something obscure, this attack won’t work. This type of protection is aptly named, “security by obscurity” because all you’re doing is hiding the folder from the attacker, but until an official patch is released, this seems to be the best advice.

If you’ve been attacked by this and have some further information, please post a comment or email me at: traef@wewatchyourwebsite.com

If you need help in cleaning this up and checking for all backdoors on your site, please contact me directly at: traef@wewatchyourwebsite.com