By

willysy.com infection of osCommerce sites

UPDATE August 6, 2011: The number of websites infected with this had risen to over 5 million. The prevention of this type of attack is really quite simple – and something we’ve been applying to clients websites for some time.

Currently 100,000+ osCommerce (and variations of osCommerce) pages have been infected with an iframe that points to: willysy(dot)com.

Our research finds these iframes in the title tags and at various img tag locations throughout the webpages which led us to look in the database.

willysy.com iframe injected near title tags

We see the code in the title tags at the top of the page, inserted as the description of the store logo, following the “images/store_logo.png” or “images/logo.gif” and other similar logo links. and also in the copyright section in many web pages:

Our suggestion is to export the entire database, download it to your local computer and search for any strings with “iframe” (no quotes) in them. A few of these iframe strings have been obfuscated, so also look for the string: document.write.

Other domains used in this attack are:

  • exero.eu
  • yandekapi.com

It’s certain that more will follow.

Our research indicates that most of these websites are osCommerce or an osCommerce related website. In 89% of the websites we investigated, they have left the admin folder unchanged, which means they have not followed the recommendation of renaming the admin folder. Since this is a simple process, I would tend to believe that they have not followed other security recommendations and left their websites open to an attack.

You may see entries in your log files like this:

XXX.XXX.XXX.XXX – – [08/Jul/2011:02:19:54 -0500] “GET /admin/configuration.php/login.php HTTP/1.1” 200 24492 “http://(domain removed)/admin/configuration.php/login.php” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)”

The key here is the “200” following the HTTP/1.1 string. This means the above GET request was successful.

This will be followed by:

GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1″ 200 24835 “-” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)”

and…

“POST /admin/configuration.php/login.php?gID=1&cID=1&action=save HTTP/1.1” 302 – “-” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)”

To prevent this, you should:

  1. Rename the admin folder to something that does not include the word ‘admin’
  2. Depending on what version of osCommerce you’re running, you should modify the code in application_top.php (2 files) to eliminate the $PHP_SELF
  3. You should disable define_language.php and file_manager.php
  4. Use various methods to prevent the configuration.php/login.php in the URL

You may also find additional users in your administrators table. Hackers have been adding these as well. Many of them will have their own email address as well so that a request to reset a password will go to them.

Various .php backdoors and some Perl shell scripts might be added to your website as well. The hackers have been using a variety of these in order to maintain control of the website.

First, make a backup of your database. Then after all these database entries have been found and removed, you’ll have to change the password to your database as they obviously know what it is and then import your database.

All of this needs to be cleaned up.

If you need help in cleaning this up, please send an email to support@wewatchyourwebsite.com or call me directly at (847)833-5666

By

osCommerce v2.2 Website Infections

During the past 10 days we started seeing a number of websites using osCommerce v2.2 being infected.

The infection usually included some randomly named folder with a list of files in them. Some of the folder names we’ve seen include:

  • catalog
  • feeds
  • image
  • scripts
  • items
  • rss
  • inventory
  • visual

The names are common, but are randomly selected by the hacker infecting the website.

Inside the folder are various files, some .html some .php – all no good.

There is usually at least one file that starts with:

set_time_limit(9999999);

This file actually looks for files with one malscript already injected and replaces it with a newer malscript.

For instance, some of them look for:

hxxp://nt002.cn/E/J.JS

and replace it with:

hxxp://nt02.co.in/3

It appears to place these malscripts immediately after the closing body tag.

Frequently we’ve also found various backdoors (shell script) files.

These backdoors look for any .conf files (configuration files) especially from:

  • httpd.conf
  • vhosts.conf
  • proftpd.conf
  • psybnc.conf
  • my.conf
  • all .conf files
  • all. .pwd files
  • all .sql files
  • all .htpasswd files

Armed with this information, the attacker now has complete control over the website.

How to prevent this?

We’ve found a number of exploits available. One of them is a file disclosure vulnerability which means that the attacker can view files on the website.

One of the URLs follows this scheme:

hxxp>//[site]/[path]/admin/file_manager.php/login.php?action=download&filename=/include/configure.php

This particular URL would show the attacker the configure.php file. There is no patch, that we know of yet, that prevents this attack. The best advice we’ve seen is to rename the admin folder something obscure so the hackers can’t just scan your site with this URL and find the file_manager.php file.

Other exploits we’ve seen use the same basic URL but the action variable is set as follows:

admin/file_manager.php/login.php?action=save

Then a URL to a remote site that stores a backdoor shell script. This backdoor then gets saved to the website. All a hacker has to do is to access the URL:

hxxp://[site]/osCSS/[name of shell script backdoor].php

and they have remote access to the site.

Again, if the admin folder is renamed to something obscure, this attack won’t work. This type of protection is aptly named, “security by obscurity” because all you’re doing is hiding the folder from the attacker, but until an official patch is released, this seems to be the best advice.

If you’ve been attacked by this and have some further information, please post a comment or email me at: traef@wewatchyourwebsite.com

If you need help in cleaning this up and checking for all backdoors on your site, please contact me directly at: traef@wewatchyourwebsite.com