HKCert

Mass Injection Attacks Targeting osCommerce Vulnerabilities

Release Date: 02 / 08 / 2011
Last Update: 12 / 08 / 2011
Criticality Level:  


Multiple vulnerabilities have been identified in the osCommerce application, which can be exploited by hackers to inject malicious content into vulnerable osCommerce websites.


A large-scale injection attack targeting osCommerce websites has been reported.  Injected <iframe> and <script> tags pointing to malicious URLs infect visitors' computers via various browser exploits.  This attack leverages several osCommerce vulnerabilities, including:

  • osCommerce Remote Edit Site Info Vulnerability [disclosed 10 July 2011]
  • osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability [disclosed 14 May 2011]
  • osCommerce Online Merchant v2.2 File Disclosure And Admin ByPass Vulnerability [disclosed 30 May 2010]
  • Remote Code Execution
  • osCommerce Online Merchant v2.x
  • osCommerce Online Merchant v3.x

For web administrators,

  • Detection
    1. Your servers may have been injected / infected if any of the following is found:
      • Search server logs for
        • access from IPs: 178.217.163.33, 178.217.165.111, 178.217.165.71, 178.217.163.214
        • access with the user-agent string:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)
      • Search your site for the existence of <iframe> or <script> tags with links pointing to
        • hxxp :// willysy . com / images / banners /
        • hxxp :// exero . eu / catalog / jquery . js
        • hxxp :// tiasissi . com . br / revendedores / jquery /
        • hxxp :// adorabletots . co . uk / tmp / js . php
        • This list may change as the attackers move their malware hosting.  Please inform us if you find other suspicious scripts.
  • Recovery
    1. Find and remove the infected backdoors
    2. Find and remove the injected iframes / scripts
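The detection steps above can be automated. The following is an added example (not part of the HKCERT advisory) that scans combined-format web server log lines for the listed attacker IPs and user-agent string, and scans page content for <iframe> or <script> tags whose src points at one of the listed malware hosts; the log lines and HTML are constructed samples.

```python
import re

# Indicators taken from the advisory: attacker IPs, user-agent string, malware hosts.
ATTACKER_IPS = {"178.217.163.33", "178.217.165.111", "178.217.165.71", "178.217.163.214"}
ATTACKER_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; "
               ".NET CLR 1.1.4322; Media Center PC 4.0)")
MALWARE_HOSTS = {"willysy.com", "exero.eu", "tiasissi.com.br", "adorabletots.co.uk"}

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d+ \S+ "[^"]*" "([^"]*)"')
# <iframe ...> or <script ...> carrying a src attribute, any attribute order, any case
TAG_RE = re.compile(r'<(iframe|script)\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

def suspicious_log_lines(lines):
    """Return log lines coming from a listed IP or carrying the listed user-agent."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, ua = m.group(1), m.group(2)
        if ip in ATTACKER_IPS or ua == ATTACKER_UA:
            hits.append(line)
    return hits

def injected_tags(html):
    """Return (tag, src) pairs for iframe/script tags whose host is a listed malware host."""
    found = []
    for tag, src in TAG_RE.findall(html):
        # strip scheme (or a protocol-relative //), then keep only the host part
        host = re.sub(r'^[a-z]+:', '', src, flags=re.I).lstrip('/').split('/')[0]
        host = host.split(':')[0].lower()
        if host in MALWARE_HOSTS:
            found.append((tag.lower(), src))
    return found

# Constructed sample data (not real traffic or a real site).
SAMPLE_LOG = [
    '178.217.163.33 - - [01/Aug/2011:10:00:01 +0800] "GET /admin/banner_manager.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Aug/2011:10:00:02 +0800] "GET /index.php HTTP/1.1" 200 2048 "-" "' + ATTACKER_UA + '"',
    '10.0.0.6 - - [01/Aug/2011:10:00:03 +0800] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux)"',
]
SAMPLE_HTML = """<html><body><h1>Shop</h1>
<script src="/catalog/includes/real.js"></script>
<iframe src="http://willysy.com/images/banners/" width="1" height="1"></iframe>
<script type='text/javascript' src='http://exero.eu/catalog/jquery.js'></script>
</body></html>"""

if __name__ == "__main__":
    print(suspicious_log_lines(SAMPLE_LOG))  # the two attacker-related lines
    print(injected_tags(SAMPLE_HTML))        # the willysy.com iframe and exero.eu script
```

Run the two functions over your real access logs and over every file under the web root (including PHP templates, not just .html files); a hit on the log check alone warrants looking for backdoors even if no injected tag is found.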


For end-users,

  • Keep security patches and security software up to date, turn on the personal firewall, and stay cautious.
  • Beware of security warnings from browsers or security software.  Do not visit unsolicited websites, or disable JavaScript in the browser.