Injected Malware Targets osCommerce Vulnerabilities
The folks at Armorize recently posted in their blog about a large-scale injection attack they estimate affects more than 90,000 websites. They discovered that attackers infect sites by injecting iframes — HTML tags that display other pages, or in this case malicious scripts.
It seems attackers are targeting osCommerce® sites, so we did some digging to learn more. Attackers are using known vulnerabilities in osCommerce 2.2 to update configuration settings and inject malware. Here’s an example:
188.8.131.52 - - [27/Jul/2011:08:51:48 -0700] "POST site.com/store/admin/configuration.php/login.php?cID=1&action=save HTTP/1.1" 302 5 "http://site.com/store/admin/configuration.php?cID=1&action=edit" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
Notice the User-Agent string? It's crafted by the attacker, not sent by a real browser.
We found the IP 184.108.40.206 in the process of attacking sites on Go Daddy systems, so we know some of the attacks come from Eastern Europe.
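To check your own access logs for requests shaped like the entry above (an admin script with /login.php appended to its path), here is an added example that is not Go Daddy's or Armorize's code. It assumes Apache combined-format logs; the sample lines, their IPs and the /store/admin/ path are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format, as in the entry quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# An admin script with "/login.php" appended as trailing path info.
SUSPECT_PATH = re.compile(r'/admin/(?P<script>[\w.-]+\.php)/login\.php$', re.I)

# Constructed sample lines (documentation IPs, assumed install path).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Jul/2011:08:51:48 -0700] "POST /store/admin/configuration.php/login.php?cID=1&action=save HTTP/1.1" 302 5 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '192.0.2.10 - - [27/Jul/2011:09:02:11 -0700] "GET /store/admin/login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [27/Jul/2011:09:03:40 -0700] "POST /store/admin/configuration.php?cID=1&action=save HTTP/1.1" 302 5 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Jul/2011:08:51:40 -0700] "GET /store/admin/configuration.php/login.php?cID=1&action=edit HTTP/1.1" 200 4096 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
]

def find_suspect_requests(lines):
    """Return one dict per request whose path matches SUSPECT_PATH."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        path, _, query = m.group("target").partition("?")
        p = SUSPECT_PATH.search(unquote(path))  # normalise percent-encoding
        if p:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "script": p.group("script"),
                "status": int(m.group("status")),
                # POST with action=save is the configuration write seen above
                "write": m.group("method") == "POST" and "action=save" in query,
                "agent": m.group("agent"),
            })
    return hits

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

Any hit marked as a write is a reason to review the store's configuration values and database for injected iframes, in addition to upgrading.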
What is Go Daddy doing about this? We’ve cleaned databases infected with this malware, and we’re blocking attempts to exploit the vulnerability in osCommerce sites.
What should you do? Make sure you have v2.3.1 or v3.0.1 installed. If you used Hosting Connections to install, read Upgrading to a New Version of a Hosting Quick-Install Application to learn how to upgrade. If you installed osCommerce on your own, download updates from the osCommerce website: http://www.oscommerce.com/