osCommerce has had known security issue for some time and we have seen websites that have been have exploited for some time as well. We have recently seen a spike in websites being exploited. The security issue, which has been known about since at least July of 2009, allows a hacker to add files to the website by exploiting a vulnerability in a file located in the admin directory. Some of the files added to the websites are backdoor scripts that allow the hacker to make modifications to the website. We have seen this vulnerability exploited by hackers to add malware, spam, and phishing pages to websites.
There is not fix for the issues and it does not appear that there the osCommerce developers are going to create one. While the best solution would be to move to software that addresses security issues, a workaround that will make it very hard for them to be exploited is to rename and password protect the admin directory. Most hacking attempts will attempt to exploit the vulnerability at the default admin directory location and will not look for the admin directory at another location. By password protecting the directory, the hacker would have to guess the username and password for the directory before being able to exploit the vulnerability. You will also need to update the /includes/configure.php file located in admin directory with the new admin directory name, after you have renamed the directory. You can read more about implementing this in a topic on the osCommerce forum. Another topic on the forum provides more information on securing osCommerce.