The Security Step Every osCommerce Website Needs To Take Now

osCommerce has had a known security issue for some time, and we have seen websites that have been exploited through it for some time as well. We have recently seen a spike in websites being exploited. The security issue, which has been known about since at least July of 2009, allows a hacker to add files to the website by exploiting a vulnerability in a file located in the admin directory. Some of the files added to the websites are backdoor scripts that allow the hacker to make further modifications to the website. We have seen this vulnerability exploited by hackers to add malware, spam, and phishing pages to websites.

There is no fix for the issue, and it does not appear that the osCommerce developers are going to create one. While the best solution would be to move to software that addresses security issues, a workaround that will make it very hard for the vulnerability to be exploited is to rename and password protect the admin directory. Most hacking attempts will try to exploit the vulnerability at the default admin directory location and will not look for the admin directory at another location. By password protecting the directory, the hacker would have to guess the username and password for the directory before being able to exploit the vulnerability. After you have renamed the directory, you will also need to update the /includes/configure.php file located in the admin directory with the new admin directory name. You can read more about implementing this in a topic on the osCommerce forum. Another topic on the forum provides more information on securing osCommerce.
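As an added example of the workaround (not code from the original post or from the osCommerce project), this POSIX shell function renames the admin directory, adds an Apache .htaccess that requires a username and password, and rewrites the admin directory path in admin/includes/configure.php. It assumes the osCommerce 2.2 constants DIR_WS_ADMIN and DIR_FS_ADMIN in that file, Apache with AllowOverride enabled for the web root, and a password file created afterwards with Apache's htpasswd tool.

```shell
#!/bin/sh
# Added example, not code from the original post or from osCommerce: rename the
# admin directory, require a password for it via Apache .htaccess, and point the
# admin configure.php at the new name. Assumes the osCommerce 2.2 constants
# DIR_WS_ADMIN and DIR_FS_ADMIN in admin/includes/configure.php and Apache with
# AllowOverride enabled for the web root.
set -eu

# harden_oscommerce_admin WEBROOT NEWNAME HTPASSWD_FILE
#   WEBROOT        filesystem path of the osCommerce install
#   NEWNAME        new, hard-to-guess name for the admin directory
#   HTPASSWD_FILE  absolute path of the htpasswd file, kept outside WEBROOT
harden_oscommerce_admin() {
    webroot=$1; newname=$2; htpasswd_file=$3
    old="$webroot/admin"; new="$webroot/$newname"
    cfg="$new/includes/configure.php"

    # Refuse the default name and anything that could break the paths or sed below.
    case "$newname" in
        ''|admin|*[!A-Za-z0-9_-]*) echo "choose a different directory name" >&2; return 1;;
    esac
    [ -d "$old" ] || { echo "no admin directory at $old" >&2; return 1; }
    [ ! -e "$new" ] || { echo "$new already exists" >&2; return 1; }

    mv "$old" "$new"

    # Apache must see a valid username/password before any script here runs.
    cat > "$new/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile $htpasswd_file
Require valid-user
EOF

    # Rewrite the web path and filesystem path of the admin directory.
    sed -e "s#define('DIR_WS_ADMIN', '\([^']*\)/admin/');#define('DIR_WS_ADMIN', '\1/$newname/');#" \
        -e "s#define('DIR_FS_ADMIN', '\([^']*\)/admin/');#define('DIR_FS_ADMIN', '\1/$newname/');#" \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"

    # Fail loudly if configure.php did not contain the expected defines.
    grep -q "/$newname/" "$cfg"
    echo "admin moved to $new; now create the password file with: htpasswd -c $htpasswd_file <user>"
}
```

Pick the new directory name as carefully as a password, since it is what stops the automated attempts that only probe the default location.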

Google Continues To Index Pages From SEO Poisoning Campaign

Google continues to include in its search index pages from a major SEO poisoning campaign. SEO poisoning involves getting web pages listed in search engines that, when accessed, attempt to infect the visitor's computer with malware. Over a period of several months we have repeatedly reported a listing of pages used by this campaign, available at http://www.getalllinks.info/links/0.txt, to Google using their page for reporting a malware page. Google has continued to list these pages in its index, leading to an unknown but possibly large number of computers becoming infected with malware. These pages have also not been flagged as malicious by Google's Safe Browsing system during the period when they are most likely to infect users' computers.

Our recent experience has shown that publicly releasing the information gets Google to respond, while reports made through their reporting mechanisms get ignored. We recently posted about Google providing hosting for files used in attempted hackings; after we had reported the files using their mechanism multiple times without any action being taken, Google disabled the account the day after our posting.

Other companies have allowed this SEO poisoning campaign to continue, including The Planet, which provides hosting for a critical component of the campaign.

Google Sites Hosts Files Used In Attempted Hackings

Since June, Google has provided hosting for files used in attempted hackings of websites through an account with their Google Sites service. A listing of all the files hosted is available at http://sites.google.com/site/nurhayatisatu/system/app/pages/recentChanges?offset=25. Some of those files are used in remote file inclusion (RFI) attacks, which seek to exploit vulnerabilities in software that allow remotely hosted files to be executed. If the attacks are successful, modifications are made to the website that place spam or malware on it, or that allow the hacker remote access to the website. Attempted hackings utilizing these files have occurred at least as recently as three days ago. We have reported this to Google using the "Report Abuse" link multiple times, but the files have remained up.

OpenX Continues To Release Updates Without Details of Changes

OpenX has released version 2.8.7, which patches a vulnerability that could allow OpenX to be compromised. Previous vulnerabilities have led to numerous OpenX installations being hacked and infected with malware. No detail has been given on what the vulnerability was or what, if any, other changes were made in this release. The new version does include an updated version of the openXVideoAds plugin that patches a vulnerability in an earlier version. Without knowing what issue or issues were fixed, it is hard to determine the source of a hacking; if a hacked OpenX installation was running an out of date version, new vulnerabilities in OpenX that are being exploited could go undiagnosed in the future.

OpenX's lack of details about changes began with version 2.8.4, which was released in January of 2010. Beginning with that release, the only information on changes that have been made is a link to https://developer.openx.org. The information about releases in that section of the website is not complete. The listing for version 2.8.6 lists only one item that was fixed; it does not indicate that a fix for a "potentially serious SQL injection vulnerability" and a bug that caused advertisers to disappear were also patched in the update. The listing for 2.8.7 only lists 13 unresolved issues.

The Planet Hosts Critical Component of SEO Poisoning Campaign

The Planet, a large US hosting provider, provides hosting for two websites that are critical to a major SEO poisoning campaign. SEO poisoning involves getting web pages listed in search engines that, when accessed, attempt to infect the visitor's computer with malware. This particular campaign involves two sets of hacked websites and the websites hosted by The Planet. The first set of websites has been hacked to display the content of a file requested from either getalllinks.info or dvc44ftgr.com when a page from the hacked website is requested by a search engine. The files from getalllinks.info and dvc44ftgr.com, hosted by The Planet at the IP address 174.133.193.218, include links to pages on the second set of hacked websites. The content of those files can be seen at http://www.getalllinks.info/links/0.txt or http://www.dvc44ftgr.com/links/0.txt. Search engines crawl those pages on the second set of hacked websites, and they get included in search engine results. When people access the pages through search engines, they are redirected to a fake anti-virus scanner that attempts to infect their computers with malware. Without the two domains hosted by The Planet, the pages on the second set of websites would never be crawled and would never get included in the search results where they could be accessed by users.

We twice contacted The Planet about the issue, and in both cases they took no action. The first time they claimed the issue had already been resolved, and the second time they claimed they could not find anything. We did not receive the same response when we contacted another provider who had been providing service for one of the domains. EveryDNS, which had been providing DNS service for getalllinks.info, shut off the service a day after we contacted them. Two weeks later the domain became active again after it started using DNS service hosted on the same server at The Planet.

Go Daddy Admits to Not Knowing Source of Malware Infections

For several weeks Go Daddy has been blaming the bibzopl.com malware, which has been infecting some Go Daddy hosted websites since February, on users running either outdated versions of WordPress or outdated versions of software in general. Neither is true, as the malware has infected websites running up to date software and websites not running any web software, which we and others have been telling Go Daddy. In a topic in Go Daddy's Community Forums about the code that is causing websites' files to become infected, a Go Daddy employee using the username ScottG said they are "currently working on determining the source of the file". The employee also claimed that Go Daddy had been aware of the code. It was nearly two weeks ago that they claimed to have determined the source of the infections. No explanation was given for why they previously claimed that they had determined the source of the infections, or why they have not admitted that their previous information was wrong. The employee also said that they are having to get help from other hosting providers to secure their own systems.

Here is the Go Daddy employee's entire post:

This is information that we have been aware of and are currently working on determining the source of the file. This is not an issue that is localized to Go Daddy. Several other hosting companies are seeing this same attack and we are working with them to determine the source of the attacks and the best way to mitigate them.

Go Daddy Continues PR Campaign Instead of Fixing Security Issue

Early this morning a new variant of the bibzopl.com malware, which calls a JavaScript file from holasionweb.com, infected a large number of Go Daddy hosted websites. By this morning their PR department had already contacted us again, with continued misinformation about the issue. If they eventually decide to work on discovering and fixing the underlying security issue, instead of running a PR campaign that claims they are secure, the websites would stop getting reinfected.

Go Daddy continues to claim, when not claiming the issue is due to outdated WordPress installations, that this malware is due to "Individuals running outdated applications and software". As we have posted before, and as Go Daddy is well aware, the malware has infected websites running up to date software and websites not running any software.

If you are a Go Daddy customer who has been infected and is running updated software, we would be interested to know what response you have received from Go Daddy about this issue.

Go Daddy Again Blames Malware on Outdated WordPress Installations

In an interview Tuesday, Go Daddy's Chief Information Security Officer Todd Redfoot claimed that the bibzopl.com malware that has been infecting some Go Daddy hosted websites was due to users having outdated versions of WordPress installed in their accounts, which were exploited. Last Friday Go Daddy made the same claim, but by Monday they were claiming that the issue was with users running outdated software, not just WordPress. In our contact with them they stated that it was not WordPress specific. There was no explanation for the most recent change in the claimed source of the infections.

The malware has infected websites and accounts that did not contain WordPress installations, and websites and accounts that only had WordPress installations running the latest version. There is no reason they should be unaware of this: they claimed to have "scanned our 4M hosted sites to identify sites impacted", we have mentioned this information in our contact with them, their clients who do not have WordPress installations have been contacting them about the malware, and there are many comments on the Internet from their clients who do not have WordPress installations.

Mr. Redfoot also stated that Go Daddy first spotted the "attack" on May 1, but the malware infections actually began in February and began infecting a large number of websites in April.

Go Daddy's continued attempts to deflect the blame for issues within their own systems will not solve the problem. If they do not discover the actual underlying issue and fix it, websites could be reinfected with malware.

Clearing Up Misinformation About Go Daddy’s Malware Issue

Go Daddy has released another statement about the bibzopl.com malware that has been infecting some Go Daddy hosted websites. The most recent statement continues their misinformation about the issue, while claiming that they are a "target for speculation and misinformation".

The largest piece of misinformation is that the cause of the malware is outdated software, whether WordPress, as Go Daddy first blamed, or other software. The malware has infected websites running up to date software and websites not running any web software. As we have explained since February, the malware infects files with the .php extension. Many pieces of web software use .php files, possibly leading to Go Daddy's most recent inaccurate identification of the issue.

In their most recent statement Go Daddy claimed that "both the prevention and the cure are not under" their control, which is not true. The cause of the infection is an issue within Go Daddy's systems. They are the only ones who can discover and fix the issue.

There has also been misinformation that the malware has infected websites not hosted on Go Daddy. What seems to be causing confusion is that some people are unaware that there are many different hacks and pieces of malware out there, and they are not all related. The binglblats.com malware, which has been infecting Network Solutions hosted websites due to security issues they have, and which has been claimed to be the same, is unrelated. The vast majority of hacks and malware are due to passwords compromised by password stealing malware on computers, outdated software, SQL injections, and other issues that have nothing to do with hosting providers. This malware has only infected Go Daddy hosted websites.

Here is Go Daddy’s entire statement:

Go Daddy Cares! Here’s some info…

We do take our position as an Internet leader seriously, especially when it comes to security. This is why we are going the extra mile to get the word out. We appreciate your invitation to answer the question, ‘What is Go Daddy doing to help?’

As the world’s #1 Web host provider, Go Daddy is a logical target for speculation and misinformation. With this exploitation issue, both the prevention and the cure are not under our control — because the customer decides whether to update the software they run. (If you think about it, it’s like forgetting to lock your car and blaming the auto manufacturer when your car is stolen.) Our job is to help identify issues and inform our customers about how they can protect their sites.

This is why we are working to proactively communicate and educate Internet users about this situation.

Here are a few of the initiatives we have going right now.

As a service to our customers and all Internet users:

  • Go Daddy scanned our 4M hosted sites to identify sites impacted (we did this immediately upon learning about the issue last week, and again over the weekend).
  • Contacting Go Daddy customers impacted by phone and/or email to let them know how to protect their sites (in some cases, we’ve alerted them even before they realize they are impacted).
  • Go Daddy is also taking the leadership role with educational communication — posting Help Articles to our Community & Customer Service pages to provide “1,2,3 Info” on how to properly update software.

    We’ll update the Help Articles as needed and also be posting another Help Article with actual illustrations/screen shots to make the security update process easy for even the most remedial of Web users to follow.

Phil Stuart
Go Daddy Communications

Go Daddy Changes Statement After Websites Reinfected

On Friday, Go Daddy released a statement that claimed that after an "extensive investigation" they had determined that the bibzopl.com malware that has been infecting some Go Daddy hosted websites was due to users running an outdated version of WordPress that had been "set up in a particular way". In our post about the statement, we explained why this was inaccurate and warned that if the actual underlying issue was not discovered and fixed, websites could again be infected with malware. Early on Saturday the websites were reinfected; this time the malware calls a JavaScript file from kdjkfjskdfjlskdjf.com.

By this morning Go Daddy had amended their statement. They have removed the claim to have performed an "extensive investigation" into the issue. They have also removed the claim that the malware is WordPress specific, simply blaming the infections on the use of "outdated software". This claim is inaccurate, as the malware has infected websites running up to date software and websites not running software. As we have explained since February, the malware infects files with the .php extension. Many pieces of web software use .php files, possibly leading to Go Daddy's most recent inaccurate identification of the issue. Again, if the actual underlying issue is not discovered and fixed, websites could be reinfected with malware.

Here is Go Daddy's entire amended statement:

If you are experiencing difficulties with your site, you may be using outdated software and unknowingly hosting malware.

For easy-to-understand information on how to remove the malware and update your software, please click on our Help Article.

If you use Hosting Connection, automatically update WordPress to version 2.9.2 using the simple 3-step update offered when you log-in.

And, while we’re on the topic of Web security and Best Practices – be sure all your online passwords are unique, secure and in a safe place.