c4412d2ffc4bf832.info Zen Cart Spam Hack

August 9, 2010

The c4412d2ffc4bf832.info Zen Cart spam hack adds spam links to web pages of Zen Cart-based websites when a search engine's crawler requests the page. When the page is served to a web browser, the links are not included; this is referred to as cloaking. There are a number of ways to view those cloaked spam links.

These links are added to the web pages by an obfuscated PHP script located at the bottom of the application_bottom.php file, in the includes directory of the Zen Cart installation. The PHP script is added to the file through a vulnerability in Zen Cart installations that are not up to date with security patches. The PHP script attempts to request a file from c4412d2ffc4bf832.info, dbe93fa37d468233.info, 0158f6a8e1af3aea.info, 2d54f960825693c4.info, 06721ee8cf8f6ce1.info, 2088d58723338a2f.info, af946e7ce9f0975d.info, and 78551c70995a457e.info. Currently only the first three domain names have been registered, and only c4412d2ffc4bf832.info is currently active. We got the hosting provider for dbe93fa37d468233.info to shut off service for the website, and 0158f6a8e1af3aea.info was hosted by a company that was shut down by the US government.

Example PHP Script Placed on application_bottom.php

Unobfuscated PHP Script