^Ron^ Posted July 30, 2011 Share Posted July 30, 2011 July 28, 2011 12:03 PM ET About 100,000 Web pages for e-commerce sites based on the open source OS Commerce software have been compromised with malware through a mass iFrame injection attack, according to security firm Armorize. The ongoing mass-injection attacks appear to be carried out from Ukraine against the e-commerce sites. The sites that are successfully attacked are compromised with malware which is then used to try and attack visitors to these e-commerce sites, said Wayne Huang, chief technology officer at Armorize. While attacks across the Web are not uncommon, Huang says this one is notable because it's a mass-injection type of attack that's reminiscent of attacks that were carried out about three years ago in high frequency but are not as common today. The attackers "may be leveraging a known vulnerability" in the open-source software, Huang says, adding that attackers tend to lurk and watch for any information that's shared publicly about newly found vulnerabilities in software. He notes that OS Commerce open source is a popular foundation for an e-commerce site which is then given a different "look and feel" through various templates that are typically sold. He notes that some of the customization this brings may be hard to upgrade because it is sometimes "hardcoded." According to its website, the OS Commerce open source group counts 249,500 store owners as using its Online Merchant software, which is available for free under the GNU General Public License. There was no immediate response to questions emailed to OS Commerce. Source: Networkworld Link to comment Share on other sites More sharing options...
♥toyicebear Posted July 30, 2011 Share Posted July 30, 2011 Which again just shows the importance of eighter upgrading the osCommerce version used to the latest or to take steps to secure the version used. Basics for osC 2.2 Design - Basics for Design V2.3+ - Seo & Sef Url's - Meta Tags for Your osC Shop - Steps to prevent Fraud... - MS3 and Team News... - SEO, Meta Tags, SEF Urls and osCommerce - Commercial Support Inquiries - OSC 2.3+ How To To see what more i can do for you check out my profile [click here] Link to comment Share on other sites More sharing options...
Guest Posted July 30, 2011 Share Posted July 30, 2011 If those numbers are accurate there should be a flood of store owners coming in looking for virus removal services. So far, it's been pretty quiet here. Chris Link to comment Share on other sites More sharing options...
Taipo Posted July 30, 2011 Share Posted July 30, 2011 To put 100,000 in perspective, I have done a few cleanups myself of others websites that have been infected where every single php, js and html file had an iframe of some form in them. These sites had on average, 5000 files affected in each of them, so on those stats alone, 98000 pages becomes 20 websites...yeah, a big whoopdishite! The point is that its not uncommon for unpatched websites to become targets of mass distribution iframe hacks. Wordpress, Joomla, phpBB, XMB and many others have all suffered the same issues. The ongoing nature of the attacks can be attributed to two things. Users not patching their sites with the latest code or bug fixes, and web hosts continuing to distribute unpatched versions of applications via their automatic install processes in the control panels they give out to their clients. - Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)- Another discussion about infected files ::here::- A discussion on file permissions ::here::- Site hacked? Should you upgrade or not, some thoughts ::here::- Fix the admin login bypass exploit here- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX Link to comment Share on other sites More sharing options...
Jan Zonjee Posted July 30, 2011 Share Posted July 30, 2011 This blog has some more information although the attack path is not mentioned. I have seen a suggestion they go through admin/configuration.php Of course renaming your admin directory and especially adding .htaccess protection would have most likely protected these stores from getting attacked. Link to comment Share on other sites More sharing options...
Taipo Posted July 30, 2011 Share Posted July 30, 2011 The method of inserting the iframe is no different than any of the other types of attacks that have been levelled at the older versions of osCommerce. They are exploiting the admin bypass vulnerability to upload files into vulnerable directories, those files are then used to either append the iframe code in plain form or obsfuscated to script writable files within the site directories, or in some cases appending code to htaccess files using the php_value auto_append_file to auto append iframe code to every file in the website. The attack is more affective on sites whose servers run their script as having ownership permissions where PHP is allowed to write to any file with permissions higher than 444, but is also affective on the standard configuration where PHP has group permissions and can write to files with write permissions like language files etc. This attack cannot be carried out on a correctly patched osCommerce system or on version 2.3.1 - Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)- Another discussion about infected files ::here::- A discussion on file permissions ::here::- Site hacked? Should you upgrade or not, some thoughts ::here::- Fix the admin login bypass exploit here- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX Link to comment Share on other sites More sharing options...
sucuri Posted August 2, 2011 Share Posted August 2, 2011 Just a note that they updated the domains being used in the attack, now using 1see.ir/j/. Most of the times, by just renaming the admin directory and doing some basic hardening you can avoid these attacks. We posted a small update about it here: http://sucuri.net/malware/malware-entry-mwjs1241 (that's how it is detected by our scanner, which anyone can use to check their sites - http://sitecheck.sucuri.net). thanks, Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.