Daily cyber threats and internet security news: network security, online safety and latest security alerts
January 21st, 2010

Vulnerable osCommerce Websites Exploited To Distribute Scareware Through Blackhat Search Engine Optimization

Scareware distributors are hijacking vulnerable osCommerce websites in order to launch their blackhat SEO campaigns. The attacks leverage a publicly disclosed vulnerability and drop several rogue scripts on the compromised servers.

The vulnerability is known since at least August 31, 2009, when a working exploit was publicly released on Milw0rm. In a security advisory, published by vulnerability management company Secunia, the flaw is described as “an error in the authentication mechanism [which] can be exploited to bypass authentication checks and gain access to the administrative interface in the ‘/admin’ folder.”

According to a report from Unmask Parasites, upon successful exploitation, several rogue PHP scripts will be uploaded on the servers. These are mm.php, sh1.php, betty.php and lname.php.

The betty.php script has the purpose of generating bogus URLs of the form, which get indexed by search engines and poison search results for certain terms. The script also creates HTML landing pages and stores them in a “.cache” directory.

The lname.php script handles the redirection of visitors to the malicious sites that push fake antivirus programs. The scareware distributed through this campaign is fairly new and has a very low AV detection rate on VirusTotal.

Meanwhile, mm.php is used to upload files to the compromised server and sh1.php is a PHP Web shell. Finding any of these files on a Web server is a clear indication of infection. Unmask Parasites also points out that, “Google Webmaster Tools can help you detect this attack. Their ‘search queries’ report has also proven to reveal many other security problems, so it’s a good idea to use GWT at least once a week.”

The vulnerability has not yet been patched and affects the latest stable version of osCommerce, 2.2 RC2a. However, this attack can be prevented by restricting access to the /admin directory, through .htaccess or some other way. Renaming this directory and removing the abused file-manager.php script can also enhance the security of your osCommerce website.

Credit: News

Share this item with others:

More on CyberInsecure:
  • TweetMeme Hit By Malvertisement, Users Redirected To Fake Antivirus Pages
  • osCommerce Compromised Sites Distribute ZeuS Spin-off Trojan, Millions Of Pages Infected
  • Japanese Earthquake And Tsunami Searches Infect Users With Malware
  • Scareware Affiliates Manipulate Search Engines Resuts By Using Black-hat SEO Techniques
  • Google Doodle Poisoned By Rogue Anti-virus Scareware

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Vulnerable osCommerce Websites Exploited To Distribute Scareware Through Blackhat Search Engine Optimization

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.