Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Update on Htaccess Redirects of osCommerce Sites

   19 Nov 10   Filed in Short Attack Reviews

This is just a short update on the .htaccess redirect attack that I wrote about last month.

I can still see many sites (mainly osCommerce-powered) that redirect search traffic to malicious sites. However, the pattern of the redirect URLs has changed.

Previously, the pattern was: example.ru/dir/index.php

Currently, I see the following patterns: example.ru/in.cgi?N and example.tk/in.cgi?N, where example is a random second-level domain in the .ru or .tk zone and N is a random number.

Here are some examples of the redirect URLs:


All the .ru domains point to the same IP, 91. 204 .48 .37 (S.point, Ukraine), while the .tk domains have 3 A records:

wensdayprice .tk. 300 IN A 94.103.151.195 #Netherlands Dot Tk
wensdayprice .tk. 300 IN A 209.172.59.196 #Netherlands Taloha Inc
wensdayprice .tk. 300 IN A 217.119.57.22 #Netherlands Bv Dot Tk

The rest of the details about the attack can be found in my previous article; they are still valid. Just note that the more I watch this attack, the more I think it really has to do with osCommerce vulnerabilities. So make sure to update it to the latest stable version and properly harden it.
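As an added example (not code from the original post), here is a small Python checker for the situation described above and in the comments: it looks for RewriteRule targets of the example.ru/in.cgi?N shape, notes whether a search-engine HTTP_REFERER condition guards them (the redirect only hits search traffic), and checks .htaccess files from the document root upwards through the parent directories. The sample .htaccess is constructed to illustrate the described behaviour, not a copy of a real injected file, and the exact directives used in the attack may differ.

```python
import re
from pathlib import Path
# Target shape described in the post: random .ru/.tk domain, /in.cgi, optional ?N
IN_CGI_TARGET = re.compile(r"https?://[a-z0-9.-]+\.(?:ru|tk)/in\.cgi(?:\?\d*)?", re.I)
REFERER_COND = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
SEARCH_ENGINES = re.compile(r"google|yahoo|bing|msn|aol", re.I)
REWRITE_RULE = re.compile(r"RewriteRule\s+\S+\s+(\S+)(?:\s*\[([^\]]*)\])?", re.I)

def find_in_cgi_redirects(htaccess_text):
    """Rules redirecting to an in.cgi URL, noting if a search-engine referrer check guards them."""
    findings, search_guarded = [], False
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cond = REFERER_COND.match(line)
        if cond:
            search_guarded |= bool(SEARCH_ENGINES.search(cond.group(1)))
            continue
        if line.lower().startswith("rewritecond"):
            continue  # other conditions keep the current chain open
        rule = REWRITE_RULE.match(line)
        if rule and IN_CGI_TARGET.search(rule.group(1)):
            findings.append({"line": lineno, "target": rule.group(1),
                             "search_referer_guarded": search_guarded})
        search_guarded = False  # any other directive closes the chain
    return findings

def scan_upwards(docroot):
    """Check .htaccess in docroot and every parent (comments report it sitting above the root)."""
    root, hits = Path(docroot).resolve(), {}
    for directory in (root, *root.parents):
        ht = directory / ".htaccess"
        if ht.is_file():
            found = find_in_cgi_redirects(ht.read_text(errors="replace"))
            if found:
                hits[str(ht)] = found
    return hits

# Constructed sample modelled on the behaviour the post describes; not a real file.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule ^(.*)$ http://example.tk/in.cgi?4 [R=301,L]
# legitimate referrer-based rule that must not be flagged
RewriteCond %{HTTP_REFERER} .*google.* [NC]
RewriteRule ^old\\.html$ /new.html [R=301,L]
"""
```

Running `scan_upwards("/path/to/docroot")` reports every .htaccess on the way up to `/` that contains such a redirect, so a file one level above the site root is not missed.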


Reader's Comments (7)

  1.

    [...] Note that attacks against oscommerce are getting more common: http://blog.sucuri.net/?s=oscommerce, also here: http://blog.unmaskparasites.com/2010/11/19/update-on-htaccess-redirects-of-oscommerce-sites/ [...]

  2.

    I have this issue too. osCommerce, I think, is located in momminusdad .com/store. I found the .htaccess file in the root directory and cleared it, but it still redirects the traffic. Am I missing something?

    •

      Probably there is one more .htaccess with the conditional redirect one level above the root.

  3.

    Thanks again for your help. Please do make an update if you get any intelligence from other Go Daddy clients who have deleted their entire site’s folder and yet still have the issue above the root (beyond individual site owner’s delete/edit/access permissions).

  4.

    Hi,

    Can you tell me how I would fix the htaccess file that has been altered when it is above the root?

    I have re-uploaded my site with a known clean config, but still get a redirect when accessing my site via Google/Yahoo etc.

    So it leaves me to think it is the above problem.

    Thanks for the site and help!

  5.

    Thank you!

    I didn’t even realise there were files above the root.

    That has worked!