osCommerce 2.2 Websites Targeted by Mass Injection Attack, 143,000 Pages Hit
A mass injection attack reported three days ago by web application security provider Armorize targets websites running the open source eCommerce platform osCommerce 2.2 that have not upgraded to the most recent version or implemented security measures. While the report three days ago found 90,000 infected pages, a Google search today reported 143,000 pages containing the injected code.
The vicious attack is known as a "drive-by download" because no user interaction is required and there is no warning that the site has become infected. The attack exploits known vulnerabilities in Java, Adobe Reader, Internet Explorer and Windows XP.
osCommerce 2.2 store owners must immediately upgrade to osCommerce 2.3.1 and take some additional security steps. Some of these steps are technical and will likely require a technical pro to complete them for you. I've arranged them here in order from easiest to most difficult but they are all critical.
1 Start with a free site scan from a site like http://sitecheck.sucuri.net/scanner/ - be sure it is a reputable site and not a hacker posing as a good guy.
Next, in your osCommerce Admin:
2 Change your Admin password to a long, random password or pass phrase: a string of words and numbers that only you can remember.
3 Change your Admin username from "admin" to something not easily guessable. Or create a completely new Admin account and delete the original Admin.
These next few items can be done in your web host's Control Panel or cPanel; get a book on cPanel or ask your web host for help:
4 Back up your database and site files immediately if you have not already done so.
5 Check your site for proper file permissions: no higher than 644 for most files, 755 for folders, and the lowest possible for configuration files (644, 444 or 400).
6 Remove File Manager from your osCommerce Admin (not the cPanel File Manager).
7 Remove Define Language from your osCommerce Admin.
8 Set up an automatic scheduled backup with cron for daily and weekly backups. Ask your web host for help.
9 Add .htaccess protection. Ask your web host for help.
Ask your web host or technical pro to do these next items for you, and there are at least nominal fees involved:
10 Install SSL secure encryption on your website Administration and checkout.
11 Change the name of your Admin folder from "admin" so it is not easily guessable, and edit your two configuration files with the new name.
12 There are also a number of osCommerce Contributions you should consider for security -
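Steps 4 through 9 above can be scripted rather than clicked through in cPanel. The following POSIX sh script is an added example, not code from this article or from the osCommerce project: it backs up the site, removes the admin File Manager and Define Language tools, puts HTTP basic authentication on the admin directory via .htaccess, applies the 644/755/444 permissions from step 5, audits for anything still world-writable, and prints crontab lines for the daily and weekly backups of step 8. It assumes the stock osCommerce 2.2 layout (catalog/includes/configure.php, catalog/admin/includes/configure.php, admin/file_manager.php, admin/define_language.php), an Apache host that honours .htaccess, and a database name you substitute for the YOUR_DB_NAME placeholder. The demo at the end runs everything against a constructed throwaway tree so nothing here touches a live store.

```shell
#!/bin/sh
# Added example (not from the article or the osCommerce project). Paths assume the stock
# osCommerce 2.2 layout; adjust them for your host. Always run backup_site before anything else.
set -e

# Step 4: archive the site files (and the database, if mysqldump is available and a real
# database name was given) into a dated tarball. YOUR_DB_NAME is a placeholder.
backup_site() {
    site_dir="$1"; out_dir="$2"; db_name="${3:-YOUR_DB_NAME}"
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$out_dir"
    if command -v mysqldump >/dev/null 2>&1 && [ "$db_name" != "YOUR_DB_NAME" ]; then
        mysqldump "$db_name" > "$out_dir/db-$stamp.sql"   # credentials from ~/.my.cnf
    fi
    tar -czf "$out_dir/site-$stamp.tar.gz" -C "$(dirname "$site_dir")" "$(basename "$site_dir")"
    echo "$out_dir/site-$stamp.tar.gz"
}

# Steps 6 and 7: delete the admin File Manager and Define Language scripts (assumed file names).
remove_admin_tools() {
    rm -f "$1/admin/file_manager.php" "$1/admin/define_language.php"
}

# Step 9: basic-auth .htaccess for the admin directory. The password file lives outside the
# web root; create it with: htpasswd -c /path/to/.htpasswd youradminuser
protect_admin() {
    site_dir="$1"; auth_file="$2"
    cat > "$site_dir/admin/.htaccess" <<EOF
AuthType Basic
AuthName "osCommerce Admin"
AuthUserFile $auth_file
Require valid-user
EOF
}

# Step 5: directories 755, files 644, the two configuration files read-only (444).
fix_permissions() {
    site_dir="$1"
    find "$site_dir" -type d -exec chmod 755 {} +
    find "$site_dir" -type f -exec chmod 644 {} +
    for cfg in "$site_dir/includes/configure.php" "$site_dir/admin/includes/configure.php"; do
        if [ -f "$cfg" ]; then chmod 444 "$cfg"; fi
    done
}

# Audit for step 5: print anything still world-writable; succeed only if nothing is.
find_world_writable() {
    hits=$(find "$1" -perm -002)
    [ -n "$hits" ] && printf '%s\n' "$hits"
    [ -z "$hits" ]
}

# Step 8: crontab lines for a daily (03:00) and weekly (Sunday 04:00) tarball. Printed, not
# installed. To append them: (crontab -l 2>/dev/null; cron_lines SITE BACKUPS) | crontab -
cron_lines() {
    parent=$(dirname "$1"); name=$(basename "$1")
    printf '%s\n' "0 3 * * * tar -czf $2/daily-\$(date +\\%u).tar.gz -C $parent $name"
    printf '%s\n' "0 4 * * 0 tar -czf $2/weekly-\$(date +\\%U).tar.gz -C $parent $name"
}

# Demo on a constructed stand-in tree; prints the temp directory it worked in.
demo() {
    work=$(mktemp -d)
    site="$work/catalog"
    mkdir -p "$site/includes" "$site/admin/includes" "$site/images"
    echo '<?php // constructed stand-in' > "$site/includes/configure.php"
    echo '<?php // constructed stand-in' > "$site/admin/includes/configure.php"
    : > "$site/admin/file_manager.php"
    : > "$site/admin/define_language.php"
    : > "$site/images/logo.gif"
    chmod 777 "$site/images" "$site/images/logo.gif"   # the sloppy permissions step 5 removes

    backup_site "$site" "$work/backups" >/dev/null
    remove_admin_tools "$site"
    protect_admin "$site" "$work/.htpasswd"
    fix_permissions "$site"
    find_world_writable "$site"   # prints nothing and succeeds once the tree is fixed
    echo "$work"
}
```

Run the demo with `demo` to see the flow end to end, then point the individual functions at your real catalog directory. Keep the backup directory and the .htpasswd file outside the document root, and remember that the cron lines only archive files; add a mysqldump line alongside them if your host does not already back up the database.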
Although the update path provided by the osCommerce core development team covers upgrading from v2.2 RC2a to v2.3.1 it does not cover any of the contributions that may have been added to the installation. Having said that, updates usually leave 'patched' websites unstable.
Suggesting that RC2a store owners update to v2.3.1 is not necessarily the best course of action. Cleaning infected websites and securing them is less costly and more effective for most. The following links will provide detailed instructions and proper osCommerce support to those that wish to secure their websites themselves.
osCommerce Community Forum Supporter
Kerry Watson says:
Thanks for pointing out the importance of checking contributions, Chris, that is indeed critical! They can easily be an entry point for viruses and they are not upgraded with the base program.
I can't possibly recommend that store owners use outdated software with known security holes, and it's complex enough that a technical pro should do it for store owners. If they are skilled "do-it-yourselfers" and want to try, DIY'ers must use industry best practices to upgrade. That means setting up a copy of the online store, upgrading and testing the copy, then going live only after they are certain that the base program is stable and all contributions are working properly. ALWAYS START BY MAKING A BACKUP AND NEVER UPGRADE A LIVE STORE.