Description: Code used to insert a malicious javascript on sites
using OsCommerce. Loads malware from:
http://khcol.com/page/?ref=aHR0cDovL2FtZXJpY2F....bWluLw==
nt02.co.in
nt002.cn
nt02.co.in
nt04.in
nt06.in
nt07.in
http://webarh.com/r.php
http://77.78.245.63/index.php
http://kirm-sky.ru
http://nt04.in
More details: http://blog.sucuri.net/2010/10/oscommerce-attacks-kirm-sky-ru.html
Most of the sites affected also had a few PHP files inserted inside the
/images folder, generally called inclasses.php or phpclasses.php.
Malware dump: