spandating.com Malware

Updated: October 8, 2010

The spandating.com malware places malicious JavaScript into the web pages and JavaScript files of osCommerce-based websites. The injected JavaScript accesses malware located on spandating.com, alterparadigma.net, chilauter.ru, comboss.ru, carombolkas.ru, fendor.ru, or lispticks.ru. The domain registrar has suspended spandating.com, so it is not currently infectious. We have contacted the hosting provider for alterparadigma.net, chilauter.ru, and comboss.ru to get them shut down.

The malicious JavaScript is added to the website's pages through a backdoor script that has been added to the website. The backdoor script is added to the website through a vulnerability in osCommerce. There is no fix for the issue; a workaround that will make it very hard to exploit is explained on the osCommerce Support Forum.

To clean the website, either revert it to a clean backup or remove the malicious code from the web pages and JavaScript files. The backdoor script(s) also need to be removed to ensure the website is not reinfected. There are two types of backdoor script that have been added to websites, and both may be located on the website. So far we have found the backdoor scripts located in the directory that osCommerce is installed in. The first type of backdoor script, which is significantly smaller, has a file name similar to goog1e3ebaa3179d98a0.php. The second type of backdoor script has a file name similar to google51ff92b39ffebb4e.php.
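The cleanup check described above can be scripted. The following is an added example, not code from this advisory: it walks an osCommerce install directory, flags PHP files whose names resemble the two backdoor file names, and lists web files that mention any of the domains named here. The file-name pattern and the set of scanned extensions are assumptions generalized from the two sample names.

```python
import re
import sys
from pathlib import Path

# Domains named in this advisory.
DOMAINS = ("spandating.com", "alterparadigma.net", "chilauter.ru", "comboss.ru",
           "carombolkas.ru", "fendor.ru", "lispticks.ru")
# Assumed pattern generalizing the two sample backdoor names in the advisory.
BACKDOOR_NAME = re.compile(r"^goog(?:le|1e)?[0-9a-f]{10,20}\.php$", re.I)
DOMAIN_REF = re.compile("|".join(re.escape(d) for d in DOMAINS), re.I)
# Assumed set of file types worth searching for injected script.
SCANNED_SUFFIXES = {".php", ".js", ".html", ".htm"}


def scan(root):
    """Return (suspect backdoor paths, {path: sorted domains referenced})."""
    backdoors, references = [], {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if BACKDOOR_NAME.match(path.name):
            backdoors.append(path)
        if path.suffix.lower() in SCANNED_SUFFIXES:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = sorted({m.lower() for m in DOMAIN_REF.findall(text)})
            if hits:
                references[path] = hits
    return backdoors, references


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    found_backdoors, found_refs = scan(root)
    for p in found_backdoors:
        print(f"suspect backdoor name: {p}")
    for p, doms in found_refs.items():
        print(f"references {', '.join(doms)}: {p}")
    # Non-zero exit when anything was flagged, for use in cron or CI checks.
    sys.exit(1 if found_backdoors or found_refs else 0)
```

A plain-text match will not catch obfuscated references to these domains, so a clean result does not replace comparing the site against a known-good backup.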

Recent Script Format On Web Pages:

First Type of Backdoor Script

Second Type of Backdoor Script

