PHP-Nuke Hacked with Injected iframe

PHP-Nuke, a popular web-based portal and content management solution written in PHP, has been criticized in the past for the slew of security vulnerabilities affecting its platform. Today, the main PHP-Nuke website has been, well, nuked. A malicious iframe has been injected into the main site (still active) and, like the previous attack on the US Treasury website, this campaign also uses the Eleonore exploit pack to distribute the malware.

Upon visiting the main PHP-Nuke website (still active), the iframe redirects through a series of exploit attempts, which include Adobe Collab overflow, getIcon, and doc.media.newPlayer vulnerabilities.

malicious iframe redirector - php-nuke

After the initial iframe redirection, the second iframe redirection starts and statistics servers (hosted in Russia) are accessed.

second stage iframe redirection/statistic collection

After the second stage is completed, the third stage starts and the exploitation attempts begin.

3rd stage - obfuscated code - exploitation attempts

If the various exploit attempts are successful, the CI.A Trojan is executed on the victim's computer.

Lately, we’ve noticed an uptick in usage of the Eleonore exploit kit, and judging from the site variable in the URL (e.g. site=phpnuke.org), we’re guessing that this isn’t the only site they are targeting in this attack.
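The site variable noted above gives defenders something to hunt for in web proxy logs: requests to a third-party host whose site= value names the page that referred them. The following is an added example, not code from the original post; the tab-separated log layout, the stats.example.net host, the URL paths and the client addresses are constructed placeholders.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: client_ip <TAB> requested_url <TAB> referer.
# stats.example.net and the other example.* hosts are placeholders.
SAMPLE_LOG = (
    "10.0.0.5\thttp://stats.example.net/s/?site=phpnuke.org\thttp://phpnuke.org/\n"
    "10.0.0.5\thttp://phpnuke.org/modules.php?name=News\thttp://phpnuke.org/\n"
    "10.0.0.9\thttp://stats.example.net/s/?site=portal.example.org\thttp://www.portal.example.org/index.php\n"
    "10.0.0.7\thttp://cdn.example.com/lib.js?site=docs\thttp://wiki.example.com/\n"
    "10.0.0.8\thttp://shop.example.com/search?site=shop.example.com\thttp://shop.example.com/\n"
    "truncated line without tabs\n"
)

def _norm(host):
    """Lower-case a hostname and drop a leading 'www.' so variants compare equal."""
    host = (host or "").strip().lower()
    return host[4:] if host.startswith("www.") else host

def find_site_tagged_requests(log_text):
    """Return {third_party_host: {"sites": [...], "clients": [...]}} for requests
    whose site= value names the referring site but whose host is a different one."""
    hits = defaultdict(lambda: {"sites": set(), "clients": set()})
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 3:
            continue  # malformed or truncated record
        client, url, referer = fields
        req_host = _norm(urlsplit(url).hostname)
        ref_host = _norm(urlsplit(referer).hostname)
        if not req_host or not ref_host or req_host == ref_host:
            continue  # first-party request, or nothing to compare
        for value in parse_qs(urlsplit(url).query).get("site", []):
            if _norm(value) == ref_host:
                hits[req_host]["sites"].add(ref_host)
                hits[req_host]["clients"].add(client)
    return {h: {k: sorted(v) for k, v in d.items()} for h, d in hits.items()}

if __name__ == "__main__":
    for host, info in find_site_tagged_requests(SAMPLE_LOG).items():
        print(host, "sites:", info["sites"], "clients:", info["clients"])
```

A third-party host that collects several distinct site= values is a lead on other sites carrying the same injected iframe, and the client list scopes which machines need checking.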

8 Responses

  1. Ernesto Martín
    May 08, 2010 - 10:26 AM

    This is at least the second time it happened to them in a few months. I alerted them at the beginning of this year for exactly the same problem.

  2. a Man
    May 16, 2010 - 03:42 PM

    PHP nuke is the most vulnerable CMS in the world, and this isn’t unbelievable….


COPYRIGHT 2014 PANDA SECURITY