PHP-Nuke, a popular web-based portal and content management solution written in PHP, has been criticized in the past for the slew of security vulnerabilities affecting its platform.  Today, the main PHP-Nuke website has been, well, nuked.  A malicious iframe has been injected into the main site (still active) and, like the previous attack on the US Treasury website, this campaign also uses the Eleonore exploit pack to distribute the malware.

Upon visiting the main PHP-Nuke website (still active), the iframe redirects through a series of exploit attempts, which include the Adobe Collab overflow, getIcon, and doc.media.newPlayer vulnerabilities.

malicious iframe redirector - php-nuke

After the initial iframe redirection, the second iframe redirection starts and statistics servers (hosted in Russia) are accessed.

second stage iframe redirection/statistic collection

After the second stage is completed, the third stage starts and the exploitation attempts begin.

3rd stage - obfuscated code - exploitation attempts

If any of the exploit attempts succeeds, the CI.A Trojan is executed on the victim's computer.

Lately, we've noticed an uptick in usage of the Eleonore exploit kit, and judging from the site variable in the URL (e.g. site=phpnuke.org), we're guessing that this isn't the only site they are targeting in this attack.
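The compromise described above starts with an iframe injected into an otherwise legitimate page, and the redirect chain carries a `site=` parameter that identifies the compromised host. Site owners can catch this kind of injection by scanning their own pages for iframes that point off-site, are sized to a pixel or hidden by CSS, or carry such a tracking parameter. The following scanner is an added example written for this post; it is not code from the original article or from the PHP-Nuke project. The sample HTML, the `stats.example.invalid` host and the `in.php` path are constructed for the demonstration; only the `site=phpnuke.org` parameter is taken from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # HTMLParser lower-cases attribute names; values may be None.
            self.iframes.append({name: (value or "") for name, value in attrs})


def _px(value):
    """Parse a width/height attribute such as '1' or '1px' into an int (None if absent)."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


def find_suspicious_iframes(html, site_host):
    """Return a list of {src, reasons} for iframes that look injected rather than legitimate.

    site_host is the hostname of the page being scanned; any iframe whose src
    points to a different host is flagged, as are hidden or 1x1 frames and
    frames whose URL carries a 'site=' tracking parameter.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for frame in collector.iframes:
        reasons = []
        src = frame.get("src", "")
        parsed = urlparse(src)
        host = parsed.hostname or ""

        # Off-site frame: the src host is neither the site nor one of its subdomains.
        if host and host != site_host and not host.endswith("." + site_host):
            reasons.append("off-site src: " + host)

        # Injected frames are commonly sized to 0 or 1 pixel so the user sees nothing.
        width, height = _px(frame.get("width")), _px(frame.get("height"))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("zero/one-pixel dimensions")

        # Or hidden outright via inline CSS.
        style = frame.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")

        # The redirect URLs in this campaign name the compromised host in a site= parameter.
        query = parse_qs(parsed.query)
        if "site" in query:
            reasons.append("tracking parameter site=" + query["site"][0])

        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate same-site frame and one injected frame.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="http://phpnuke.org/modules/news.html" width="600" height="400"></iframe>
<iframe src="http://stats.example.invalid/in.php?site=phpnuke.org"
        width="1" height="1" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "phpnuke.org"):
        print(finding["src"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run it periodically against the rendered output of your own pages (not just the templates on disk, since the injection may live in a database-backed block or in a compromised included file) and alert on any new finding; the legitimate same-site frame in the sample produces nothing, while the injected one trips all four checks.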