PHP-Nuke, a popular web based portal and content management solution written in PHP has been criticized in the past for the slew of security vulnerabilities affecting its platform. Today, the main PHP-Nuke website has been, well, nuked. A malicious iframe has been injected into the main site (still active) and like the previous attack on the US Treasury Website, this campaign also uses the Eleonore exploit pack to distribute the malware.
Upon visiting the main PHP-Nuke website (still active), the iframe redirects through a series of exploit attempts, which include Adobe Collab overflow, getIcon, and doc.media.newPlayer vulnerabilities.
After the initial iframe redirection, the second iframe redirection starts and statistics servers (hosted in Russia) are accessed.
After the second stage is completed, the third stage starts and the exploitation attempts begin.
If the various exploit attempts are successful, the CI.A Trojan is executed on the victims computer.
Lately, we’ve noticed an uptick in usage of the Eleonore exploit kit and judging from the site variable in the URL (E.g. site=phpnuke.org), we’re guessing that this isn’t the only site they are targeting in this attack.
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
8 comments
This is at least the second time it happened to them in a few months. I alerted them at the beginning of this year for exactly the same problem.
PHP nuke is the most vulnerable CMS in the world, and this isn’t unbelievable….