phpnuke.org compromised...
FYI...
phpnuke .org ...compromised
- http://community.websense.com/blogs...0/05/07/phpnuke-org-has-been-compromised.aspx
7 May 2010 07:25 AM - "... PHP-Nuke is a popular Web content management system (CMS), based on PHP and a database such as MySQL, PostgreSQL, Sybase, or Adabas. Earlier versions were open source and free software protected by GNU Public License, but since then it has become commercial software. As it is still very popular in the Internet community, it is not surprising that it has become a target of blackhat attacks... The injected iframe hijacks the browser to a malicious site, where through several steps of iframe redirections the user finally ends up on a highly obfuscated malicious page... After de-obfuscating the code, we can see three different exploits, two of them targeting Internet Explorer and the third one targeting Adobe Reader. The first exploit targets a vulnerability in MDAC (CVE-2006-0003), described in Microsoft Security Bulletin MS06-014. If it succeeds, a malicious application is downloaded and stored in "%temp%\updates.exe". After this the downloaded trojan is executed, at which point it installs itself on the computer and attempts to access several Web sites... The second exploit uses a Java vulnerability to spawn shellcode, which then initiates the download action... The third exploit is a PDF exploit -- this actually merges three exploits targeting Adobe Reader. First the JavaScript in the HTML page checks if Adobe Reader is exploitable by checking its version number. The version should be between 7 and 7.1.4, 8 and 8.1.7, or 9 and 9.4. When a vulnerable version is found, the exploit downloads the malicious PDF file and as it is loaded by Adobe Reader, the malicious ActionScript in the file is executed automatically. The PDF itself contains an obfuscated ActionScript that utilizes one of the three different PDF exploits it hides. These are CVE-2009-4324, CVE-2007-5659, and CVE-2009-0927. If it succeeds, the download and installation of updates.exe happens in a similar manner to that described earlier. The downloaded executable is detected by 12% of antivirus products, according to VirusTotal*.
WARNING: At the time of writing the front page of phpnuke .org still contains the malicious iframe, so we advise users to stay away from the site until it has been fixed..."
* http://www.virustotal.com/analisis/...df26c1565026dc71712b9a391953fb9d24-1273013683
File 1e99dab3abd728300f055a047626d1211 received on 2010.05.04 22:54:43 (UTC)
Result: 5/41 (12.20%)
- http://pandalabs.pandasecurity.com/php-nuke-hacked-with-injected-iframe/
5/7/10
- http://www.theregister.co.uk/2010/05/11/phpnuke_infection_purged/
11 May 2010 - "The official website for content management system PHP-Nuke was purged of a nasty infection on Tuesday that for four days attempted to install malware on visitors' machines. The website, which used an out-of-date version of PHP, was compromised as long ago as Friday, according to reports from Websense and Panda Labs. The infection redirected anyone visiting the PHP-Nuke front page to a series of attack sites and wasn't cleaned up until Tuesday, Sophos said*..."
* http://www.sophos.com/blogs/sophoslabs/?p=9585
May 11th, 2010 - "... While writing this post the site has been cleaned up."
FYI...
phpnuke .org ...compromised
- http://community.websense.com/blogs...0/05/07/phpnuke-org-has-been-compromised.aspx
7 May 2010 07:25 AM - "... PHP-Nuke is a popular Web content management system (CMS), based on PHP and a database such as MySQL, PostgreSQL, Sybase, or Adabas. Earlier versions were open source and free software protected by GNU Public License, but since then it has become commercial software. As it is still very popular in the Internet community, it is not surprising that it has become a target of blackhat attacks... The injected iframe hijacks the browser to a malicious site, where through several steps of iframe redirections the user finally ends up on a highly obfuscated malicious page... After de-obfuscating the code, we can see three different exploits, two of them targeting Internet Explorer and the third one targeting Adobe Reader. The first exploit targets a vulnerability in MDAC (CVE-2006-0003), described in Microsoft Security Bulletin MS06-014. If it succeeds, a malicious application is downloaded and stored in "%temp%\updates.exe". After this the downloaded trojan is executed, at which point it installs itself on the computer and attempts to access several Web sites... The second exploit uses a Java vulnerability to spawn shellcode, which then initiates the download action... The third exploit is a PDF exploit -- this actually merges three exploits targeting Adobe Reader. First the JavaScript in the HTML page checks if Adobe Reader is exploitable by checking its version number. The version should be between 7 and 7.1.4, 8 and 8.1.7, or 9 and 9.4. When a vulnerable version is found, the exploit downloads the malicious PDF file and as it is loaded by Adobe Reader, the malicious ActionScript in the file is executed automatically. The PDF itself contains an obfuscated ActionScript that utilizes one of the three different PDF exploits it hides. These are CVE-2009-4324, CVE-2007-5659, and CVE-2009-0927. If it succeeds, the download and installation of updates.exe happens in a similar manner to that described earlier. The downloaded executable is detected by 12% of antivirus products, according to VirusTotal*.
WARNING: At the time of writing the front page of phpnuke .org still contains the malicious iframe, so we advise users to stay away from the site until it has been fixed..."
* http://www.virustotal.com/analisis/...df26c1565026dc71712b9a391953fb9d24-1273013683
File 1e99dab3abd728300f055a047626d1211 received on 2010.05.04 22:54:43 (UTC)
Result: 5/41 (12.20%)
- http://pandalabs.pandasecurity.com/php-nuke-hacked-with-injected-iframe/
5/7/10
- http://www.theregister.co.uk/2010/05/11/phpnuke_infection_purged/
11 May 2010 - "The official website for content management system PHP-Nuke was purged of a nasty infection on Tuesday that for four days attempted to install malware on visitors' machines. The website, which used an out-of-date version of PHP, was compromised as long ago as Friday, according to reports from Websense and Panda Labs. The infection redirected anyone visiting the PHP-Nuke front page to a series of attack sites and wasn't cleaned up until Tuesday, Sophos said*..."
* http://www.sophos.com/blogs/sophoslabs/?p=9585
May 11th, 2010 - "... While writing this post the site has been cleaned up."
Last edited: