PHP-Nuke Hacked with Injected iframe

May 7

PHP-Nuke, a popular web-based portal and content management solution written in PHP, has been criticized in the past for the slew of security vulnerabilities affecting its platform. Today, the main PHP-Nuke website has been, well, nuked. A malicious iframe has been injected into the main site (still active) and, like the previous attack on the US Treasury website, this campaign also uses the Eleonore exploit pack to distribute the malware.

Upon visiting the main PHP-Nuke website (still active), the injected iframe redirects the browser through a series of exploit attempts, which include the Adobe Collab overflow, getIcon, and doc.media.newPlayer vulnerabilities.

malicious iframe redirector - php-nuke

After the initial iframe redirection, the second iframe redirection starts and statistics servers (hosted in Russia) are accessed.

second stage iframe redirection/statistic collection

After the second stage is completed, the third stage starts and the exploitation attempts begin.

3rd stage - obfuscated code - exploitation attempts

If any of the exploit attempts succeeds, the CI.A Trojan is executed on the victim's computer.

Lately, we've noticed an uptick in usage of the Eleonore exploit kit and, judging from the site parameter in the redirector URL (e.g. site=phpnuke.org), we're guessing that this isn't the only site they are targeting in this attack.
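A defender-side check for the kind of injection described above, added here as an example and not taken from the original post or from the PHP-Nuke project: it parses a page, flags iframes that are both off-site and hidden (1x1 size or CSS-hidden), and extracts the site= parameter the post mentions as the campaign tag. The sample HTML and the redirector host are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: legitimate markup followed by an injected, hidden iframe.
# "redirector.example" is a placeholder, not a real indicator.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://redirector.example/in.php?site=phpnuke.org" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 (pixels or bare numbers)."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def find_suspicious_iframes(html, site_host):
    """Return (src, reasons, campaign_tag) for iframes that look injected:
    off-site AND hidden by size or CSS. campaign_tag is the 'site' query
    parameter of the iframe src, if present."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src = same site
        reasons = []
        if host != site_host:
            reasons.append("off-site")
        if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
            reasons.append("tiny")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        if "off-site" in reasons and len(reasons) > 1:
            tag = parse_qs(urlparse(src).query).get("site", [None])[0]
            hits.append((src, reasons, tag))
    return hits


if __name__ == "__main__":
    for src, reasons, tag in find_suspicious_iframes(SAMPLE_HTML, "phpnuke.org"):
        print(src, reasons, tag)
```

The visible YouTube embed is off-site but not hidden, so it is not reported; only the 1x1 hidden frame is.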

Comments

  1. This is at least the second time it happened to them in a few months. I alerted them at the beginning of this year for exactly the same problem.

  2. a Man says:

    PHP nuke is the most vulnerable CMS in the world, and this isn’t unbelievable….

Trackbacks

  1. [...] this article: PHP-Nuke Hacked with Injected iframe Posted in Security News Tags: eleonore, exploitation, from-the-site, obfuscated-code, php, [...]

  2. [...] site of PHP-Nuke “Professional Content Management System“ was serving malware (see 1, 2). I am frankly amazed to see the site still infected 4 days [...]

  3. [...] rest is here: PHP-Nuke Hacked with Injected iframe Posted in Security News Tags: campaign, eleonore, exploitation, from-the-site, obfuscated-code, [...]

  4. [...] the official site of PHP-Nuke "Professional Content Management System" was serving malware (see 1, 2). I am frankly amazed to see the site still infected 4 days [...]
