What does PHP stand for? Probable Hacked Page?

Filed Under: SophosLabs

Late last week, the wires were buzzing over news that the official site of PHP-Nuke "Professional Content Management System" was serving malware (see 1, 2). I am frankly amazed to see the site still infected 4 days later.

Here at SophosLabs we see hacked sites every day, and the majority are running PHP-driven applications such as Content Management Systems (CMS). The PHP-Nuke site is currently running PHP v. 5.2.9.

Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9

The current version is 5.3.2. I wonder, though, whether the web admin has updated their own version of PHP-Nuke.
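A quick way to turn a banner like the one above into an inventory is to parse each product/version token and compare it against a reference release. The following is an added example (not code from the original post); the only reference version it ships is the PHP 5.3.2 the post names, and the sample header is the one quoted above.

```python
import re

# Sample input: the Server header quoted in the post above.
SERVER_HEADER = ("Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 "
                 "mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9")

# Reference releases to compare against. Only PHP is filled in, with the
# 5.3.2 the post names; add other products at check time (assumption: you
# maintain this table yourself from vendor release notes).
CURRENT = {"PHP": "5.3.2"}

# product/version tokens such as "mod_ssl/2.2.11"; trailing suffixes like
# "e-fips-rhel5" are not part of the numeric version and are left out.
TOKEN_RE = re.compile(r"([A-Za-z_][\w-]*)/(\d+(?:\.\d+)*)")


def parse_server_header(header):
    """Return {product: version} for every product/version token in the banner."""
    return dict(TOKEN_RE.findall(header))


def version_tuple(v):
    """'5.2.9' -> (5, 2, 9), so comparisons are numeric rather than lexical."""
    return tuple(int(x) for x in v.split("."))


def outdated_components(header, current=CURRENT):
    """List (product, running, reference) for products behind the reference table."""
    found = parse_server_header(header)
    behind = []
    for product, ref in current.items():
        running = found.get(product)
        if running is not None and version_tuple(running) < version_tuple(ref):
            behind.append((product, running, ref))
    return behind


def banner_is_verbose(header):
    """True if the banner discloses any version numbers at all (Apache's
    ServerTokens Prod would trim it to the product name)."""
    return bool(TOKEN_RE.search(header))


if __name__ == "__main__":
    for product, running, ref in outdated_components(SERVER_HEADER):
        print(f"{product}: running {running}, current {ref}")
    if banner_is_verbose(SERVER_HEADER):
        print("banner discloses versions; consider ServerTokens Prod")
```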

We often tell web admins after an infection to:

  • Delete infected files or restore them from backup.
  • Patch/Update all software on the box.
  • Change all passwords, especially FTP ones (and restrict FTP access to a minimum).
  • Review logs and policies to prevent another breach.

Failure to follow the second of these rules (Patch/Update) is the most likely route of infection in this case.

Note: While writing this post the site has been cleaned up.
