What does PHP stand for? Probable Hacked Page?

Filed Under: SophosLabs

Late last week, the wires were buzzing over news that the official site of PHP-Nuke "Professional Content Management System" was serving malware (see 1, 2). I am frankly amazed to see the site still infected 4 days later.

Here at SophosLabs we see hacked sites every day, and the majority are running PHP-driven applications such as Content Management Systems (CMS). The PHP-Nuke site is currently running PHP 5.2.9, as its Server header advertises:

Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9

The current PHP version is 5.3.2. I also wonder whether the web admin has updated their own installation of PHP-Nuke.

We often tell web admins after an infection to:

  • Delete or restore from backup infected files.
  • Patch/Update all software on the box.
  • Change all passwords, especially FTP ones (and restrict FTP access to a minimum).
  • Review logs and policies to prevent another breach.

The failure to adhere to the second of these rules (Patch/Update) is the most likely route of infection in this case.
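A small check an admin can run against the Server header quoted above, added here as an example and not code from SophosLabs or the PHP-Nuke project: it pulls every product/version token out of the header and flags any component advertised below a reference version. The reference table holds only the PHP 5.3.2 figure the post names; the regex and function names are my own.

```python
import re

# The Server header exactly as quoted in the post above.
SERVER_HEADER = ("Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 "
                 "mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9")

# Reference versions to compare against. PHP 5.3.2 is the "current" version the post
# names; an admin would fill in the other products from the vendors' release pages.
CURRENT_VERSIONS = {"PHP": "5.3.2"}

# product/version tokens; parenthesised comments like "(Unix)" carry no slash and are skipped,
# and a trailing suffix such as "e-fips-rhel5" is left out of the numeric version.
TOKEN_RE = re.compile(r"([A-Za-z_][\w.-]*)/(\d+(?:\.\d+)*)")


def parse_server_header(header):
    """Return {product: version} for every product/version token in a Server header."""
    return {name: ver for name, ver in TOKEN_RE.findall(header)}


def version_tuple(v):
    """'5.2.9' -> (5, 2, 9) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def is_outdated(found, current):
    """True when the advertised version is older than the reference version."""
    return version_tuple(found) < version_tuple(current)


def outdated_components(header, current=CURRENT_VERSIONS):
    """List (product, advertised, reference) for each product advertised below its reference."""
    advertised = parse_server_header(header)
    return [(name, advertised[name], ref)
            for name, ref in current.items()
            if name in advertised and is_outdated(advertised[name], ref)]


if __name__ == "__main__":
    for name, found, ref in outdated_components(SERVER_HEADER):
        print(f"{name}: advertised {found}, current {ref} -> patch")
```

The header only tells you what the server advertises; run the same comparison against versions read on the box itself, since the header can be stale or suppressed.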

Note: While writing this post the site has been cleaned up.
