What does PHP stand for? Probable Hacked Page?

Late last week, the wires were buzzing over news that the official site of PHP-Nuke Professional Content Management System was serving malware (see 1, 2). I am frankly amazed to see the site still infected 4 days later.

Here at SophosLabs we see hacked sites everyday and the majority are running PHP-driven applications such as Content Management Systems (CMS). The PHP-Nuke site is currently running PHP v. 5.2.9.

Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/ PHP/5.2.9

The current version is 5.3.2. I wonder though has the web admin updated their own version of PHP-Nuke?

We often tell web admins after an infection to:

  • Delete or restore from backup infected files.
  • Patch/Update all software on the box.
  • Change all password especially FTP ones (and restrict FTP access to a minimum).
  • Review logs and policies to prevent another breach.

The failure to adhere to the second of these rules Patch/Update is the most likely route for infection in this case.

Note: While writing this post the site has been cleaned up.