Malicious Iframe infects PHP-Nuke site....again!

Filed Under: Malware, SophosLabs

Last May, I blogged about PHP-Nuke's official site being hacked. Imagine my surprise when I saw the site come up again in my malware feed.

I looked for the contact details on the site and found that I would have to register in order to give them details of the hack and advice on how to clean up. Doing so would risk giving, at the very least, my email address to the hackers who had compromised the security. Not surprisingly, I declined that tempting offer.

The WHOIS for the website shows that the Registrant is "Domains by Proxy, Inc." and from my many years experience in analysing spam, I am now accustomed to expecting the worst from sites registered with this type of name. Back to square one...again.

Detection-scan for phpnuke

So why am I blogging about the site hack without first informing the owner?

  • They have previous history in leaving the door open to attacks
  • Publishing articles and giving them a spotlight is a surefire way of getting them to fixing the issue
  • They seem not to have learned the lessons of their previous security breach.

In my previous blog entry"What does PHP stand for? Probable Hacked Page?", the attack is similar. Here is the current version:

Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.9

You will see that the Apache and SSL versions have been upgraded (probably due to the OS), but the PHP version has not. The PHP site says that they currently have two versions released (5.3.5 and 5.2.17).

The security mantra here, once again, should be "patch, patch and patch."

PS Oh, and should PHP Nuke want to send me an email address where I can contact them directly in future, that would be nice. Email us at

, , ,

You might like

2 Responses to Malicious Iframe infects PHP-Nuke site....again!

  1. Bill Bird · 1687 days ago

    Sophos rocks!

  2. Bill Bird · 1687 days ago

    BTW, After googling phpnuke using Chrome, and clicking on returned PHPNuke site I was warned by Chrome of potential insecurities!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos to pastures new and will be writing as an independent malware researcher. Paul has: published several papers, presented at several Virus Bulletins and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.