Malicious Iframe infects PHP-Nuke site….again!

Last May, I blogged about PHP-Nuke’s official site being hacked. Imagine my surprise when I saw the site come up again in my malware feed.

I looked for the contact details on the site and found that I would have to register in order to give them details of the hack and advice on how to clean up. Doing so would risk giving, at the very least, my email address to the hackers who had compromised the security. Not surprisingly, I declined that tempting offer.

The WHOIS for the website shows that the Registrant is “Domains by Proxy, Inc.” and from my many years experience in analysing spam, I am now accustomed to expecting the worst from sites registered with this type of name. Back to square one…again.

So why am I blogging about the site hack without first informing the owner?

• They have previous history in leaving the door open to attacks
• Publishing articles and giving them a spotlight is a surefire way of getting them to fixing the issue
• They seem not to have learned the lessons of their previous security breach.

In my previous blog entry“What does PHP stand for? Probable Hacked Page?”, the attack is similar. Here is the current version:

Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.9

You will see that the Apache and SSL versions have been upgraded (probably due to the OS), but the PHP version has not. The PHP site says that they currently have two versions released (5.3.5 and 5.2.17).

The security mantra here, once again, should be “patch, patch and patch.”

PS Oh, and should PHP Nuke want to send me an email address where I can contact them directly in future, that would be nice. Email us at tips@sophos.com.