May 7, 2010

phpnuke.org has been compromised

Tamas Rudnai

Websense® Security Labs™ ThreatSeeker™ Network has discovered that the popular Web site, phpnuke.org, has been compromised.

PHP-Nuke is a popular Web content management system (CMS), based on PHP and a database such as MySQL, PostgreSQL, Sybase, or Adabas. Earlier versions were open source and free software protected by GNU Public License, but since then it has become commercial software. As it is still very popular in the Internet community, it is not surprising that it has become a target of blackhat attacks.


The injected iframe hijacks the browser to a malicious site, where through several steps of iframe redirections the user finally ends up on a highly obfuscated malicious page.


After de-obfuscating the code, we can see three different exploits, two of them targeting Internet Explorer and the third one targeting Adobe Reader.

The first exploit targets a vulnerability in MDAC (CVE-2006-0003), described in Microsoft Security Bulletin MS06-014. If it succeeds, a malicious application is downloaded and stored in "%temp%\updates.exe". After this the downloaded trojan is executed, at which point it installs itself on the computer and attempts to access several Web sites.

The second exploit uses a Java vulnerability to spawn shellcode, which then initiates the download action. After downloading the malicious executable, everything works as described above.

The third exploit is a PDF exploit -- this actually merges three exploits targeting Adobe Reader. First the JavaScript in the HTML page checks if Adobe Reader is exploitable by checking its version number. The version should be between 7 and 7.1.4, 8 and 8.1.7, or 9 and 9.4. When a vulnerable version is found, the exploit downloads the malicious PDF file and as it is loaded by Adobe Reader, the malicious ActionScript in the file is executed automatically. The PDF itself contains an obfuscated ActionScript that utilizes one of the three different PDF exploits it hides. These are CVE-2009-4324CVE-2007-5659, and  CVE-2009-0927. If it succeeds, the download and installation of updates.exe happens in a similar manner to that described earlier.

The downloaded executable is detected by 12% of antivirus products, according to VirusTotal.

WARNING: At the time of writing the front page of phpnuke.org still contains the malicious iframe, so we advise users to stay away from the site until it has been fixed.

Websense Messaging and Websense Web Security customers are protected against this attack.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.