phpnuke.org compromised, serving exploits

PHP-Nuke is a popular Web content management system based on PHP and various databases. Once upon a time it was an open-source platform, but is now commercial software. Nonetheless, it is still very popular and its main website provides handy resources for those who use it.

According to Websense researchers, the phpnuke.org website has been compromised and has been serving several exploits:

By using iFrame-redirection in order to hijack the user’ browsers, running them through a series of sites and finally land them on a malicious page, the authors of this compromise have been trying to exploit two documented vulnerabilities in Internet Explorer and one in Adobe Reader.

The first two exploits attempt to download a Trojan which, when executed, makes the computer attempt to visit a string of malicious websites and probably download more malware.

The last one is a PDF exploit that actually combines three exploits.

“First the JavaScript in the HTML page checks if Adobe Reader is exploitable by checking its version number. The version should be between 7 and 7.1.4, 8 and 8.1.7, or 9 and 9.4. When a vulnerable version is found, the exploit downloads the malicious PDF file and as it is loaded by Adobe Reader, the malicious ActionScript in the file is executed automatically. The PDF itself contains an obfuscated ActionScript that utilizes one of the three different PDF exploits it hides,” say the researchers. It the exploits are successful, the previously mentioned Trojan is downloaded and installed.