Apocalyptic infection purged from PHP-Nuke.org
Better late than never
The official website for content management system PHP-Nuke was purged of a nasty infection on Tuesday that for four days attempted to install malware on visitors' machines.
The website, which used an out-of-date version of PHP, was compromised as long ago as Friday, according to reports from Websense and Panda Labs. The infection redirected anyone visiting the PHP-Nuke front page to a series of attack sites and wasn't cleaned up until Tuesday, Sophos said.
"Here at SophosLabs we see hacked sites every day and the majority are running PHP-driven applications such as Content Management Systems (CMS)," the Sophos blog post stated.
People who visited the site with unpatched versions of Adobe Reader, Internet Explorer and possibly other applications were exposed to exploits that silently installed malware on their computers. Despite the severity of the compromise, it was allowed to persist for more than 72 hours after it became public knowledge. Fewer than 12 per cent of antivirus products were detecting the malware during the early stages of the attack, according to VirusTotal, although that rate probably improved over time.
The Register was unable to reach PHP-Nuke officials for comment.
The compromise appears to be the work of the Eleonore exploit kit, which has been working overtime lately hitting sites operated by the US Treasury, among others.
It's not the first time PHP-Nuke has been reported to have security vulnerabilities, as Secunia advisories here and here show. ®
COMMENTS
yeah mang
We should all just email our comments to the Reg and then somebody can copy and paste them into HTML files for us.
Manage what content?
Whether a CMS requires significant client-side scripting really depends on what type of content it's trying to manage. CD001 is largely right, but you only need a WYSIWYG interface like TinyMCE if you want to manage rich content. If you can manage with just plain text, a plain textarea will do fine - and the same principle applies to most other stuff which users upload.
But I suspect the majority of client-side script runtime these days is soaked up with all the ****ing googlemonster tracking and 'anal-ytics' bollocks, which doesn't improve the user's experience one jot, but which webmasters seem to think is essential to sell advertising, sorry I meant to propagate their web2.0orrhea around the multiverse in the vain assumption that anyone gives a sh*t.
Real social networks are, as any fule kno, called "the pub". See you there.
PHP
PHP is just a means of serving the content - a layer on top of the server. The problem is not keeping up to date with fixes/patches - if you don't do that any software on the server is just as vulnerable. Of course, it does have a very low barrier to entry so you get some very amateur developers writing easily compromised software. But, on the whole, it's a good thing.
On the other hand, I agree with the rest of what you said - the improvements in speed do just seem to be a way to push more crap down the line. Hence I use No-Script and FlashBlock - if the site doesn't work without JS or Flash (and doesn't need them - ie. a game) then I'll just find another. Wish more people would - perhaps it'd reduce the "need" for the crap.