Regaining Control of a Hacked PHP-Nuke Site
By: Vinu Thomas
    2004-05-18


    Table of Contents:
  • Regaining Control of a Hacked PHP-Nuke Site
  • Bugs and How
  • Regain your Site
  • Cleaning up



    Regaining Control of a Hacked PHP-Nuke Site - Bugs and How
    ( Page 2 of 4 )

    PHP-NUKE Vulnerability

    Most standard installations of PHP-Nuke are vulnerable to remote attack. Attackers, script kiddies included, can gain control of the installation through a remotely exploitable SQL injection bug. In the default installation of most PHP-Nuke sites, multiple modules are vulnerable to SQL injection, because the underlying code does not sanitize user-supplied variables after they are decoded for use in an SQL query. This lets attackers craft query strings that run SQL commands the script should never permit.

    Using this method, the attacker can steal or overwrite the administrator’s password hash. Once the password hash has been compromised, the attacker heads over to the admin module and takes full control of the PHP-Nuke installation.

    I’m hacked - now what?

    The first thing to do when you realize that your site has been the target of a hack attack is to check whether you still have administrative control of the site. If the attacker has not yet changed your administrative password, you can still retain control of the site. More often than not, the attacker will immediately change the admin password and take full control of your site. In this case, you should immediately bring down your site and block access to the administrative module before the attacker destroys your content.

    How do I bring down the site?

    Since the attackers have gained full administrative permissions on your site, the first thing to do is to disable the site and the admin functions. To do this, we'll need to block access to three main files: index.php, modules.php and admin.php. These files reside in the root folder of your PHP-Nuke installation. Connect to your site using FTP, download index.php, modules.php and admin.php to your system, and store them in a backup folder. We may need these files later when we reopen the site to the public. Now create a blank file, or a file with the message “This site is down for maintenance”, and save it as index.php. Copy the same contents to new files named modules.php and admin.php. Upload these three newly created files to the root directory of the server, overwriting the older files. This should effectively shut down the site and prevent the attackers from exploiting it further.
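The same take-down, scripted for a host where you have shell access to the web root instead of FTP. This is an added example, not code from the article; the function name, the checksum file and the two directory arguments are assumptions.

```shell
#!/bin/sh
# Added example: swap PHP-Nuke's three entry points for a maintenance stub,
# keeping the originals for later review.
# Assumption: shell access to the web root (the article does this over FTP).

ENTRY_POINTS="index.php modules.php admin.php"   # the files named in the article
STUB_TEXT="This site is down for maintenance"

take_site_offline() {
    docroot=$1
    backup=$2
    [ -d "$docroot" ] || { echo "no such web root: $docroot" >&2; return 1; }
    # Refuse to reuse a backup folder: a second run would overwrite the saved
    # originals with copies of the stub.
    if [ -e "$backup" ]; then
        echo "backup folder already exists: $backup" >&2
        return 1
    fi
    mkdir -p "$backup" && chmod 700 "$backup" || return 1

    saved=""
    for f in $ENTRY_POINTS; do
        if [ -f "$docroot/$f" ]; then
            # -p keeps the modification time, useful when reviewing what changed
            cp -p "$docroot/$f" "$backup/$f" || return 1
            cmp -s "$docroot/$f" "$backup/$f" || return 1
            saved="$saved $f"
        else
            echo "warning: $f not found, a stub is still written" >&2
        fi
    done
    # Record checksums so later changes to the saved copies are detectable
    if [ -n "$saved" ]; then
        (cd "$backup" && sha256sum $saved > SHA256SUMS) || return 1
    fi

    for f in $ENTRY_POINTS; do
        # Write to a temporary name, then rename, so no request is served a
        # half-written file
        printf '%s\n' "$STUB_TEXT" > "$docroot/$f.tmp.$$" || return 1
        mv -f "$docroot/$f.tmp.$$" "$docroot/$f" || return 1
    done
}
```

Keep the backup folder outside the web root so the saved copies cannot be requested through the web server.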



     
     





    © 2003-2009 by Developer Shed. All rights reserved.