Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

MPACK Hacking Tool used in large scale Web Attack

Numerous web site attacks have occurred, particularly in Europe. Web site administrators should ensure their security and infrastructure software is up-to-date and lock down PHP security appropriately.

Massive MPACK Compromise
http://isc.sans.org/diary.html?storyid=2991

QUOTE: MPACK is a tool that was first discovered in December of 2006 by Panda Labs. It's a PHP-based application designed to run on a server. With it comes several different exploits (you can buy new ones to add on) which can be used to compromise a user's system based on what they are running. There are different methods to get a user to access the compromised server. One of the more popular methods being used right now is an IFRAME. Websites are compromised and IFRAMES are placed on the sites pointing to the MPACK server. Another interesting characteristic of this tool is the fact it has a database backend. Right now it's being reported by Websense that there are over 10,000 compromised systems all with IFRAMES pointing to the MPACK server.

For more information:

WebSense - Shows chart of countries impacted
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=782

Panda Labs - Analysis of Current Attacks
http://blogs.pandasoftware.com/blogs/pandalabs/archive/2007/05/11/MPack-uncovered_2100_.aspx

Panda Labs - DETAILED REPORT (28 Pages - PDF)
http://blogs.pandasoftware.com/blogs/images/PandaLabs/2007/05/11/MPack.pdf

McAfee Detection of MPACK hacking tool
http://secunia.com/virus_information/39351/htool-mpack/
http://vil.nai.com/vil/content/v_142501.htm

QUOTE: MPack is a Web Attack Tool which we are seeing deployed in the wild on a few web servers. This tool is an application designed to serve malicious content to users accessing compromised websites. We have seen several thousand website URLs that are compromised and have a hidden IFRAME inserted to redirect unsuspecting users to a malicious site hosting the MPack toolkit. The toolkit stores statistical information like Geo Location, Browser Type and Operating System info relating to users accessing bait websites.
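Both the SANS ISC and McAfee write-ups above describe the same delivery mechanism: a hidden IFRAME injected into an otherwise legitimate page, pointing at the server that hosts the toolkit. A web site administrator checking whether their own pages have been tampered with can scan the HTML for iframes that are sized to be invisible, hidden by CSS, or positioned off-screen. The script below is an added example written for this post (not code from SANS, McAfee, or the MPACK tool); it uses only the Python standard library, and the sample page and `redirector.example.invalid` hostnames in it are constructed placeholders, not real indicators.

```python
"""Scan HTML for <iframe> elements hidden in the ways injected redirect
frames usually are (zero/one-pixel size, display:none, off-screen), and
report their target URLs so an administrator can review them."""
from html.parser import HTMLParser
import re

# Constructed sample page: two ordinary embeds plus three hidden frames.
# The redirector hostnames are placeholders, not real indicators.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.com/embed/123" width="640" height="360"></iframe>
<iframe src="http://redirector.example.invalid/index.php" width="0" height="0"></iframe>
<iframe src="http://redirector.example.invalid/in.cgi?3" style="display:none"></iframe>
<iframe src="https://maps.example.com/embed" width="400" height="300" style="border:0"></iframe>
<iframe src="http://redirector.example.invalid/x" style="position:absolute;left:-5000px;top:-5000px;width:1px;height:1px"></iframe>
</body></html>
"""

STYLE_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
STYLE_OFFSCREEN = re.compile(r"(?:left|top)\s*:\s*-\d+", re.I)
STYLE_TINY = re.compile(r"(?:width|height)\s*:\s*[01](?:px)?\b", re.I)


def _tiny(value):
    """True if a width/height attribute value is 0 or 1 (pixels)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeScanner(HTMLParser):
    """Collects every iframe whose attributes make it invisible to the user."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = dict(attrs)
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero-or-one-pixel size attribute")
        style = a.get("style") or ""
        if STYLE_HIDDEN.search(style):
            reasons.append("display:none / visibility:hidden")
        if STYLE_OFFSCREEN.search(style):
            reasons.append("positioned off-screen")
        if STYLE_TINY.search(style):
            reasons.append("zero-or-one-pixel size in style")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))


def find_hidden_iframes(html):
    """Return a list of (src, reasons) for every iframe that looks hidden."""
    scanner = IframeScanner()
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_HTML):
        print(f"SUSPICIOUS iframe -> {src}: {', '.join(why)}")
```

Run it over the files in a site's document root (or over pages fetched from the live site, since the injection may live in a server-side include or template rather than the static file) and review every reported `src`. A visible, normally sized iframe is not flagged, which keeps legitimate video and map embeds out of the report; an iframe hidden by an external stylesheet or by script would need a rendered-DOM check that this static scan does not attempt.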

Comments

SecurityCzar said:

So, what can you do about it? For end users, keep your endpoints patched and antivirus up-to-date. For Symantec users, there is a good article at sharpebusinesssolutions.com/savce_upgrade.htm describing how to keep SAV agents healthy and under support. For admins of affected web sites, a simple clean-up of the page is not sufficient - your site administrator's credentials need to be changed. There are easy-to-use tools available for MPack to use to reinfect your sites even after you have manually cleaned them up. These automated tools are being fed lists of compromised site admin usernames and passwords, so make sure that you put a strong password on your site admin account.

# June 21, 2007 8:44 AM