MPack and how to stop it
MPack is a software kit written and marketed by Russian code writers. It is unusual because it is (a) written in PHP and (b) sold and updated as if it were a regular, legitimate software product. People run it on their websites as a means to install keystroke loggers on vulnerable computers. It works with Firefox and IE and tests the visiting browser to see which vulnerabilities are available for it to exploit. This thing gets updated monthly, and there are even plugin modules you can buy and add on to it for a more effective attack. Most people know enough not to go to sites that end in .ru:8080 or have other strange domain names. Unfortunately, the attackers have adjusted their tactics to make the attack more effective. If you have weak FTP passwords on your site, or if they can get a keystroke logger onto your computer to capture your FTP password, they will run scripts that automatically inject an invisible iframe into every one of your HTML pages (PHP pages are less vulnerable, since they are frequently broken out into several PHP includes).
This is scary stuff, and Google and other search sites will punish you in search rankings, and with warning popups when people click through to your site, if they find out you have been compromised.
The software is constantly being updated, so this goes back to the lesson every server or site admin has to learn: get updates out as quickly as possible on public-facing sites. There is no such thing as a low-maintenance site.
- Update your software packages (WordPress, Drupal, Joomla, etc.) and any libraries they may use (ImageMagick, etc.).
- Update PHP and MySQL, as well as Apache or IIS. If you use a virtual or shared host, pressure them to keep their software updated. If they don't, switch to a new host or better yet, get a dedicated server or colo somewhere. It only looks expensive until you have to wait three days to have your ftp password changed because the support people at your $3.33 a month host need to escalate such a complicated task to their senior engineers. And all that is after you tried to change the password through their web-based form and it didn't work. And they told you three times that it was changed. %^&*%^&*$ I am looking at you, IVChosting.com ಠ_ಠ Ahem.
- Use secure passwords and change them regularly, especially if you publish via FTP regularly.
- If you get compromised (it happens to everyone), change your FTP passwords immediately, preferably from a computer you do not typically use for publishing.
- Scan your computer for viruses with a different AV than you normally use. I like Malwarebytes Anti-Malware and Trend Micro's HouseCall.
- From a different computer, re-upload the files for your site from your last good backup (you have a backup, right?)
- If you don't have a backup, download all the .htm and .html files to a Windows-based computer and do a find and replace for any iframes that reference an external site. If you have legitimate iframes to external sites you should know what they are, and they will probably be larger than 0 by 0 pixels. Notepad++ has a great feature for doing find and replace across multiple files in multiple directories.
- If, like most people, you are concerned because Google tagged you as a badware site, you will need to log in to their Webmaster Tools and add your site to your account. Then you can request a review, in which they check your site for lingering traces. This is a slow process, so the sooner you get started the better. They will remove the flag when they determine that your site is clean.
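The find-and-replace step in the cleanup list can be scripted so you get a report before you touch anything. The Python script below is an added example, not code from the original post or from any tool it mentions. It walks a directory of .htm/.html files, lists every iframe whose src points off-site and whether it is hidden (0 or 1 pixel wide or high, display:none, or visibility:hidden), and optionally strips only the iframes that are both off-site and hidden, leaving visible external iframes for you to review by hand. The site hostname (example.com), the sample page and every domain in it are constructed for the example; it also assumes the injected content is a literal iframe tag rather than a script that writes one at runtime.

```python
"""Find (and optionally strip) hidden off-site iframes in a tree of HTML files.
Added example, not from the original post. Assumes you know your own site's
hostname and that the injection is a literal <iframe> tag."""
import os
import re
from urllib.parse import urlparse

# An <iframe ...> start tag, optionally with its body and </iframe>, without
# running on into a following iframe that lacks a closing tag.
IFRAME_RE = re.compile(
    r'<iframe\b[^>]*>(?:(?:(?!<iframe\b).)*?</iframe\s*>)?',
    re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)')


def _attrs(tag):
    """Attributes of an iframe start tag as a lowercase-keyed dict."""
    head = tag.split('>', 1)[0]
    return {k.lower(): v.strip('"\'') for k, v in ATTR_RE.findall(head)}


def _is_external(src, own_host):
    """True if src resolves to a host other than own_host or its subdomains."""
    host = (urlparse(src).hostname or '').lower()
    if not host:
        return False  # relative URL: stays on this site
    own = own_host.lower()
    return not (host == own or host.endswith('.' + own))


def _is_hidden(a):
    """True if the iframe is 0/1 px in either dimension or styled invisible."""
    for dim in ('width', 'height'):
        if a.get(dim, '').strip().rstrip('px') in ('0', '1'):
            return True
    style = a.get('style', '').replace(' ', '').lower()
    if 'display:none' in style or 'visibility:hidden' in style:
        return True
    return re.search(r'(?:^|;)(?:width|height):[01](?:px)?(?:;|$)', style) is not None


def find_iframes(html, own_host):
    """Every iframe in html with its src and external/hidden verdicts."""
    rows = []
    for m in IFRAME_RE.finditer(html):
        a = _attrs(m.group(0))
        src = a.get('src', '')
        rows.append({'tag': m.group(0), 'src': src,
                     'external': _is_external(src, own_host),
                     'hidden': _is_hidden(a)})
    return rows


def strip_injected(html, own_host):
    """Remove iframes that are both off-site and hidden; return (html, removed srcs).
    Visible off-site iframes are left in place for a human to review."""
    removed = []

    def repl(m):
        a = _attrs(m.group(0))
        src = a.get('src', '')
        if _is_external(src, own_host) and _is_hidden(a):
            removed.append(src)
            return ''
        return m.group(0)

    return IFRAME_RE.sub(repl, html), removed


def scan_tree(root, own_host, clean=False):
    """Walk root for .htm/.html files; return {path: off-site iframes}.
    With clean=True, rewrite each file in place after stripping injected ones."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(('.htm', '.html')):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as f:
                html = f.read()
            flagged = [r for r in find_iframes(html, own_host) if r['external']]
            if flagged:
                report[path] = flagged
            if clean:
                cleaned, removed = strip_injected(html, own_host)
                if removed:
                    with open(path, 'w', encoding='utf-8') as f:
                        f.write(cleaned)
    return report


# Constructed sample page (all hostnames are made up): a legitimate visible embed,
# a hidden same-site iframe, two injected hidden off-site iframes, a same-site embed.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="http://maps.example.org/embed" width="400" height="300"></iframe>
<iframe src="http://bad.example.net:8080/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<iframe src="/local/widget.html" style="display:none"></iframe>
<p>Body text</p>
<IFRAME src="http://evil.example.org/x.php" style="visibility: hidden; width: 1px; height: 1px"></IFRAME>
<iframe src="http://www.example.com/ads.html" width="300" height="250"></iframe>
</body></html>"""

if __name__ == '__main__':
    for r in find_iframes(SAMPLE_HTML, 'example.com'):
        print(f"external={r['external']!s:5} hidden={r['hidden']!s:5} {r['src']}")
    print('stripped:', strip_injected(SAMPLE_HTML, 'example.com')[1])
```

Run `scan_tree('/path/to/site-download', 'yourdomain.example')` first without `clean=True` and read the report; on the sample page it flags the visible maps embed as off-site but only strips the two hidden ones, which is the split between "needs a look" and "clearly injected" you want before bulk-editing. Whatever the script removes, re-upload from a clean machine and rotate the FTP password as the list above says, or the iframes come back.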