[clamav-users] Signature help - php injection
Hajo Locke
Hajo.Locke at gmx.de
Tue Oct 24 06:52:04 UTC 2017
Hello list,
Currently I sometimes find hexed PHP code like this in hacked CMSes.
https://www.unphp.net/decode/9343fc7753f51080ad5d7817720956f0/
http://ddecode.com/hexdecoder/?results=9c4971e2e8f3cc6e00865e3a1dfd20bc
https://www.unphp.net/decode/18679f0e27962531abffc36b8c869ce0/
Not my domains, just samples.
The pattern is always the same, including the 5-char comments. In my case
the include string decodes to a path and includes an .ico file.
I don't understand this code used to obfuscate the path. I saw some samples
and all of the lines look different in encoded form. When decoded,
the strings show some similarities. But unfortunately I can only create
a signature on the raw text, not the decoded, human-readable text.
What would be the best way to create a signature for this? Currently this
is a puzzler for me and I can't find a way to create a clever signature
that fits most cases.
Maybe this would be a case for the pros?
Thanks,
Hajo
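
Added example, not part of the original post and not ClamAV signature syntax: one way to handle the raw-versus-decoded mismatch described above is to resolve PHP's hex and octal string escapes before matching, then flag include statements whose decoded path ends in `.ico`. The function names and the sample file content are assumptions constructed for illustration.

```python
import re

# include/require statement and its argument, up to the terminating semicolon.
INCLUDE_RE = re.compile(r'(?i)(?<![\w$>])(?:include|require)(?:_once)?\b([^;]*);')
# Double-quoted PHP string literal; only these interpret \x.. and octal escapes.
DQ_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
# \xHH (1-2 hex digits), \NNN (1-3 octal digits), or an escaped ", \ or $.
ESCAPE_RE = re.compile(r'\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3})|(["\\$]))')

def decode_php_string(raw):
    """Resolve numeric escapes the way PHP does inside double quotes."""
    def repl(m):
        hexd, octd, lit = m.groups()
        if hexd:
            return chr(int(hexd, 16))
        if octd:
            return chr(int(octd, 8) & 0xFF)  # PHP wraps octal values above \377
        return lit  # escaped quote, backslash or dollar sign
    return ESCAPE_RE.sub(repl, raw)

def count_numeric_escapes(raw):
    """Count only \\x.. and octal escapes, the ones used to hide the path."""
    return sum(1 for hexd, octd, _ in ESCAPE_RE.findall(raw) if hexd or octd)

def find_obfuscated_includes(source, suspicious_ext=(".ico",)):
    """Return (line, decoded_path, numeric_escape_count) for suspect includes."""
    hits = []
    for m in INCLUDE_RE.finditer(source):
        literals = DQ_STRING_RE.findall(m.group(1))
        if not literals:
            continue
        # Decode each literal separately, then join: covers "a" . "b" concatenation.
        decoded = "".join(decode_php_string(s) for s in literals)
        escapes = sum(count_numeric_escapes(s) for s in literals)
        if escapes or decoded.lower().endswith(suspicious_ext):
            hits.append((source.count("\n", 0, m.start()) + 1, decoded, escapes))
    return hits

# Constructed sample (not taken from the linked decodes): an escaped include
# wrapped in 5-character comments, followed by an ordinary include.
SAMPLE = r'''<?php
/*a1b2c*/
@include "\x2fvar/\167ww/ex\x61mple/\x66avicon_0\61.i\x63o";
/*a1b2c*/
require_once "lib/config.php";
'''

if __name__ == "__main__":
    for line, path, escapes in find_obfuscated_includes(SAMPLE):
        print(f"line {line}: include of {path!r} ({escapes} numeric escapes)")
```

Because the match runs on the decoded string, it does not depend on which characters a given sample chose to escape.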