[clamav-users] Signatur help - php injection
Eric Tykwinski
eric-list at truenet.com
Tue Oct 24 11:55:56 UTC 2017
Hajo,
> Hello list,
>
> Pattern is always the same, including the 5-char comments. In my case the include string decodes to a path and includes an .ico file.
> I don't understand this code to obfuscate the path. I saw some samples and all of the lines look a different way in the encoded case. When decoded, the strings show some similarities. But unfortunately I can just create a signature for the raw text, not the decoded, human-readable text.
> What would be the best way to create a signature in this way? Currently this is a puzzler for me and I don't find a way to create a clever signature that fits most cases.
> Maybe this would be a case for the pros?
If you’ve got the full files, then you can create some yara rules.
Samples for webshells are located here: https://github.com/Yara-Rules/rules/tree/master/Webshells
I’d be cautious at first and not use move or delete, at least until you’ve got the script down pat. I’ve learned the hard way from my own false positives ;)
Eric
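An added illustration of the approach Eric suggests, not code from the thread or from the Yara-Rules repository: a YARA rule that keys on what the raw (still encoded) text of such a file does expose, namely an include/require whose argument comes from a decoding call, plus the short filler comments Hajo describes. The exact shape of the filler comments and the set of decoding functions are assumptions here, since the thread does not show a sample; adjust them to the files you actually have. ClamAV has been able to load YARA rules since 0.99 (with a restricted subset of the syntax), so keep the condition simple and check that clamscan accepts the rule before relying on it.

```yara
rule php_obfuscated_include_heuristic
{
    meta:
        description = "PHP include/require fed by a decoding call, padded with 5-char comment blocks (assumed pattern, constructed example)"
        author      = "added example, not from the original post"

    strings:
        // any PHP file should carry an open tag; anchors the rule to PHP text
        $php = "<?php" nocase

        // filler comment blocks of exactly five alphanumerics, e.g. /*a1b2c*/ (assumed shape)
        $pad = /\/\*[A-Za-z0-9]{5}\*\//

        // include/require whose argument is the return value of a decoding function (assumed set)
        $inc = /(include|require)(_once)?\s*\(\s*(base64_decode|str_rot13|gzinflate|strrev|hex2bin)\s*\(/ nocase

    condition:
        $php and $inc and $pad
}
```

Run it read-only first, e.g. `yara -r php_obfuscated_include.yar /path/to/webroot`, and review every hit against a few known-clean PHP applications; legitimate code does call `base64_decode` near `include`, so the filler-comment string is what keeps this from being noisy, and it is also the part most likely to need tuning against real samples.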