[clamav-users] Php.Trojan.MSShellcode-81 FOUND on MS IIS log file?

Maarten Broekman maarten.broekman at gmail.com
Mon Jul 12 15:24:46 UTC 2021


In all likelihood, it means that a GET or POST payload contained the
signature. Whether or not the request containing the signature was
successful in injecting it into your site is a question that only you will
be able to answer.

You can use sigtool to find the signature and again to decode the signature
to see what it's detecting to help you identify the particular request(s)
to investigate further.

$ sigtool --find-sigs Php.Trojan.MSShellcode-81 | awk '{ print $2 }' |
sigtool --decode-sigs
VIRUS NAME: Php.Trojan.MSShellcode-81
TARGET TYPE: ANY FILE
OFFSET: *
...


On Mon, Jul 12, 2021 at 10:44 AM Michael Wang <mwang at unixlabplus.com> wrote:

> Clamscan detected a virus in a Microsoft Internet Information Services 8.5
> log file:
>
> C:\inetpub\logs\LogFiles\W3SVC1\u_exNNNNNN.log: Php.Trojan.MSShellcode-81 FOUND
>
> I looked at the file manually; it consists of comments and GET and POST
> messages. How do I determine if this is a real or false positive? The
> files are dynamic and new files will be generated, so what are my options?
> Thanks.
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
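The workflow in the reply above (decode the signature with sigtool, then find the request(s) in the IIS log that carried the matching bytes), as an added example that is not code from the thread or from the ClamAV project. The script parses an IIS W3C extended log from its #Fields header, then checks every request line, both as logged and with the URL percent-decoded, against the hex fragments a ClamAV hex signature is built from (plain hex, with `*`, `??` and `{n-m}` gaps treated as "anything in between"). The log lines and both signature bodies are constructed for illustration; the real content of Php.Trojan.MSShellcode-81 is not shown on the page, so paste the hex from your own `sigtool --decode-sigs` output.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample of an IIS 8.5 W3C extended log, not a log from the thread.
# Requests 3 and 4 carry the same PHP payload, once literal and once
# percent-encoded; request 2 carries a php-cgi style argument injection.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2021-07-12 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-07-12 10:01:02 10.0.0.5 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0 - 200 0 0 15
2021-07-12 10:01:05 10.0.0.5 GET /cgi-bin/php -d+allow_url_include%3Don+-d+auto_prepend_file%3Dphp://input 80 - 203.0.113.9 python-requests/2.25 - 404 0 2 3
2021-07-12 10:02:10 10.0.0.5 GET /shell.php c=<?php+eval($_GET[c]);?> 80 - 203.0.113.9 curl/7.64 - 200 0 0 5
2021-07-12 10:02:11 10.0.0.5 POST /upload.php x=%3C%3Fphp+eval(%24_POST%5Bc%5D)%3B%3F%3E 80 - 203.0.113.9 curl/7.64 - 200 0 0 21
"""

# Hypothetical hex bodies standing in for what `sigtool --decode-sigs` prints.
# They are NOT the content of Php.Trojan.MSShellcode-81 (the thread does not
# show it); replace them with the hex from your own sigtool output.
SAMPLE_SIGNATURES = {
    "Hypothetical.Php.Sig-A": "3c3f706870*6576616c28",              # "<?php" ... "eval("
    "Hypothetical.Php.Sig-B": "6175746f5f70726570656e645f66696c65",  # "auto_prepend_file"
}


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.
    Read real files with errors="surrogateescape" so non-UTF-8 bytes survive."""
    fields, records = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split(" ")))
        rec["_lineno"], rec["_raw"] = lineno, line
        records.append(rec)
    return records


def hexsig_segments(hexsig):
    """Split a ClamAV-style hex signature into literal byte segments, treating
    '*', '??' and '{n-m}' as gaps. Other syntax (alternations, nibble
    wildcards) is rejected rather than silently mis-handled."""
    segments = []
    for seg in re.split(r"\*|\?\?|\{[^}]*\}", hexsig.lower()):
        if not seg:
            continue
        if not re.fullmatch(r"[0-9a-f]+", seg) or len(seg) % 2:
            raise ValueError(f"unsupported signature syntax in segment {seg!r}")
        segments.append(bytes.fromhex(seg))
    return segments


def segments_match(data, segments):
    """True if every segment occurs in data, in order, with anything between."""
    pos = 0
    for seg in segments:
        idx = data.find(seg, pos)
        if idx < 0:
            return False
        pos = idx + len(seg)
    return True


def find_matching_requests(records, signatures):
    """One hit per (request line, signature). The raw line is what clamscan
    matched; the percent-decoded URL also catches an encoded copy of the same
    payload that clamscan would not flag in the log."""
    compiled = {name: hexsig_segments(sig) for name, sig in signatures.items()}
    hits = []
    for rec in records:
        raw = rec["_raw"].encode("utf-8", "surrogateescape")
        decoded = unquote_to_bytes(rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", ""))
        for name, segs in compiled.items():
            where = "raw" if segments_match(raw, segs) else (
                "decoded" if segments_match(decoded, segs) else None)
            if where:
                hits.append({"line": rec["_lineno"], "signature": name, "where": where,
                             "client": rec.get("c-ip"), "method": rec.get("cs-method"),
                             "uri": rec.get("cs-uri-stem"), "status": rec.get("sc-status")})
    return hits


if __name__ == "__main__":
    for h in find_matching_requests(parse_iis_log(SAMPLE_LOG), SAMPLE_SIGNATURES):
        print(f"line {h['line']}: {h['signature']} ({h['where']}) "
              f"{h['client']} {h['method']} {h['uri']} -> {h['status']}")
```

The hit list is the starting point for the question Maarten leaves to the site owner: a match in the log only proves the payload arrived. The sc-status column and the target script named in cs-uri-stem tell you whether the request reached anything that could have executed it.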