In all likelihood, it means that a GET or POST payload contained the signature. Whether or not the request containing the signature was successful in injecting it into your site is a question that only you will be able to answer.

You can use sigtool to find the signature and again to decode the signature to see what it's detecting to help you identify the particular request(s) to investigate further.

$ sigtool --find-sigs Php.Trojan.MSShellcode-81 | awk '{ print $2 }' | sigtool --decode-sigs
VIRUS NAME: Php.Trojan.MSShellcode-81
TARGET TYPE: ANY FILE
OFFSET: *
...


On Mon, Jul 12, 2021 at 10:44 AM Michael Wang <mwang@unixlabplus.com> wrote:
Clamscan detected a virus in Microsoft Internet Information Services 8.5 log file:

C:\inetpub\logs\LogFiles\W3SVC1\u_exNNNNNN.log: Php.Trojan.MSShellcode-81 FOUND

I looked at the file manually, it consists of comments and GET and POST messages. How do I determine if this is a real or false positive? The files are dynamic and new files will be generated, what are my options? Thanks.


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
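The reply above suggests decoding the signature with sigtool and then locating the request(s) in the log that carry the matching content. The script below is an added example of that second step, not code from the thread or from the ClamAV project. It parses the IIS W3C extended log format (the `#Fields:` directive names the columns), reassembles each request's URI as logged and URL-decoded, flags requests containing the decoded signature content, and gives a first-pass triage note from the HTTP status code (a 404 means the probe never reached a live resource; a 200 on a script path deserves a closer look, along with everything else that client did). The log excerpt and the `NEEDLES` strings are constructed stand-ins; replace `NEEDLES` with whatever `sigtool --decode-sigs` prints for the signature that fired.

```python
"""Triage helper for a ClamAV hit on an IIS W3C log file.

Added example, not from the clamav-users thread or the ClamAV project.
Everything below is constructed: the log excerpt, the NEEDLES strings
(stand-ins for the decoded signature content) and the status-code rule.
"""
from urllib.parse import unquote

# Constructed IIS 8.5 log excerpt in W3C extended format. Real files live
# under C:\inetpub\logs\LogFiles\W3SVC1\ as u_exYYMMDD.log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2021-07-12 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-07-12 10:01:02 10.0.0.5 GET /index.html - 80 - 198.51.100.10 Mozilla/5.0 200 0 0 12
2021-07-12 10:05:41 10.0.0.5 GET /wp-login.php cmd=%3C%3Fphp+eval%28%24x%29 80 - 203.0.113.7 python-requests/2.25 404 0 2 3
2021-07-12 10:05:43 10.0.0.5 POST /upload.asp - 80 - 203.0.113.7 python-requests/2.25 200 0 0 88
2021-07-12 10:05:44 10.0.0.5 GET /shell.php q=%3C%3Fphp+system 80 - 203.0.113.7 python-requests/2.25 200 0 0 40
"""

# Placeholder for the decoded signature content (assumption, not the real
# body of Php.Trojan.MSShellcode-81).
NEEDLES = ("<?php", "eval(")


def parse_iis_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.

    '#' lines are directives; '#Fields:' may appear more than once if the
    logging options changed mid-file, so it is re-read whenever it occurs.
    """
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            # Keep malformed lines visible instead of silently dropping them.
            records.append({"_raw": line, "_error": "field count mismatch"})
            continue
        rec = dict(zip(fields, values))
        rec["_raw"] = line
        records.append(rec)
    return records


def request_text(rec):
    """Return (as_logged, url_decoded) for the request stem plus query.
    IIS writes cs-uri-query percent-encoded, with '+' for spaces."""
    query = rec.get("cs-uri-query", "-")
    raw = rec.get("cs-uri-stem", "")
    if query != "-":
        raw = f"{raw}?{query}"
    return raw, unquote(raw.replace("+", " "))


def triage_status(status):
    """First-pass note from the HTTP status code alone."""
    if status.startswith("2"):
        return "served: the request reached a resource; inspect that path and how the app handled it"
    if status.startswith("3"):
        return "redirected: check where the client was sent"
    return "rejected: the probe hit no live resource; confirm no related request succeeded"


def find_matching_requests(records, needles=NEEDLES):
    """Requests whose URI (as logged or decoded) contains any needle."""
    hits = []
    for rec in records:
        if "_error" in rec:
            continue
        raw, decoded = request_text(rec)
        matched = [n for n in needles if n in raw or n in decoded]
        if matched:
            status = rec.get("sc-status", "")
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec.get("c-ip", "?"),
                "method": rec.get("cs-method", "?"),
                "uri": decoded,
                "status": status,
                "matched": matched,
                "note": triage_status(status),
            })
    return hits


def related_requests(records, client_ip):
    """All requests from one client, so a rejected probe can be checked
    against what that client did next (for example a successful POST)."""
    return [r for r in records if r.get("c-ip") == client_ip]


if __name__ == "__main__":
    recs = parse_iis_w3c(SAMPLE_LOG)
    for h in find_matching_requests(recs):
        print(f"{h['time']} {h['client']} {h['method']} {h['uri']} -> {h['status']}: {h['note']}")
        for r in related_requests(recs, h["client"]):
            print(f"    {r['cs-method']} {r['cs-uri-stem']} {r['sc-status']}")
```

Run it against a copy of the flagged log (`parse_iis_w3c(open(path, encoding="utf-8", errors="replace").read())`) rather than the live file, which IIS keeps open. Because new log files keep being generated, the same signature will keep firing on any log that records a similar request; the useful question is not whether the log is infected (it is just a record) but whether any of the flagged requests was served rather than rejected, which is what the status-code triage and the per-client listing are there to surface.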