[Community-sigs] Injected php uploader
Angel Villegas
anvilleg at sourcefire.com
Mon May 11 08:40:49 EDT 2015
Thank you for your contribution! I'm going to make a few changes to the
signature and queue it for false positive testing.
Some changes I'm going to make:
- Change target type from 0 (Any) to 7 (ASCII text file)
- With the new target type, strings are normalized to lower case, so I
will change the signature to be all lower case
- Since this targets PHP scripts I will add the opening and closing php
tags ("<?" and "?>")
Thanks,
Angel M. Villegas
On Fri, May 8, 2015 at 6:02 PM, Alex Creek <me at alexcreek.com> wrote:
> Signature:
>
>
> PHP.Trojan.Uploader:0:*:247332313d737472746f6c6f776572282473465b345d2e2473465b355d2e2473465b395d2e2473465b31305d2e2473465b365d2e2473465b335d2e2473465b31315d2e2473465b385d2e2473465b31305d2e2473465b315d2e2473465b375d2e2473465b385d2e2473465b31305d29*247332303d737472746f7570706572282473465b31315d2e2473465b305d2e2473465b375d2e2473465b395d2e2473465b325d29
>
>
> Hashes:
>
> md5: 8bc1accace3e5d1afd90bc2189bf1bd8
> sha1: 30034f2979398bd1792da5c42276b1c14afb308b
> sha256: 6dabc433bac2d2fb52a5383bae1412584f40cd49c9321c60da8aaf3f98c57e6f
>
>
> Alex
>
>
>
>
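The first two changes listed in the reply (target type 0 to 7, and lower-casing the pattern) sketched as an added example; it is not part of the original thread and not ClamAV tooling. It covers only the case folding the reply mentions, and the sample signature and the function names are constructed for illustration.

```python
import re

# Hex-field tokens of an .ndb body signature: literal byte, nibble or full
# wildcard, {n-m} gap, or a structural character.
TOKEN = re.compile(r"[0-9a-fA-F]{2}|[0-9a-fA-F?]{2}|\{[^}]*\}|[*()|!]")
LITERAL = re.compile(r"[0-9a-fA-F]{2}")
TARGET_ASCII = "7"  # "ASCII text file" target type, as named in the thread


def fold_case(hexsig):
    """Lower-case every literal byte in A-Z; wildcards pass through."""
    tokens = TOKEN.findall(hexsig)
    if "".join(tokens) != hexsig:
        raise ValueError("unrecognised characters in hex signature")
    out, changed = [], 0
    for tok in tokens:
        if LITERAL.fullmatch(tok):
            byte = int(tok, 16)
            if 0x41 <= byte <= 0x5A:  # 'A'..'Z'
                byte += 0x20
                changed += 1
            tok = f"{byte:02x}"
        out.append(tok)
    return "".join(out), changed


def retarget_to_ascii(line):
    """Return (new_line, bytes_changed) for a target-7 copy of the signature."""
    fields = line.strip().split(":")  # Name:TargetType:Offset:HexSignature[...]
    if len(fields) < 4:
        raise ValueError("expected at least 4 colon-separated fields")
    fields[3], changed = fold_case(fields[3])
    fields[1] = TARGET_ASCII
    return ":".join(fields), changed


def readable(hexsig):
    """Decode a signature made only of plain hex runs separated by '*'."""
    return [bytes.fromhex(p).decode("latin-1") for p in hexsig.split("*")]


# Constructed sample, not the submitted signature: "$sF[4]" * "strToUpper("
SAMPLE = "Constructed.Example.Sig:0:*:2473465b345d*737472546f557070657228"

if __name__ == "__main__":
    new_line, changed = retarget_to_ascii(SAMPLE)
    print(new_line, changed, readable(new_line.split(":")[3]))
```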