[Community-sigs] Injected php uploader

Alex Creek me at alexcreek.com
Mon May 11 09:23:44 EDT 2015


Thanks, I've never been able to get PHP signatures to fire using the ASCII type so that's where the any type came from. From what I've seen in the wild, there aren't closing tags included with the code and the apps I've seen it injected into (WordPress) don't typically use closing tags either.

The hashes match a sample I uploaded to http://cgi.clamav.net/sendvirus.cgi  

Alex


-----Original Message-----
From: Community-sigs [mailto:community-sigs-bounces at lists.clamav.net] On Behalf Of Angel Villegas
Sent: Monday, May 11, 2015 8:41 AM
To: ClamAV Community Signatures Submission List
Subject: Re: [Community-sigs] Injected php uploader

Thank you for your contribution! I'm going to make a few changes to the signature and queue it for false positive testing.

Some changes I'm going to make:
 - Change target type from 0 (Any) to 7 (ASCII text file)
 - With the new target type, strings are normalized to lower case, so I will change the signature to be all lower case
 - Since this targets PHP scripts I will add the opening and closing php tags ("<?" and "?>")


Thanks,
Angel M. Villegas

On Fri, May 8, 2015 at 6:02 PM, Alex Creek <me at alexcreek.com> wrote:

> Signature:
>
>
> PHP.Trojan.Uploader:0:*:247332313d737472746f6c6f776572282473465b345d2e
> 2473465b355d2e2473465b395d2e2473465b31305d2e2473465b365d2e2473465b335d
> 2e2473465b31315d2e2473465b385d2e2473465b31305d2e2473465b315d2e2473465b
> 375d2e2473465b385d2e2473465b31305d29*247332303d737472746f7570706572282
> 473465b31315d2e2473465b305d2e2473465b375d2e2473465b395d2e2473465b325d2
> 9
>
>
> Hashes:
>
> md5: 8bc1accace3e5d1afd90bc2189bf1bd8
> sha1: 30034f2979398bd1792da5c42276b1c14afb308b
> sha256: 6dabc433bac2d2fb52a5383bae1412584f40cd49c9321c60da8aaf3f98c57e6f
>
>
> Alex
>
>
>
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>
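
Added example, not part of the original thread and not ClamAV code: the target-type change discussed above, applied to a shortened form of the submitted signature (fields are Name:TargetType:Offset:HexSignature). It assumes normalization for target type 7 is lower-casing only, as the reply describes; the function names, the sample text and the simplified matcher are illustrative assumptions.

```python
import re

# One token of an .ndb hex body: {n-m} jump, [n-m] anchor, literal byte,
# nibble wildcard (a? / ?a / ??), or a single structural char (* ( | ) !).
TOKEN = re.compile(r"\{[^}]*\}|\[[^\]]*\]|[0-9a-fA-F]{2}|[0-9a-fA-F?]{2}|.")
LITERAL = re.compile(r"[0-9a-fA-F]{2}")

def lower_byte(pair):
    """Map an upper-case ASCII letter byte (A-Z) to its lower-case byte."""
    b = int(pair, 16)
    return f"{b + 0x20:02x}" if 0x41 <= b <= 0x5A else pair.lower()

def to_ascii_target(sig):
    """Rewrite the signature for target type 7, lower-casing literal bytes."""
    fields = sig.split(":")
    fields[1] = "7"
    fields[3] = "".join(lower_byte(t) if LITERAL.fullmatch(t) else t
                        for t in TOKEN.findall(fields[3]))
    return ":".join(fields)

def decode(sig):
    """Readable view of the hex body: literals as text, other tokens as-is."""
    return "".join(chr(int(t, 16)) if LITERAL.fullmatch(t) else t
                   for t in TOKEN.findall(sig.split(":")[3]))

def hits(sig, data):
    """Simplified matcher: literal bytes and '*' only (enough for this case)."""
    parts = [bytes.fromhex(p) for p in sig.split(":")[3].split("*")]
    pattern = b".*".join(re.escape(p) for p in parts)
    return re.search(pattern, data, re.DOTALL) is not None

# Shortened from the signature quoted above: the leading bytes of each half.
SAMPLE = ("PHP.Trojan.Uploader:0:*:"
          "247332313d737472746f6c6f776572282473465b345d2e*"
          "247332303d737472746f7570706572282473465b31315d2e")
# Constructed text, not the real sample; lower-cased to model the engine's view.
TEXT = b"<?php $s21=strtolower($sF[4].$sF[5]); $s20=strtoupper($sF[11].$sF[0]);"
NORMALIZED = TEXT.lower()

if __name__ == "__main__":
    print(decode(SAMPLE))
    print(hits(SAMPLE, NORMALIZED), hits(to_ascii_target(SAMPLE), NORMALIZED))
```

The upper-case `F` (0x46) in `$sF` is the only byte that changes; against lower-cased text the unmodified body cannot match, while the converted one does.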