[Community-sigs] Injected php uploader
Angel Villegas
anvilleg at sourcefire.com
Mon May 11 09:36:52 EDT 2015
No problem. You may have problems with the ASCII type since it normalizes
the text. If you have issues in the future, it could help to run ClamAV
with the "--leave-temps" and "--tempdir <path to dir>" options to see what
ClamAV is looking at when processing the file.
Feel free to send any other hashes this signature should hit on. The only
hash I know of is the one you provided in your earlier message (SHA256:
6dabc433bac2d2fb52a5383bae1412584f40cd49c9321c60da8aaf3f98c57e6f)
Thanks,
Angel M. Villegas
On Mon, May 11, 2015 at 9:23 AM, Alex Creek <me at alexcreek.com> wrote:
> Thanks, I've never been able to get php signatures to fire using the ASCII
> type so that's where the any type came from. From what I've seen in the
> wild, there aren't closing tags included with the code and the apps I've
> seen it injected into (WordPress) don't typically use closing tags either.
>
> The hashes match a sample I uploaded to
> http://cgi.clamav.net/sendvirus.cgi
>
> Alex
>
>
> -----Original Message-----
> From: Community-sigs [mailto:community-sigs-bounces at lists.clamav.net] On
> Behalf Of Angel Villegas
> Sent: Monday, May 11, 2015 8:41 AM
> To: ClamAV Community Signatures Submission List
> Subject: Re: [Community-sigs] Injected php uploader
>
> Thank you for your contribution! I'm going to make a few changes to the
> signature and queue it for false positive testing.
>
> Some changes I'm going to make:
> - Change target type from 0 (Any) to 7 (ASCII text file)
> - With the new target type, strings are normalized to lower case, so I
> will change the signature to be all lower case
> - Since this targets PHP scripts I will add the opening and closing php
> tags ("<?" and "?>")
>
>
> Thanks,
> Angel M. Villegas
>
> On Fri, May 8, 2015 at 6:02 PM, Alex Creek <me at alexcreek.com> wrote:
>
> > Signature:
> >
> >
> > PHP.Trojan.Uploader:0:*:247332313d737472746f6c6f776572282473465b345d2e
> > 2473465b355d2e2473465b395d2e2473465b31305d2e2473465b365d2e2473465b335d
> > 2e2473465b31315d2e2473465b385d2e2473465b31305d2e2473465b315d2e2473465b
> > 375d2e2473465b385d2e2473465b31305d29*247332303d737472746f7570706572282
> > 473465b31315d2e2473465b305d2e2473465b375d2e2473465b395d2e2473465b325d2
> > 9
> >
> >
> > Hashes:
> >
> > md5: 8bc1accace3e5d1afd90bc2189bf1bd8
> > sha1: 30034f2979398bd1792da5c42276b1c14afb308b
> > sha256:
> > 6dabc433bac2d2fb52a5383bae1412584f40cd49c9321c60da8aaf3f98c57e6f
> >
> >
> > Alex
> >
> >
> >
> > _______________________________________________
> > Community-sigs mailing list
> > Community-sigs at lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> >
> > http://www.clamav.net/contact.html#ml
> >
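The effect of moving this signature from target type 0 to target type 7, as an added example that is not code from either participant or from ClamAV: it decodes the posted hex fragments, rewrites them in lower case, and shows why the posted form stops matching once the file text is normalized. The `matches` and `normalize` helpers are simplified stand-ins (only lower-casing is modelled), the sample file is constructed, and the "<?" / "?>" additions mentioned in the thread are not applied.

```python
import re

# Signature as posted in the thread (Name:Target:Offset:HexSig),
# rejoined from the wrapped e-mail lines.
POSTED_SIG = (
    "PHP.Trojan.Uploader:0:*:"
    "247332313d737472746f6c6f776572282473465b345d2e"
    "2473465b355d2e2473465b395d2e2473465b31305d2e2473465b365d2e2473465b335d"
    "2e2473465b31315d2e2473465b385d2e2473465b31305d2e2473465b315d2e2473465b"
    "375d2e2473465b385d2e2473465b31305d29*247332303d737472746f7570706572282"
    "473465b31315d2e2473465b305d2e2473465b375d2e2473465b395d2e2473465b325d2"
    "9"
)

def parse(sig):
    """Split a signature into name, target type, offset and byte fragments."""
    name, target, offset, body = sig.split(":", 3)
    # '*' in the body separates fragments that may be any distance apart.
    return name, int(target), offset, [bytes.fromhex(p) for p in body.split("*")]

def retarget_ascii(sig):
    """Rewrite for target type 7: lower-case each fragment, set target to 7."""
    name, _, offset, parts = parse(sig)
    return f"{name}:7:{offset}:" + "*".join(p.lower().hex() for p in parts)

def normalize(data):
    """Assumption: models only the lower-casing part of ClamAV's normalization."""
    return data.lower()

def matches(sig, data):
    """Simplified matcher (not ClamAV's engine): fragments in order, any gap."""
    pattern = b".*".join(re.escape(p) for p in parse(sig)[3])
    return re.search(pattern, data, re.DOTALL) is not None

# Constructed sample: the two decoded fragments inside a PHP file, no closing tag.
_f = parse(POSTED_SIG)[3]
SAMPLE = b"<?php\n" + _f[0] + b";\n" + _f[1] + b";\n"

if __name__ == "__main__":
    for frag in _f:
        print(frag.decode("ascii"))
    fixed = retarget_ascii(POSTED_SIG)
    print(fixed)
    print("posted sig, raw file:       ", matches(POSTED_SIG, SAMPLE))
    print("posted sig, normalized file:", matches(POSTED_SIG, normalize(SAMPLE)))
    print("lower-case sig, normalized: ", matches(fixed, normalize(SAMPLE)))
```

To see what ClamAV itself produces for a given file, compare against the temporary files left by the "--leave-temps" and "--tempdir" options mentioned in the reply.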