[Community-sigs] Injected php uploader
Alex Creek
me at alexcreek.com
Mon May 11 09:38:49 EDT 2015
Ah, gotcha. Will do, thanks
Alex
-----Original Message-----
From: Community-sigs [mailto:community-sigs-bounces at lists.clamav.net] On Behalf Of Angel Villegas
Sent: Monday, May 11, 2015 9:37 AM
To: ClamAV Community Signatures Submission List
Subject: Re: [Community-sigs] Injected php uploader
No problem. You may have problems with the ASCII type since it normalizes the text. If you have issues in the future, it could help to run ClamAV with the "--leave-temps" and "--tempdir <path to dir>" options to see what ClamAV is looking at when processing the file.
Feel free to send any other hashes this signature should hit on. The only hash I know of is the one you provided in your earlier message (SHA256: 6dabc433bac2d2fb52a5383bae1412584f40cd49c9321c60da8aaf3f98c57e6f)
Thanks,
Angel M. Villegas
On Mon, May 11, 2015 at 9:23 AM, Alex Creek <me at alexcreek.com> wrote:
> Thanks, I've never been able to get php signatures to fire using the
> ASCII type so that's where the any type came from. From what I've
> seen in the wild, there aren't closing tags included with the code and
> the apps I've seen it injected into (WordPress) don't typically use
> closing tags either.
>
> The hashes match a sample I uploaded to
> http://cgi.clamav.net/sendvirus.cgi
>
> Alex
>
>
> -----Original Message-----
> From: Community-sigs [mailto:community-sigs-bounces at lists.clamav.net]
> On Behalf Of Angel Villegas
> Sent: Monday, May 11, 2015 8:41 AM
> To: ClamAV Community Signatures Submission List
> Subject: Re: [Community-sigs] Injected php uploader
>
> Thank you for your contribution! I'm going to make a few changes to
> the signature and queue it for false positive testing.
>
> Some changes I'm going to make:
> - Change target type from 0 (Any) to 7 (ASCII text file)
> - With the new target type, strings are normalized to lower case, so
> I will change the signature to be all lower case
> - Since this targets PHP scripts I will add the opening and closing
> php tags ("<?" and "?>")
>
>
> Thanks,
> Angel M. Villegas
>
> On Fri, May 8, 2015 at 6:02 PM, Alex Creek <me at alexcreek.com> wrote:
>
> > Signature:
> >
> >
> > PHP.Trojan.Uploader:0:*:247332313d737472746f6c6f776572282473465b345d2e2473465b355d2e2473465b395d2e2473465b31305d2e2473465b365d2e2473465b335d2e2473465b31315d2e2473465b385d2e2473465b31305d2e2473465b315d2e2473465b375d2e2473465b385d2e2473465b31305d29*247332303d737472746f7570706572282473465b31315d2e2473465b305d2e2473465b375d2e2473465b395d2e2473465b325d29
> >
> >
> > Hashes:
> >
> > md5: 8bc1accace3e5d1afd90bc2189bf1bd8
> > sha1: 30034f2979398bd1792da5c42276b1c14afb308b
> > sha256: 6dabc433bac2d2fb52a5383bae1412584f40cd49c9321c60da8aaf3f98c57e6f
> >
> >
> > Alex
> >
> >
> >
> > _______________________________________________
> > Community-sigs mailing list
> > Community-sigs at lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> >
> > http://www.clamav.net/contact.html#ml
> >
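Added example (not part of the thread, and not ClamAV's own code): a Python script that splits the submitted signature into its Name:TargetType:Offset:HexSignature fields, decodes the hex fragments to the PHP text they match, and rebuilds the signature with target type 7 and lower-cased content, as the reply describes. The function names are made up for this example; it handles only plain hex and the "*" wildcard this signature uses, and it does not add the PHP tags.

```python
"""Decode a ClamAV extended signature and derive its lower-cased form."""

# Signature as posted in the thread, with the e-mail line wrapping removed.
SIGNATURE = (
    "PHP.Trojan.Uploader:0:*:"
    "247332313d737472746f6c6f77657228"
    "2473465b345d2e2473465b355d2e2473465b395d2e2473465b31305d2e"
    "2473465b365d2e2473465b335d2e2473465b31315d2e2473465b385d2e"
    "2473465b31305d2e2473465b315d2e2473465b375d2e2473465b385d2e"
    "2473465b31305d29"
    "*"
    "247332303d737472746f757070657228"
    "2473465b31315d2e2473465b305d2e2473465b375d2e2473465b395d2e"
    "2473465b325d29"
)

TARGET_TYPES = {0: "Any file", 7: "ASCII text file"}  # the two named in the thread


def parse(sig):
    """Split Name:TargetType:Offset:HexSignature into its four fields."""
    name, target, offset, body = sig.split(":", 3)
    return {"name": name, "target": int(target), "offset": offset, "body": body}


def decode_fragments(body):
    """Decode each hex run between '*' wildcards (any number of bytes)."""
    return [bytes.fromhex(frag).decode("ascii") for frag in body.split("*")]


def retarget_lowercase(sig, new_target=7):
    """Hypothetical helper: same signature, new target type, content lower-cased.

    Lower-casing stands in for the normalization mentioned in the thread;
    it is an assumption that nothing else in these fragments would change.
    """
    f = parse(sig)
    frags = [s.lower().encode("ascii").hex() for s in decode_fragments(f["body"])]
    return ":".join([f["name"], str(new_target), f["offset"], "*".join(frags)])


if __name__ == "__main__":
    fields = parse(SIGNATURE)
    print(fields["name"], TARGET_TYPES[fields["target"]], fields["offset"])
    for text in decode_fragments(fields["body"]):
        print("  ", text)
    print(retarget_lowercase(SIGNATURE))
```

The decoded fragments show that the original matches upper-case "$sF", which normalized text would no longer contain; the rebuilt form matches "$sf" instead.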