I'm having some issues creating a hex signature to match some PHP code
I've run across. I've pulled the snippet of the PHP code that I want to
match on and created the signature using sigtool --hex-dump, but when I
try testing against it, there are no matches. However, if I convert the
entire PHP file to hex using sigtool, I do find the snippet signature in
there.
grep "`awk -F: '{ print $4 }' new1.ndb`" footer.ndb
Similarly, I can take the signature, convert it back to ASCII and match
successfully against the original file:
grep "`awk -F: '{ print $4 }' new1.ndb | xxd -r -p`" footer.php
The hex signature is only 64 characters long so I know that I'm not
blowing through any buffers internally (which I've done before by
accident).
The signature I've generated is:
6966202821697373657428246576613166596c62616b4263565369722929207b
From the text:
if (!isset($eva1fYlbakBcVSir)) {
$ clamscan -d ./new1.ndb footer.php
footer.php: OK
----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.97.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.01 MB (ratio 1.00:1)
Time: 0.010 sec (0 m 0 s)
Anyone have any ideas about this?
Thanks in advance
--Maarten
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
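An offline sanity check for a `.ndb` line like the one quoted in this post, added here as an example and not part of the original message. The signature name, the target type `0` (any file), the `*` offset and the sample file content are constructed assumptions; the hex body is the 64-character signature from the post. Besides confirming the raw bytes are present (the `grep ... | xxd -r -p` check above), it also tests a roughly HTML-normalised copy of the file (lowercased, whitespace collapsed, an approximation of what `sigtool --html-normalise` prints), because for files the engine classifies as HTML ClamAV matches against the normalised text rather than the raw source.

```python
"""Offline sanity check of a ClamAV .ndb signature against a sample file."""
import re

# Constructed .ndb line (assumption): name "Php.Test.Footer", target type 0
# (any file), offset "*" (anywhere). The hex body is the 64-character
# signature from the post; it is field 4, as in the awk command above.
NDB_LINE = ("Php.Test.Footer:0:*:"
            "6966202821697373657428246576613166596c62616b4263565369722929207b")

# Constructed stand-in for footer.php that contains the quoted snippet.
SAMPLE_PHP = (b"<?php\nif (!isset($eva1fYlbakBcVSir)) {\n"
              b"    include 'footer.inc';\n}\n?>")


def parse_ndb(line):
    """Split Name:TargetType:Offset:HexSig and decode the hex body.
    Only plain hex is handled here; ClamAV wildcards such as ?? or *
    inside the body would need the real engine to evaluate."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("expected at least 4 colon-separated fields")
    name, target, offset, hexsig = fields[:4]
    if len(hexsig) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", hexsig):
        raise ValueError("hex body must be an even-length string of hex digits")
    return {"name": name, "target": int(target), "offset": offset,
            "bytes": bytes.fromhex(hexsig)}


def html_normalise_approx(data):
    """Rough approximation of ClamAV's HTML normalisation: lowercase and
    collapse runs of whitespace. Run `sigtool --html-normalise` on the
    real file to see the exact form the engine matches against."""
    return re.sub(rb"\s+", b" ", data.lower())


def check_signature(line, data):
    """Report where the decoded signature occurs in the raw file and in the
    normalised copy; -1 means not found."""
    sig = parse_ndb(line)
    normalised = html_normalise_approx(data)
    return {
        "name": sig["name"],
        "target_any_file": sig["target"] == 0,
        "decoded": sig["bytes"].decode("latin-1"),
        "raw_offset": data.find(sig["bytes"]),
        "normalised_offset": normalised.find(sig["bytes"]),
        # the same lookup with the signature itself written against the
        # normalised (lowercased) text
        "normalised_offset_if_lowercased":
            normalised.find(html_normalise_approx(sig["bytes"])),
    }


if __name__ == "__main__":
    for key, value in check_signature(NDB_LINE, SAMPLE_PHP).items():
        print(f"{key}: {value}")
```

A raw hit together with a miss on the normalised copy means the bytes are in the file but not in the form the engine scans when it treats the file as HTML.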