Hello,

On 02.11.2015 at 19:08, Kris Deugau wrote:
> G.W. Haywood wrote:
>> Hi there,
>> On Mon, 2 Nov 2015, Hajo Locke wrote:
>>> ... It seems to be so easy for a php-programmer to generate infinite number of malwarefiles ...
>> That's correct. Any .php file sent here goes straight to /dev/null without inspection.
very luxurious life ;)
> I can't say I've seen PHP randomly splattered around by email (unlike Javascript or Windows executables, very little will even recognize it, never mind auto-execute it); I'm guessing the OP is scanning customer webhosting content. Customers will get very unhappy if you blindly delete all PHP files from their webhosting account...
Yes, that's correct. There are a lot of insecure CMSs which are abused to upload PHP malware to send spam etc. It's difficult to find the correct ones and leave harmless files alone until the customer has updated his system.

I now have a set of signatures, but I am unhappy with them. I do some test scans on servers to check how many FPs I will get. As yet none. I tried to work without wildcards in my signature, just limited variable spaces between significant text.

Is there a possibility to create whitespace-free normalised base files? It's too easy for PHP programmers to create new files. For example, this "$aat03[11]." is not the same as "$aat03[11] ." because of the whitespace before ".". Hmm, with whitespace-free normalised files it would be easier to create signatures for these chained array elements in small spaces, or for the significant "eval{-15}(${$" instead of "(${ $", "( ${$", "( $ { $" ... etc.
> -kgd
> _______________________________________________
> Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/contact.html#ml
Thanks,
Hajo
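As an added example (not from this thread and not ClamAV's own code), the normalisation Hajo asks about in Python: whitespace is dropped outside string literals, then a signature written in the thread's plain-text form with ClamAV-style `{-n}` wildcards is applied to the normalised text. The `SAMPLES` variants and all function names are constructed for this illustration; a real ClamAV .ndb body signature would be hex-encoded rather than plain text.

```python
import re

# Constructed variants of the same obfuscated call from the thread; they differ only
# in whitespace placement, which is what defeats a literal signature.
SAMPLES = [
    'eval(${$aat03[11].$aat03[3]});',
    'eval ( ${ $aat03[11] . $aat03[3] } );',
    "eval\t(\n $ { $aat03[11] .\n$aat03[3] } ) ;",
]

def normalize_php(src: str) -> str:
    """Drop all whitespace outside single- and double-quoted string literals.
    String contents (including escaped characters) are copied verbatim, so a
    signature on literal text such as a hard-coded spam subject still matches."""
    out, quote, i = [], None, 0
    while i < len(src):
        c = src[i]
        if quote:
            out.append(c)
            if c == "\\" and i + 1 < len(src):   # escaped char: keep it, do not let it close the string
                out.append(src[i + 1])
                i += 1
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
            out.append(c)
        elif not c.isspace():
            out.append(c)
        i += 1
    return "".join(out)

def body_sig_to_regex(sig: str) -> re.Pattern:
    """Translate the subset of ClamAV body-signature wildcards used in the thread
    (written as plain text here): {n} exactly n bytes, {-n} up to n bytes,
    {n-} at least n, {n-m} between n and m. Everything else is literal."""
    parts = []
    for piece in re.split(r"(\{\d*-\d*\}|\{\d+\})", sig):
        m = re.fullmatch(r"\{(\d*)(-?)(\d*)\}", piece)
        if m:
            lo, dash, hi = m.groups()
            parts.append(".{%s}" % lo if not dash else ".{%s,%s}" % (lo or "0", hi))
        else:
            parts.append(re.escape(piece))
    return re.compile("".join(parts), re.DOTALL)

def matches(sig: str, src: str) -> bool:
    """Apply a signature to the whitespace-normalised form of a PHP source file."""
    return body_sig_to_regex(sig).search(normalize_php(src)) is not None

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(normalize_php(s)), matches("eval{-15}(${$", s))
```

Whitespace inside string literals is deliberately preserved, so the normalised file still differs from the original only where PHP itself ignores the difference.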
