This is the clamav-users list. We're all a bunch of nobodies here. There are
other lists that may be more appropriate for you and your problem. The
recommendation to not send samples to this list is a general case and a good
one. If people come to believe it will get faster results then the likelihood of
this list being shut down moves closer to reality. It makes everyone's day go
better and all the nobodies here are more likely to help if you are not
contentious. Al has been a valuable member of this list for years and he's given
you a truthful picture of this list and the signature process.
dp - another nobody
On 2/20/16 4:00 AM, Jesse Nicholson wrote:
Hi Al,
It's a php script. Do you have automatic php script evaluation and
execution built into your current shell? If so, you shouldn't be involved
in anything to do with security and or computers in general. "Not sure who
the intended audience is" well, neither was I because the website provides
simple links for very broad groups regarding a/v and such. I came in to
check on a submission I had made, because I found a pretty serious web
based exploit that ClamAV was failing to detect. However, over the past few
days I've been decoding other exploits that ClamAV fails to detect.
Apparently I just need to base64 encode anything and ClamAV just has no
clue what it is. AAA awesome.
Lastly: "but perhaps the team can fill us in on that." - Oh, so you're not
part of the team. So, you're nobody, and you're jumping into this
conversation asserting that receiving PHP code over a plain TCP connection
and (optionally opening it in notepad) is sufficient enough to cause a full
blown PHP interpreter with elevated permissions to magically manifest in
your PC and execute some malware, and tell me that it's up to me to clean
up an infection after the entire point of my email that you're responding
to is my declaration of having successfully cleaned up the infection, and
my desire to share the definitions that worked. You failed entirely at
life, I'll forget you in 5 minutes, and will recover just fine from the barrage
of stupidity that you've brought to my inbox this morning.
Regards,
Somebody who didn't hear "Computer Viruses" on CSI Miami and join a virus
mailing list to appear cool.
On Sat, Feb 20, 2016 at 4:15 AM, Al Varnell <[email protected]> wrote:
On Sun, Feb 07, 2016 at 01:59 PM, Jesse Nicholson wrote:
Not sure if I'm allowed to upload stuff here
I’m certainly glad that it is not allowed as I’m sure nobody here would
appreciate receiving a malware sample. Hopefully anybody that would find
your information useful in their situation will contact you for the details
where you can send it to them off-list.
, but to follow up on this,
I've attached a zip containing the original decoded infection php code, the
infection in its natural state (doubly base64 encoded), definitions that
match it, and other nfo like a simple script that can clean the infection
without damaging php files it's been injected into (with sed + regex).
Not sure who your intended audience for this information is. Cleaning
infected files is way beyond any capabilities that ClamAV currently possesses,
so that's going to be up to you to accomplish once an infected file has
been identified. I've not heard of any plans to implement such a
capability, but perhaps the team can fill us in on that.
-Al-
On Sat, Feb 6, 2016 at 7:19 PM, Jesse Nicholson wrote:
@ant indeed, this is what I'm doing. Original server is gone, new server
was built from the ground up but the xferred required user files (web root)
is quarantined while I go through it and clean up. There's a really nasty
php injection that appears to intercept, proxy requests to various IPs that
come from control server(s), attempts to download new viruses and such to
your configured temp upload directory and then inject them into responses
and such. I've made a definition that works very well, and have uncovered
nearly 300 infected files using that sig. Other root shells were also
present, but existing definitions cleaned them up.
Was curious because I'd like to submit the definition in case it helps, so
far I've only submitted one sample of the infection as found in the wild
and a second file (both zipped) of the decoded main function group.
@Al Yep I subscribed to the db list. MD5 is 92 3b 61 7b a7 9a da 3b 04 e7 ba d7 a4 d7 04 74
The infection has many things in common with the one posted here:
http://stackoverflow.com/q/22647441
On Sat, Feb 6, 2016 at 7:05 PM, Crap wrote:
I'm cleaning a server that got badly infected,
I know this doesn't answer the OP, but destroy the server and treat all
data as compromised.
Rebuild for a fresh trusted base and attempt to clean the data away from
the original server..
-- ant
On 6 Feb 2016, at 23:41, Jesse Nicholson wrote:
Where/how can I check on the status of a submission? I'm cleaning a server
that got badly infected, and while doing so discovered what I believe to be
a PHP exploit that maldet and clamav don't have definitions for. VirusTotal
also has 0 hits on it. However, I'm sure it's malicious because the main
function block is double base64 encoded, everything else that interacts
with it is salted and random. Decoding the main function block, there
appear to be functions to compress local files and xfer them to unknown
locations.
Anyway I've successfully created a definition for it, have nearly 300 hits
and am curious about following up after I've submitted one sample via the
website. Never done anything like this before, so looking for
guidance/advice.
--
Jesse Nicholson
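The recurring technical point in this thread is that the injected PHP keeps its main function block base64 encoded twice, so a signature written against the plaintext never sees it. The following is an added illustration of the defender-side check that closes that gap; it is not code from the thread, not a ClamAV signature, and not the poster's sed cleanup script. It finds long base64-looking runs in a PHP source, peels each one layer at a time while it still decodes cleanly, and reports the first layer where a suspicious PHP function call appears. The PHP sample it scans is constructed here for the demonstration.

```python
import base64
import binascii
import re

# Constructed sample: a harmless function next to an injected block whose payload
# has been base64 encoded twice, the layering described in the thread.
INNER_PAYLOAD = b"<?php /* constructed sample */ $d = base64_decode($_POST['x']); eval($d); ?>"
DOUBLE_ENCODED = base64.b64encode(base64.b64encode(INNER_PAYLOAD)).decode()
SAMPLE_PHP = (
    "<?php\n"
    "function greet($n) { return 'hi ' . $n; }\n"
    f"$z = '{DOUBLE_ENCODED}';\n"
    "eval(base64_decode(base64_decode($z)));\n"
    "?>\n"
)

# A run of 40 or more base64 alphabet characters is long enough to be worth decoding;
# shorter runs are mostly ordinary identifiers and hex strings.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

# PHP calls that legitimately appear in code but are the usual sign of an injected
# dropper when they show up only after decoding (assumed list, extend as needed).
SUSPICIOUS = re.compile(
    rb"\b(eval|base64_decode|gzinflate|system|passthru|shell_exec|assert)\s*\("
)


def peel_base64(blob, max_depth=5):
    """Decode blob repeatedly while each result is itself valid base64.

    Returns the list of decoded layers, outermost first. Stops at max_depth so a
    crafted input cannot make the scanner loop indefinitely.
    """
    layers = []
    current = blob
    for _ in range(max_depth):
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break  # no longer base64: the previous layer was the payload
        if not decoded:
            break
        layers.append(decoded)
        current = decoded.strip()
    return layers


def scan_php(source, max_depth=5):
    """Report suspicious calls found in the source itself (depth 0) and inside
    each decoded base64 layer (depth 1..n). Each finding records where the
    encoded run started, how many layers were peeled, and which call matched."""
    findings = []
    hit = SUSPICIOUS.search(source)
    if hit:
        findings.append({"offset": hit.start(), "depth": 0, "func": hit.group(1).decode()})
    for match in B64_RUN.finditer(source):
        for depth, layer in enumerate(peel_base64(match.group(0), max_depth), start=1):
            hit = SUSPICIOUS.search(layer)
            if hit:
                findings.append(
                    {"offset": match.start(), "depth": depth, "func": hit.group(1).decode()}
                )
                break  # report the first layer that matches, then move on
    return findings


if __name__ == "__main__":
    for finding in scan_php(SAMPLE_PHP.encode()):
        print(finding)
```

Run it on a web root with `scan_php(open(path, "rb").read())` per file; a finding at depth 2 or deeper is the case the thread describes, where a plaintext signature on the outer file would have matched nothing. Surface-level hits at depth 0 are noisy on their own (plenty of legitimate code calls `base64_decode`), so the useful triage signal is the combination: an encoded run that decodes through several layers to something containing `eval` or `system`.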
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml