Hello list,

currently I sometimes find hexed PHP code like this in hacked CMSes.

https://www.unphp.net/decode/9343fc7753f51080ad5d7817720956f0/
http://ddecode.com/hexdecoder/?results=9c4971e2e8f3cc6e00865e3a1dfd20bc
https://www.unphp.net/decode/18679f0e27962531abffc36b8c869ce0/

Not my domains, just samples.

The pattern is always the same, including the 5-char comments. In my case the include string decodes to a path and includes an .ico file. I don't understand this code used to obfuscate the path. I saw some samples, and all of the lines look different in their encoded form. When decoded, the strings show some similarities. But unfortunately I can only create a signature on the raw text, not on the decoded, human-readable text. What would be the best way to create a signature this way? Currently this is a puzzler for me and I can't find a way to create a clever signature that fits most cases.
Maybe this would be a case for the pros?

Thanks,
Hajo
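One way to match on the decoded text instead of the raw bytes, as an added example that is not part of the original post: decode the PHP escape sequences inside the include argument first, then test the resulting path. The sample line, the function names and the extension list are constructed assumptions, not taken from the linked samples.

```python
import re

# include/require followed by a double-quoted argument (PHP expands \x.. and
# octal escapes only inside double quotes).
INCLUDE_RE = re.compile(
    r'\b(?:include|require)(?:_once)?\s*\(?\s*"((?:[^"\\]|\\.)*)"', re.I)
# Any backslash sequence: \xH / \xHH, octal \N..\NNN, or some other escape.
ESCAPE_RE = re.compile(r'\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3})|(.))', re.S)
COMMENT_RE = re.compile(r'/\*.*?\*/', re.S)     # e.g. the 5-char comments
SUSPICIOUS_EXT = ('.ico', '.png', '.jpg', '.gif')  # assumed list, tune locally

# Constructed sample in the shape the post describes, not a real IoC.
SAMPLE = r'''<?php
/*a1b2c*/

@include "\x2fvar/\167ww/h\x74ml/i\155g/.f\x61v.i\143o";

/*a1b2c*/
'''


def decode_php_escapes(s):
    """Expand hex and octal escapes; leave every other escape untouched."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:
            return chr(int(m.group(2), 8) & 0xFF)  # PHP wraps octal > 0377
        return m.group(0)
    return ESCAPE_RE.sub(repl, s)


def find_obfuscated_includes(source):
    """Return (decoded_path, escape_count) for each escaped include whose
    decoded path ends in a non-PHP extension."""
    hits = []
    for m in INCLUDE_RE.finditer(COMMENT_RE.sub('', source)):
        raw = m.group(1)
        escapes = sum(1 for e in ESCAPE_RE.finditer(raw) if e.group(3) is None)
        path = decode_php_escapes(raw)
        if escapes and path.lower().endswith(SUSPICIOUS_EXT):
            hits.append((path, escapes))
    return hits


if __name__ == "__main__":
    for path, n in find_obfuscated_includes(SAMPLE):
        print(f"include of non-PHP file via {n} escapes: {path}")
```

Because the check runs on the decoded path, it does not depend on which characters a given sample happens to encode.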
