In all likelihood, it means that a GET or POST payload contained the
signature. Whether or not the request containing the signature was
successful in injecting it into your site is a question that only you will
be able to answer.

You can use sigtool to find the signature and again to decode the signature
to see what it's detecting to help you identify the particular request(s)
to investigate further.

$ sigtool --find-sigs Php.Trojan.MSShellcode-81 | awk '{ print $2 }' |
sigtool --decode-sigs
VIRUS NAME: Php.Trojan.MSShellcode-81
TARGET TYPE: ANY FILE
OFFSET: *
...


On Mon, Jul 12, 2021 at 10:44 AM Michael Wang <mw...@unixlabplus.com> wrote:

> Clamscan detected a virus in Microsoft Internet Information Services 8.5
> log file:
>
> *C:\inetpub\logs\LogFiles\W3SVC1\u_exNNNNNN.log: Php.Trojan.MSShellcode-81 FOUND*
>
> I looked at the file manually; it consists of comments and GET and POST
> messages. How do I determine if this is a real or false positive? The
> files are dynamic and new files will be generated; what are my options?
> Thanks.
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
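
Added example, not part of the original thread and not ClamAV code: a Python script for the triage step the reply describes, listing the IIS log entries that contain the decoded pattern together with the status code the server returned. `PLACEHOLDER_PATTERN` stands in for whatever `sigtool --decode-sigs` prints (elided in the thread), the log lines are constructed, and the function name `triage` is hypothetical.

```python
import re

# Constructed sample of an IIS W3C extended log; not taken from the thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2021-07-12 00:00:00
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-07-12 00:00:01 GET /index.html - 203.0.113.5 200
2021-07-12 00:00:02 GET /upload.php cmd=PLACEHOLDER_PATTERN 203.0.113.9 404
2021-07-12 00:00:03 POST /form.aspx data=PLACEHOLDER_PATTERN 203.0.113.9 200
"""


def triage(log_text, pattern):
    """Return one dict per log entry matching `pattern`, keyed by #Fields names.

    `pattern` is a regex the analyst derives from the decoded signature
    (assumption: the decoded content can be expressed as a regex).
    """
    rx = re.compile(pattern, re.IGNORECASE)
    fields, hits = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            # IIS repeats this header after a restart or a logging change.
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not rx.search(line):
            continue
        entry = dict(zip(fields, line.split()))
        entry["line"] = lineno
        # A 2xx/3xx status means the server accepted the request, so the
        # handler behind that URI is what needs a closer look. A 4xx/5xx
        # entry only shows that the payload was sent and logged.
        entry["review"] = entry.get("sc-status", "")[:1] in ("2", "3")
        hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, "PLACEHOLDER_PATTERN"):
        flag = "REVIEW" if hit["review"] else "logged only"
        print(hit["line"], hit["c-ip"], hit["cs-method"],
              hit["cs-uri-stem"], hit["sc-status"], flag)
```

A `review` flag does not show that anything was injected; it only narrows the log to the requests whose handling on the site has to be checked by hand.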