> -----Original Message-----
> From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of David Raynor
>
> On Mon, Aug 13, 2012 at 4:28 PM, Maarten Broekman <mbroek...@maileig.com> wrote:
>
> > All,
> >
> > I have a PHP.Remoteadmin-3 php script. I have another file with the EXACT same PHP code in it but it starts with a GIF89a; header. Running clamscan against the bare PHP.Remoteadmin-3 file yields the following debug output:
> >
> > LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
> > LibClamAV debug: cache_check: 6dc368b3d0b9f8e714dd910b7bcdb602 is negative
> > LibClamAV debug: Recognized ASCII text
> > LibClamAV debug: Matched signature for file type HTML data at 0
> > LibClamAV debug: in cli_scanhtml()
> > LibClamAV debug: cli_scanhtml: using tempdir /tmp/clamav-bf38c5b7b8bf1537a090e0e2554ff01b
> > LibClamAV debug: JS-Norm: cli_js_init() done
> > LibClamAV debug: JS-Norm: in cli_js_parse_done()
> > LibClamAV debug: JS-Norm: dumped/appended normalized script to: /tmp/clamav-bf38c5b7b8bf1537a090e0e2554ff01b/javascript
> > LibClamAV debug: JS-Norm: cli_js_destroy() done
> > LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> > LibClamAV debug: FP SIGNATURE: 6dc368b3d0b9f8e714dd910b7bcdb602:22187:PHP.Remoteadmin-3
> > LibClamAV debug: cli_magic_scandesc: returning 1 at line 2350
> > tmp.php: PHP.Remoteadmin-3 FOUND
> >
> > Running clamscan on the file with the GIF header yields the following output:
> >
> > LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
> > LibClamAV debug: cache_check: 91aea7e046e095e8f17791189436f860 is negative
> > LibClamAV debug: Recognized GIF file
> > LibClamAV debug: in cli_check_jpeg_exploit()
> > LibClamAV debug: Matched signature for file type HTML data at 9
> > LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> > LibClamAV debug: cache_add: 91aea7e046e095e8f17791189436f860 (level 0)
> > LibClamAV debug: cli_magic_scandesc: returning 0 at line 2422
> > leone.php.pjpeg-20120813131847: OK
> >
> > In the original file, after matching the signature for an HTML file, clamscan enters 'cli_scanhtml()'. In the GIF-headed file, it sees the GIF file, checks for exploits, then sees the HTML data but never enters cli_scanhtml().
> >
> > Is this fixed by the commits for BB#5409? Or should I submit a new bugzilla report?
> >
> > For now, I've added an MD5 checksum to my hdb file to catch this specific instance, but I'd really like to get this resolved so that file type transitions don't cause the scan to bail out.
> >
> > --Maarten
>
> The signature in question (PHP.Remoteadmin-3) is an older one inside main.cvd. It searches for a specific sequence anywhere in the file, but that signature is specifically marked for HTML files only. What you are seeing in the debug log is the ClamAV matcher reporting that it found the sequence within the GIF file and also reporting the signature type [in this case, HTML]. ClamAV is not treating the GIF file content after the header as HTML content. It would be normalizing it and scanning for scripts and other follow-up steps if it were. I don't think it would be efficient to treat all graphics files as archives and scan the binary content. If there is a related exploit, then a new or updated signature will need to be written.
>
> If you are seeing this file as a part of a malware attack, then please go to http://www.clamav.net/ and submit this as a malware sample. An analyst may want to contact you about more details.
>
> Dave R.
Thanks Dave. I took the normalized signature from the main.cvd and found the same content in the gif file and created a new, non-normalized signature to match it instead of using the MD5 checksum. As I found the gif file in one of the directories where a customer had WordPress installed, it does look like a malware attack. Running the gif file through the php cli yielded all the HTML code to render a remote admin interface in a browser. I'll send in the file as a malware sample.

--Maarten
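The thread turns on two points a defender can act on: a file whose first bytes say "GIF" is typed as an image, so script content after the magic is never handed to the HTML normaliser, and a signature restricted to the HTML target (the main.cvd one) therefore cannot fire on it, whereas a signature with target type 0 ("any file") can. The script below is an added example written for this page, not ClamAV's own code or Maarten's actual signature. It flags buffers that carry a GIF87a/GIF89a magic followed by a PHP open tag (the `PHP_TAGS` list and the sample bytes are constructed here), and builds a `.ndb` body-signature line in ClamAV's `Name:TargetType:Offset:HexSignature` format with target 0 so the match is not limited to normalised HTML. The signature name is a placeholder.

```python
import binascii

# Magic values defined by the GIF87a/GIF89a specifications (both are 6 bytes).
GIF_MAGICS = (b"GIF87a", b"GIF89a")

# PHP open tags to look for after the image magic (constructed list for this example).
PHP_TAGS = (b"<?php", b"<?=")


def find_php_in_gif(data: bytes) -> int:
    """Return the offset of the first PHP open tag in a GIF-headed buffer, or -1.

    This is the situation in the thread: file-type detection stops at the GIF
    magic, so anything after it is never scanned as HTML/PHP. A real GIF with
    no script tag and a bare PHP file (no GIF magic) both return -1.
    """
    if not data.startswith(GIF_MAGICS):
        return -1
    body_offset = len(GIF_MAGICS[0])
    hits = [data.find(tag, body_offset) for tag in PHP_TAGS]
    hits = [h for h in hits if h != -1]
    return min(hits) if hits else -1


def ndb_signature(name: str, pattern: bytes, target: int = 0, offset: str = "*") -> str:
    """Build a ClamAV .ndb line: Name:TargetType:Offset:HexSignature.

    Target 0 means "any file", so the pattern is matched whatever type the
    scanner assigned; target 3 restricts a signature to normalised HTML, which
    is why the main.cvd signature in the thread did not fire on the GIF-headed
    file. Offset "*" means the pattern may occur anywhere in the file.
    """
    return f"{name}:{target}:{offset}:{binascii.hexlify(pattern).decode()}"


# Constructed samples: a harmless PHP snippet, once bare and once behind a
# "GIF89a;" header (the shape described in the thread, not its real sample),
# plus the start of a genuine GIF logical screen descriptor.
BARE_PHP = b"<?php echo 'hello'; ?>\n"
POLYGLOT = b"GIF89a;" + BARE_PHP
REAL_GIF_START = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"


if __name__ == "__main__":
    for label, sample in (("bare", BARE_PHP), ("polyglot", POLYGLOT), ("gif", REAL_GIF_START)):
        print(f"{label}: php tag at offset {find_php_in_gif(sample)}")
    # Placeholder signature name; the hex body is "GIF89a;<?php".
    print(ndb_signature("Test.GifPhpPolyglot", b"GIF89a;<?php"))
```

Running it prints an offset of 7 for the polyglot sample and -1 for the other two, then the `.ndb` line; dropping that line into a local `.ndb` file loaded with `clamscan -d` would match on the raw bytes regardless of the detected file type, which is the same idea as the non-normalised signature Maarten describes writing.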