I'm getting the same alerts on multiple Linux servers. Mostly on tar.gz
files which have been created a long time ago and have not been changed
since (no tripwire alerts).

When I unpack the tarballs and scan the content I don't get any alert.



Al Varnell wrote:
> Daily 15462 today contained the following:
> 
> Submission-ID: 53018933
> Sender: Anonymous 
> Added: PHP.Exploit.CVE_2011_4153-2
> 
> A ClamXav user reported that a scan of his hard drive reported the following
> file to be infected:
> 
> /usr/lib/php/install-pear-nozlib.phar
> 
> This file appears to be a shell script to install the PHP Extension and
> Application Repository (PEAR) described by WikipediA @
> <http://en.wikipedia.org/wiki/PEAR> and is also available @
> <http://en.wikipedia.org/wiki/PEAR>.
> 
> I've verified with several users now that this seems to have been part of
> every OS X distribution since version 10.6.x.
> 
> I have submitted it as a False Positive earlier today and expect the
> signature team will resolve it shortly.
> 
> 
> 
> -Al-
>  

-- 
 TyrannoDouwes, Rex

 jabber: arthur.dou...@gmail.com
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
