@ant indeed, this is what I'm doing. Original server is gone, new server
was built from the ground up but the xferred required user files (web root)
is quarantined while I go through it and clean up. There's a really nasty
php injection that appears to intercept, proxy requests to various IPs that
come from control server(s), attempts to download new viruses and such to
your configured temp upload directory and then inject them into responses
and such. I've made a definition that works very well, and have uncovered
nearly 300 infected files using that sig. Other root shells were also
present, but existing definitions cleaned them up.
Was curious because I'd like to submit the definition in case it helps, so
far I've only submitted one sample of the infection as found in the wild
and a second file (both zipped) of the decoded main function group.

@Al Yep I subscribed to the db list. MD5 is 92 3b 61 7b a7 9a da 3b 04 e7 ba d7 a4 d7 04 74

The infection has many things in common with the one posted here:
http://stackoverflow.com/q/22647441

On Sat, Feb 6, 2016 at 7:05 PM, Crap <c...@the-tiddler.co.uk> wrote:

> > I'm cleaning a server
> > that got badly infected,
>
> I know this doesn't answer the OP, but destroy the server and treat all
> data as compromised.
> Rebuild for a fresh trusted base and attempt to clean the data away from
> the original server..
>
> -- ant
>
> > On 6 Feb 2016, at 23:41, Jesse Nicholson <ascensionsyst...@gmail.com>
> wrote:
> >
> > Where/how can I check on the status of a submission? I'm cleaning a
> server
> > that got badly infected, and while doing so discovered what I believe to
> be
> > a PHP exploit that maldet and clamav don't have definitions for.
> Virustotal
> > also has 0 hits on it. However, I'm sure it's malicious because the main
> > function block is double base 64 encoded, everything else that interacts
> > with it is salted and random. Decoding the main function block, there
> > appear to be functions to compress local files and xfer them to unknown
> > locations.
> >
> > Anyway I've successfully created a definition for it, have nearly 300
> hits
> > and am curious about following up after I've submitted one sample via the
> > website. Never done anything like this before, so looking for
> > guidance/advice.
> >
> > --
> > Jesse Nicholson
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
>



-- 
Jesse Nicholson
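The infection described in this thread hides its main function block behind two layers of base64. A quick way to triage a quarantined web root for that pattern, before a proper ClamAV signature exists, is to pull every long base64-looking run out of each PHP file, peel the encoding layer by layer, and flag the file if what falls out looks like PHP. The script below is an added example written for this thread, not code from the list or from the ClamAV project: the sample infected and clean files are constructed here, the marker list and the 40-character threshold are heuristics chosen for the example, and the `.hdb` line it emits for a flagged file uses ClamAV's documented `MD5:FileSize:MalwareName` hash-signature format.

```python
import base64
import binascii
import hashlib
import os
import re
import tempfile

# Constructed sample: a PHP dropper whose real logic is base64-encoded twice.
INNER_PHP = b'<?php $f = $_POST["f"]; eval(base64_decode($f)); ?>'
DOUBLE_ENCODED = base64.b64encode(base64.b64encode(INNER_PHP))
SAMPLE_INFECTED = (b'<?php $a = "' + DOUBLE_ENCODED
                   + b'"; eval(base64_decode(base64_decode($a))); ?>')
SAMPLE_CLEAN = b'<?php echo "Hello, world"; ?>'

# A run of base64 alphabet characters long enough to be worth decoding (heuristic).
B64_RUN = re.compile(rb'[A-Za-z0-9+/]{40,}={0,2}')
# Tokens that, appearing in a decoded blob, indicate it is PHP code (heuristic list).
PHP_MARKERS = (b'eval(', b'base64_decode', b'gzinflate', b'str_rot13',
               b'$_POST', b'$_GET', b'$_REQUEST', b'preg_replace', b'create_function')


def peel_base64(blob, max_depth=4):
    """Decode a blob repeatedly. Returns (final bytes, number of layers removed).

    Stops as soon as the decoded output no longer looks like base64 itself,
    so a double-encoded block comes back with depth 2."""
    current, depth = blob, 0
    while depth < max_depth:
        try:
            decoded = base64.b64decode(current, validate=True)
        except (ValueError, binascii.Error):
            break
        if not decoded:
            break
        depth += 1
        current = decoded
        if not B64_RUN.fullmatch(current.strip()):
            break
    return current, depth


def scan_bytes(data):
    """Return a list of findings for one file's contents."""
    findings = []
    for match in B64_RUN.finditer(data):
        decoded, depth = peel_base64(match.group(0))
        if depth == 0:
            continue
        hits = [m for m in PHP_MARKERS if m in decoded]
        if hits:
            findings.append({"offset": match.start(), "depth": depth, "markers": hits})
    return findings


def hdb_signature(data, name):
    """Build a ClamAV .hdb hash-signature line (MD5:FileSize:MalwareName)."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk a quarantined web root; map each suspicious file path to its findings."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            found = scan_bytes(data)
            if found:
                results[path] = found
    return results


def demo_scan():
    """Write the constructed samples to a temp dir and scan it; keyed by basename."""
    root = tempfile.mkdtemp(prefix="webroot-")
    with open(os.path.join(root, "infected.php"), "wb") as fh:
        fh.write(SAMPLE_INFECTED)
    with open(os.path.join(root, "clean.php"), "wb") as fh:
        fh.write(SAMPLE_CLEAN)
    return {os.path.basename(p): f for p, f in scan_tree(root).items()}


if __name__ == "__main__":
    for name, findings in demo_scan().items():
        print(name, findings)
        print("hdb line:", hdb_signature(SAMPLE_INFECTED, "Php.Dropper.DoubleB64.Example"))
```

A hash signature like the `.hdb` line only catches byte-identical copies; since the thread notes that everything around the main block is salted and randomised, the peel-and-inspect step is what finds the other copies, and the hash lines are just a convenient record of each one once it has been confirmed by hand.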
