Not sure if I'm allowed to upload stuff here, but to follow up on this, I've attached a zip containing the original decoded infection PHP code, the infection in its natural state (doubly base64 encoded), definitions that match it, and other info like a simple script that can clean the infection without damaging PHP files it's been injected into (with sed + regex).

On Sat, Feb 6, 2016 at 7:19 PM, Jesse Nicholson <ascensionsyst...@gmail.com> wrote:
> @ant indeed, this is what I'm doing. Original server is gone, new server was built from the ground up but the xferred required user files (web root) is quarantined while I go through it and clean up. There's a really nasty PHP injection that appears to intercept, proxy requests to various IPs that come from control server(s), attempts to download new viruses and such to your configured temp upload directory and then inject them into responses and such. I've made a definition that works very well, and have uncovered nearly 300 infected files using that sig. Other root shells were also present, but existing definitions cleaned them up.
>
> Was curious because I'd like to submit the definition in case it helps, so far I've only submitted one sample of the infection as found in the wild and a second file (both zipped) of the decoded main function group.
>
> @Al Yep I subscribed to the db list. MD5 is 92 3b 61 7b a7 9a da 3b 04 e7 ba d7 a4 d7 04 74
>
> The infection has many things in common with the one posted here:
> http://stackoverflow.com/q/22647441
>
> On Sat, Feb 6, 2016 at 7:05 PM, Crap <c...@the-tiddler.co.uk> wrote:
>
>> > I'm cleaning a server
>> > that got badly infected,
>>
>> I know this doesn't answer the OP, but destroy the server and treat all data as compromised.
>> Rebuild for a fresh trusted base and attempt to clean the data away from the original server..
>>
>> -- ant
>>
>> > On 6 Feb 2016, at 23:41, Jesse Nicholson <ascensionsyst...@gmail.com> wrote:
>> >
>> > Where/how can I check on the status of a submission? I'm cleaning a server that got badly infected, and while doing so discovered what I believe to be a PHP exploit that maldet and clamav don't have definitions for. Virustotal also has 0 hits on it. However, I'm sure it's malicious because the main function block is double base64 encoded, everything else that interacts with it is salted and random. Decoding the main function block, there appear to be functions to compress local files and xfer them to unknown locations.
>> >
>> > Anyway I've successfully created a definition for it, have nearly 300 hits and am curious about following up after I've submitted one sample via the website. Never done anything like this before, so looking for guidance/advice.
>> >
>> > --
>> > Jesse Nicholson
>> > _______________________________________________
>> > Help us build a comprehensive ClamAV guide:
>> > https://github.com/vrtadmin/clamav-faq
>> >
>> > http://www.clamav.net/contact.html#ml
>
> --
> Jesse Nicholson

--
Jesse Nicholson
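The thread describes a PHP injection whose main block is doubly base64 encoded, and a sed + regex script that strips it without damaging the host file. The Python below is an added example written for this page, not the attached script or ClamAV code, showing the same cleanup approach in a checkable form: locate a `eval(base64_decode(base64_decode("...")))` block, confirm that both base64 layers actually decode before touching anything, remove only that block, and report an MD5 of the decoded payload so it can be compared against a known sample hash. The exact syntax of the real injection is an assumption (it is not shown in the thread); the sample file and its placeholder payload are constructed for the example.

```python
"""
Detect and strip a doubly base64-encoded eval() block from PHP source.
Added example for this thread; not the sed script attached to the mail.
"""
import base64
import binascii
import hashlib
import re
from typing import List, Optional, Tuple

# ASSUMPTION: the injected block is one eval() of base64_decode(base64_decode("...")).
# The real sample's syntax is not shown in the thread; adapt this pattern to the
# sample you actually hold before running it over a quarantined web root.
INJECTION_RE = re.compile(
    r"""
    <\?php \s* eval \s* \( \s*
        base64_decode \s* \( \s*
            base64_decode \s* \( \s*
                ['"] ([A-Za-z0-9+/=\s]+) ['"]
            \s* \)
        \s* \)
    \s* \) \s* ; \s* \?> [ \t]* \r?\n?
    """,
    re.VERBOSE,
)


def decode_twice(blob: str) -> Optional[str]:
    """Reverse the two base64 layers; None if either layer is not valid base64."""
    try:
        inner = base64.b64decode("".join(blob.split()), validate=True)
        payload = base64.b64decode(inner, validate=True)
    except (binascii.Error, ValueError):
        return None
    return payload.decode("utf-8", errors="replace")


def md5_hex(data: str) -> str:
    """MD5 of the decoded payload, for matching against a submitted sample's hash."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def find_injections(php_source: str) -> List[Tuple[int, int, str]]:
    """Return (start, end, decoded_payload) for each block whose double decode succeeds."""
    hits = []
    for m in INJECTION_RE.finditer(php_source):
        payload = decode_twice(m.group(1))
        if payload is None:
            continue  # matches the shape but is not a real double-encoded blob; leave it alone
        hits.append((m.start(), m.end(), payload))
    return hits


def clean_source(php_source: str) -> Tuple[str, int]:
    """Remove every verified injection and leave the surrounding PHP untouched."""
    hits = find_injections(php_source)
    out = php_source
    for start, end, _ in reversed(hits):  # right-to-left so earlier offsets stay valid
        out = out[:start] + out[end:]
    return out, len(hits)


def encode_twice(payload: str) -> str:
    """Build the doubly base64-encoded form; only used to construct the sample input."""
    once = base64.b64encode(payload.encode("utf-8"))
    return base64.b64encode(once).decode("ascii")


# Constructed sample: a harmless placeholder stands in for the real payload, prepended
# to an ordinary PHP file the way the thread describes the injection sitting in files.
PLACEHOLDER_PAYLOAD = 'echo "placeholder payload (constructed for this example)";'
SAMPLE_FILE = (
    '<?php eval(base64_decode(base64_decode("' + encode_twice(PLACEHOLDER_PAYLOAD) + '"))); ?>\n'
    '<?php\n'
    '// legitimate site code that must survive cleaning\n'
    'function index() { return "hello"; }\n'
)

if __name__ == "__main__":
    for start, end, payload in find_injections(SAMPLE_FILE):
        print(f"injection at {start}-{end}, decoded payload md5 {md5_hex(payload)}")
        print(payload)
    cleaned, n = clean_source(SAMPLE_FILE)
    print(f"removed {n} block(s); cleaned file:\n{cleaned}")
```

The decode check is what keeps this from being a blind regex delete: a block is only removed when both base64 layers validate, so a false positive on a file that merely resembles the pattern is reported rather than cut out. Running it over the quarantined copy of the web root and recording the payload hashes gives a simple audit trail of what was removed from which file.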