On Wed, 3 Sep 2014, David F. Skoll wrote:
On Wed, 03 Sep 2014 19:36:00 +0200
Axb <axb.li...@gmail.com> wrote:
I've seen a rather large number of legit msgs including links to
images in /wp-content/
I tested the rule. Lots of false-positives.
I think the FPs can be almost eliminated if we additionally insist the
URL contain ".php" somewhere after the /wp-*/ component. All the FPs I've
seen so far point to images. And since WordPress is written in PHP,
any malware dumped into a WP directory is likely to be in PHP also.
Right. That's what I'm adding to the versions I'm putting in my sandbox.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
All I could think about was this bear is so close to me I can
see its teeth. I could have kissed it. I wished I had a gun.
-- Alyson Jones-Robinson
-----------------------------------------------------------------------
14 days until the 227th anniversary of the signing of the U.S. Constitution
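
The refinement discussed in this thread, shown as an added example that is not part of the original messages or of the rule in anyone's sandbox. Both regular expressions are assumptions, since the thread does not show the rule text, and the sample message bodies are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed patterns: the thread does not show the actual rule text.
WP_DIR = re.compile(r"/wp-[a-z0-9_-]+/", re.I)             # broad: any /wp-*/ component
WP_DIR_PHP = re.compile(r"/wp-[a-z0-9_-]+/.*\.php", re.I)  # refined: ".php" anywhere after it
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def url_tail(url):
    """Path plus query, percent-decoded once so 'x%2Ephp' is seen as 'x.php'."""
    parts = urlsplit(url)
    tail = unquote(parts.path)
    if parts.query:
        tail += "?" + unquote(parts.query)
    return tail

def evaluate(body):
    """Return (url, broad_hit, refined_hit) for each URL found in a message body."""
    rows = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # drop sentence punctuation glued to the URL
        tail = url_tail(url)
        rows.append((url, bool(WP_DIR.search(tail)), bool(WP_DIR_PHP.search(tail))))
    return rows

# Constructed message bodies, labelled with the verdict a reviewer would give.
SAMPLES = [
    ("ham",  "Newsletter header: http://blog.example.com/wp-content/uploads/2014/09/banner.jpg"),
    ("ham",  "Our logo is at https://shop.example.org/wp-includes/images/logo.png."),
    ("ham",  "Docs: http://example.com/index.php"),
    ("spam", "Your invoice: http://site.example.net/wp-content/themes/old/inv.php?id=42"),
    ("spam", "Track parcel: http://site.example.net/wp-includes/js/x%2Ephp"),
]

def hits(label, refined):
    """Count samples with this label in which at least one URL matches the rule."""
    idx = 2 if refined else 1
    return sum(1 for lab, body in SAMPLES
               if lab == label and any(row[idx] for row in evaluate(body)))

if __name__ == "__main__":
    for name, refined in (("broad /wp-*/", False), ("/wp-*/ + .php", True)):
        print(f"{name:15} ham hit: {hits('ham', refined)}  spam hit: {hits('spam', refined)}")
```

Because the condition is ".php somewhere after", an image URL whose query string contains ".php" still matches the refined pattern.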