On Mon, 30 May 2016, Reindl Harald wrote:



On 30.05.2016 at 01:20, John Hardin wrote:
 On Sun, 29 May 2016, Reindl Harald wrote:
>  On 29.05.2016 at 23:38, John Hardin wrote:
> >   On Thu, 26 May 2016, RW wrote:
> > > I noticed that Bayes is picking-up on very strong tokens from "eval" and
> > > "code" in headers like this:
> > >
> > >     X-PHP-Originating-Script: 1013:global.php(1938) : eval()'d code
> > >
> > > The "eval()'d code" part is in just over 2% of my spam, but it's
> > > never occurred in a single ham in my corpus.
> >
> > It doesn't do too well in masscheck:
> >
> > http://ruleqa.spamassassin.org/20160528-r1745852-n/__PHP_ORIG_SCRIPT_EVAL/detail
>
> where is the rule?

 
https://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

>  if masscheck pretends that this hits a relevant amount of ham

 It doesn't. 3 out of 139k.

so what did you want to say with "It doesn't do too well in masscheck"

Few hits (either spam or ham) relative to the overall corpora (less than 6/10 of a percent for either), and the S/O isn't that good (.73).

>  while we see 250 samples *at all* with a "X-PHP-Originating-Script"

 Here is the basic "header exists" rule for that same masscheck run:

 http://ruleqa.spamassassin.org/20160528-r1745852-n/__HAS_PHP_ORIG_SCRIPT/detail

i see there a lot of stuff but not the rule source itself but that is only "has that header" i guess

The rule source for both is in the SVN link posted above. The __HAS rule is a basic rule for "does the header exist?". The other rule is the latest change in the history:

https://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?r1=1741551&r2=1745822&diff_format=h

header    CUST_PHP_EVAL         X-PHP-Originating-Script =~ /eval\(\)\'d code/
score     CUST_PHP_EVAL         1.5
describe  CUST_PHP_EVAL         Looks like from exploited webserver

 It hits 1595 spam and 1972 ham. Where are you getting only 250 hits for
 that header?

in our corpus containing 90000 eml files

OK. My apologies, when you said "we see" I thought you were referring to the masscheck results, not your local results.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The ["assault weapons"] ban is the moral equivalent of banning red
  cars because they look too fast.  -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
 Today: Memorial Day - honor those who sacrificed for our liberty
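
Added example (not part of the original thread and not SpamAssassin code): a local-corpus check of the two conditions discussed above, "header exists" versus the `eval()'d code` match, with spam/ham hit counts and an S/O figure. The S/O formula (spam hit rate divided by the sum of spam and ham hit rates) is an assumption about how ruleqa computes it, and the function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

HEADER = "X-PHP-Originating-Script"
EVAL_RE = re.compile(r"eval\(\)'d code")  # same match as the CUST_PHP_EVAL rule

def classify(raw):
    """Return (header present, header contains eval()'d code) for one message."""
    values = message_from_string(raw).get_all(HEADER, [])
    return bool(values), any(EVAL_RE.search(str(v)) for v in values)

def tally(corpus):
    """corpus yields (label, raw message); returns [total, header, eval] per label."""
    counts = {"spam": [0, 0, 0], "ham": [0, 0, 0]}
    for label, raw in corpus:
        has_header, has_eval = classify(raw)
        row = counts[label]
        row[0] += 1
        row[1] += has_header
        row[2] += has_eval
    return counts

def s_o(spam_hits, spam_total, ham_hits, ham_total):
    """Assumed S/O: spam rate / (spam rate + ham rate); None when nothing hits."""
    spam_rate = spam_hits / spam_total if spam_total else 0.0
    ham_rate = ham_hits / ham_total if ham_total else 0.0
    total = spam_rate + ham_rate
    return spam_rate / total if total else None

def make(script=None):
    """Build one constructed test message, optionally carrying the PHP header."""
    extra = f"{HEADER}: {script}\n" if script else ""
    return f"From: a@example.org\nSubject: test\n{extra}\nbody\n"

# Constructed sample corpus (not real mail, not masscheck data).
SAMPLE = [
    ("spam", make("1013:global.php(1938) : eval()'d code")),
    ("spam", make("33:mailer.php")),
    ("spam", make()),
    ("spam", make()),
    ("ham", make("48:contact.php")),
    ("ham", make("48:contact.php")),
    ("ham", make()),
    ("ham", make()),
]

if __name__ == "__main__":
    c = tally(SAMPLE)
    for name, col in (("header exists", 1), ("eval()'d code", 2)):
        ratio = s_o(c["spam"][col], c["spam"][0], c["ham"][col], c["ham"][0])
        print(f"{name}: spam {c['spam'][col]}, ham {c['ham'][col]}, S/O {ratio}")
```

For a real corpus, feed `tally` the contents of the labelled .eml files in place of `SAMPLE`.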
