On 09/16/11 11:53, G.W. Haywood wrote:
> 
> The string "11064393" concatenated after the string "95." is converted
> without fuss by browsers to the IP address of the criminal server.
> 
> I use most of the third party databases available for ClamAV.  Using
> clamscan I scanned the text in its original form and it wasn't flagged
> as suspect.
> 
> Is this one for Mr. Basford, or does it have wider implications?
> Despite an hour or so of trying I haven't thought of a legitimate
> reason for obfuscating an IP address in this way.
> 

An IP address is a number between 0 and 2^32 (more or less). There are
plenty of ways to represent them. Who's to say which ones are obfuscated?

The decimal form is more efficient than the typical dotted-quad, which
is easier to remember. You have to convert either to binary to figure
out what a bitmask is going to do to it.
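Added example, not part of either message: a scanner-side sketch that parses URL hosts the way inet_aton-style resolvers do and reports any numeric host that is not already a plain dotted quad, so that "95." followed by "11064393" and an ordinary dotted quad compare equal. The function names are hypothetical and the sample text is constructed; its first URL uses the host string quoted in the thread, the others use the 192.0.2.0/24 documentation range.

```python
import re

def parse_ipv4_host(host):
    """Return the canonical dotted quad for a numeric IPv4 host, else None.

    Accepts 1 to 4 dot-separated parts, each decimal, octal (leading 0)
    or hex (0x prefix); the last part fills all remaining low-order bytes.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
            values.append(int(part, 16))
        elif re.fullmatch(r"0[0-7]*", part):
            values.append(int(part, 8))
        elif re.fullmatch(r"[1-9][0-9]*", part):
            values.append(int(part, 10))
        else:
            return None  # a hostname, or a malformed number
    *leading, last = values
    if any(v > 0xFF for v in leading):
        return None
    if last >= 256 ** (4 - len(leading)):
        return None  # last part does not fit in the remaining bytes
    addr = last
    for i, v in enumerate(leading):
        addr |= v << (8 * (3 - i))
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))

URL_HOST = re.compile(r"https?://([^/\s:?#]+)", re.I)

def find_disguised_ips(text):
    """List (host as written, canonical form) for non-dotted-quad IP hosts."""
    hits = []
    for host in URL_HOST.findall(text):
        canon = parse_ipv4_host(host)
        if canon is not None and canon != host:
            hits.append((host, canon))
    return hits

# Constructed sample body for the scan.
SAMPLE = ("see http://95.11064393/x and http://3221225985/ or "
          "http://0xC0.0x00.0x02.0x01/a plus http://192.0.2.1/ok "
          "and http://example.com/")

if __name__ == "__main__":
    for written, canon in find_disguised_ips(SAMPLE):
        print(f"{written} -> {canon}")
```

A mail filter could feed the canonical form to its existing URL or IP blocklist lookup, and treat the mere presence of a non-canonical host as a separate, weaker signal.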