On 9/18/11 6:41 PM, Michael Orlitzky wrote:
> On 09/16/11 11:53, G.W. Haywood wrote:
>
>> The string "11064393" concatenated after the string "95." is converted
>> without fuss by browsers to the IP address of the criminal server.
>>
>> I use most of the third party databases available for ClamAV.  Using
>> clamscan I scanned the text in its original form and it wasn't flagged
>> as suspect.
>>
>> Is this one for Mr. Basford, or does it have wider implications?
>> Despite an hour or so of trying I haven't thought of a legitimate
>> reason for obfuscating an IP address in this way.
>
>
> An IP address is a number between 0 and 2^32 (more or less). There are
> plenty of ways to represent them. Who's to say which ones are obfuscated?


A hostname cannot be all digits, and except when the IP is used there will be a TLD, so if you see a pattern such as

  http:// 123456789/ cgi-bin/innocent_code.pl

(Ignore the spaces; they are there to let this post slip by most antispam detection) then you can surmise it is an attempt at obfuscation.

dp
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
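
The check described in the reply above, extended to the dotted forms mentioned earlier in the thread, as an added example that is not part of the original posts: it parses a URL host the way lenient inet_aton-style parsers do and flags any numeric host that is not written as plain a.b.c.d. The function names are hypothetical, and the sample addresses in the usage (from the 192.0.2.0/24 documentation range) are constructed.

```python
import re
from urllib.parse import urlsplit

# One host component: hex (0x..), octal (leading 0) or decimal digits.
_PART = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")

def _parse_part(text):
    """Parse one component as inet_aton does; None if it is not numeric."""
    if not _PART.fullmatch(text):
        return None
    if text[:2].lower() == "0x":
        return int(text, 16)
    if len(text) > 1 and text[0] == "0":
        try:
            return int(text, 8)
        except ValueError:  # digit 8 or 9 inside an octal component
            return None
    return int(text)

def numeric_host_to_ipv4(host):
    """Return the dotted quad a lenient parser would connect to, or None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *leading, last = values
    # Leading components are one byte each; the last fills the remaining bytes.
    if any(v > 0xFF for v in leading) or last >= 1 << (8 * (4 - len(leading))):
        return None
    addr = last
    for i, v in enumerate(leading):
        addr |= v << (8 * (3 - i))
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))

def check_url(url):
    """Return (resolved_ip, suspicious) for the host part of a URL.

    suspicious is True when the host is numeric but not canonical a.b.c.d.
    """
    host = urlsplit(url).hostname or ""
    ip = numeric_host_to_ipv4(host)
    return ip, (ip is not None and ip != host)
```

A mail or proxy filter can log the resolved address next to the original host string, so that blocklist lookups are made against the canonical form.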
