> > A hostname cannot be all digits and except when the IP is used there > will be a TLD, so if you see a pattern such as > > http:// 123456789/ cgi-bin/innocent_code.pl > > (Ignore the spaces they are there to let this post slip by most antispam > detection) then you can surmise it is an attempt at obfuscation.
I don't get it, what's the pattern we're looking for? An IP address is a number. Any way you specify it is fine. 123456789 is no more obfuscated than whatever it would be if you converted it to dotted quad. They both represent the same number. If you're trying to match a text pattern against an integer, you're doing it wrong. _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml