Hello,
sorry for links to my translator. I thought thunderbird is removing this
when choosing pure-text-format.
now it is readable:
Am 08.09.2014 um 16:04 schrieb Hajo Locke:
Hello,
from time to time i create some signatures from what i found in
php-code of my users.
Now i found some malware that worries me. Its obfuscated php-code to
execute all which was sent by POST (mostly spammails). If i unencrypt
the code, so i always find the same malwarecode. But code how it can
be found in php-page is always variable.
samples can be found here for next 2 weeks: http://pastebin.com/9VAW8FKK
What should i do now? Is there a trick to find a signature which fits
for all samples or i have to create a different signature for every
sample?
What is your view on this subject?
Thanks,
Hajo
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
