[clamav-users] Hint for creating signatures

2014-09-08 Thread Hajo Locke

Hello,

from time to time I create some signatures from what I found in the
php-code of my users.
Now I found some malware that worries me. It's obfuscated php-code to
execute all which was sent by POST (mostly spam mails). If I unencrypt
the code, I always find the same malware code. But the code as it can be
found in the php-page is always variable.


samples can be found here for next 2 weeks: http://pastebin.com/9VAW8FKK

What should I do now? Is there a trick to find a signature which fits
for all samples or do I have to create a different signature for every sample?
What is your view on this subject?


Thanks,
Hajo


___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Hint for creating signatures

2014-09-08 Thread Hajo Locke

Hello,

Sorry for the links to my translator. I thought Thunderbird removes them
when choosing pure-text format.

now it is readable:

On 08.09.2014 at 16:04, Hajo Locke wrote:

Hello,

from time to time I create some signatures from what I found in the
php-code of my users.
Now I found some malware that worries me. It's obfuscated php-code to
execute all which was sent by POST (mostly spam mails). If I unencrypt
the code, I always find the same malware code. But the code as it can
be found in the php-page is always variable.


samples can be found here for next 2 weeks: http://pastebin.com/9VAW8FKK

What should I do now? Is there a trick to find a signature which fits
for all samples or do I have to create a different signature for every
sample?

What is your view on this subject?

Thanks,
Hajo







Re: [clamav-users] Hint for creating signatures

2014-09-08 Thread Alain Zidouemba
Hajo,

Would you be interested in sharing the signatures you create with the
ClamAV community? If so, please check out the process here:
http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html

As for signatures for obfuscated PHP, it really does depend on the code you
are looking at, on a case-by-case basis.

- Alain


On Mon, Sep 8, 2014 at 10:04 AM, Hajo Locke hajo.lo...@gmx.de wrote:

 Hello,

 from time to time I create some signatures
 from what I found in the php-code of my users.
 Now I found some malware that worries me. It's obfuscated php-code to
 execute all which was sent by POST (mostly spam mails). If I unencrypt the
 code, I always find the same malware code. But the code as it can be found
 in the php-page is always variable.

 samples can be found here for next 2 weeks: http://pastebin.com/9VAW8FKK

 What should I do now? Is there a trick to find a signature which fits for
 all samples or do I have to create a different signature for every sample?
 What is your view on this subject?

 Thanks,
 Hajo





[clamav-users] Fwd: Re: clamav-milter: Failed to create temporary file

2014-09-08 Thread Urban Loesch

Hi,

the patched version of clamav-milter has been running for 5 days without problems.
I can confirm that your patch solved the problem.

Thanks and regards
Urban Loesch

 Original message 
Subject: Re: [clamav-users] clamav-milter: Failed to create temporary file
Date: Thu, 04 Sep 2014 15:21:00 +0200
From: Urban Loesch b...@enas.net
To: Steven Morgan smor...@sourcefire.com, J. David Rye d@roadtech.co.uk
CC: Shawn Webb (shawebb) shaw...@cisco.com

Hi,

I installed the patch on one of my servers where it happens.
Now I have to wait some days, because for me it does not happen very frequently.

I will let you know the result.

Many thanks
Urban


On 04.09.2014 00:57, Steven Morgan wrote:
 Hi,
 
 We may have an answer. Is it possible to try the following patch and see if it 
 fixes the problem?
 
 Thanks,
 Steve
 
 --- a/clamav-milter/clamav-milter.c
 +++ b/clamav-milter/clamav-milter.c
 @@ -56,6 +56,8 @@ int main(int argc, char **argv) {
  mode_t umsk;
  int ret;
  
 +cl_initialize_crypto();
 +
  memset(descr, 0, sizeof(struct smfiDesc));
  descr.xxfi_name = ClamAV;/* filter name */
  descr.xxfi_version = SMFI_VERSION; /* milter version */
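Review bot: the inserted `cl_initialize_crypto();` at the top of main() carries no comment saying why it has to run before anything else, and whatever it returns is dropped. Suggest a one-line comment tying it to the failure it is meant to fix, for example `cl_initialize_crypto(); /* must precede any cli_gentempfd() use, see bugzilla 11089 */`, and, if the call can report failure, checking that result so a milter whose initialization failed stops at startup instead of failing later with "Failed to create temporary file".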
 
 
 On Tue, Sep 2, 2014 at 6:12 PM, Steven Morgan smor...@sourcefire.com wrote:
 
 Hi J. David,
 
 Thanks for the additional analysis and information. I've been looking at 
 this for a bit today. I have opened a ticket in the ClamAV bugzilla
 system to track the issue. The ticket number is 11089. Hope to have an 
 answer soon.
 
 Steve
 
 
 On Sun, Aug 31, 2014 at 5:52 AM, J. David Rye d@roadtech.co.uk wrote:
 
 On Thu, 2014-08-21 at 19:22 -0400, Steven Morgan wrote:
  Hi Urban,
 
  I took a look at this code. The real problem is the inability to create a
  temporary file. The second message just results from the return code of the
  function that attempts to create the temp file. We need to find out why the
  temp file creation fails. There should also be a clamav error message
  written from: cli_errmsg("cli_gentempfd: Can't create temporary file %s: %s\n", *name, strerror(errno)); Can you find this message?

  Otherwise, it is a memory allocation failure for space for the temp file
  name, which seems unlikely.
 
  Steve
 
 I am also seeing this issue. Mostly intermittent, but see further down.

 cli_errmsg won't work if clamav-milter has daemonized.
 It only writes to STDERR and the function daemonize closes standard
 error even if you recompile with CL_DEBUG set.

 The only way to get the error messages from cli_gentempfd seems
 to be to uncomment the line

 #Foreground yes

 in clamav-milter.conf, then run in the foreground from the command line.

 As an aside, I wonder why cli_gentempfd does not use the function logg()
 and output to file or syslog depending on the configuration file.

 I am running clamav-milter on a VM. OS is CentOS 6.5.
 VM has 4 vcpu and 2GB RAM.
 clamav-milter is version 0.98.4-1.el6.rf installed from the rpmforge
 repository.

 Looking at the logs, if time stamps in syslog for calls to clamav-milter
 are two seconds or more apart the problem never shows.

 However, if 4 or more messages arrive in two seconds the problem always shows
 up; the failure to create the temp file is usually time stamped 2 seconds
 after the first message in the burst that triggered it.

 On a sustained burst of traffic pretty much all the messages trip the
 issue.
 In a 1 hour period last week, when I had a lot of messages due to a
 different issue, I had 20,000 temp file failures and 23 messages
 delivered.
 
 [root@mailhost-c6 etc]# clamav-milter --config-file=/etc/clamav-milter.conf.foreground
 Local socket unix:/var/run/clamav/clamd.sock added to the pool (slot 1)
 Probe for slot 1 returned: success
 LibClamAV Error: cli_gentempfd: Can't create temporary file /tmp/clamav-626683ff3a00.tmp: File exists
 ERROR: Failed to create temporary file
 ERROR: Failed to initiate streaming/fdpassing
 LibClamAV Error: cli_gentempfd: Can't create temporary file /tmp/clamav-626683ff3a00.tmp: File exists
 ERROR: Failed to create temporary file
 ERROR: Failed to initiate streaming/fdpassing
 LibClamAV Error: cli_gentempfd: Can't create temporary file /tmp/clamav-626683ff3a00.tmp: File exists
 ERROR: Failed to create temporary file
 ERROR: Failed to initiate streaming/fdpassing
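The "File exists" lines in the log above are what an exclusive create (O_CREAT|O_EXCL) reports when the temp-file name handed to it has already been used. The block below is an added example, this editor's own Python and not ClamAV's code: it performs that exclusive create in a scratch directory, fed first by a name source that repeats one token (the token is the one in the log above; a repeating source stands in for uninitialised random state, which is this editor's reading of why the cl_initialize_crypto() patch in this thread helps, not something the thread states) and then by a freshly seeded source. The retry helper at the end is this editor's own caller-side mitigation, not part of the patch.

```python
import errno
import os
import secrets
import tempfile

EEXIST = errno.EEXIST  # exposed by name so results can be compared without importing errno


def gentempfd(directory, token):
    """Create <directory>/clamav-<token>.tmp exclusively, the way a temp-file
    helper should: O_EXCL refuses an existing path (or a pre-planted symlink)
    instead of silently reusing it. Returns (fd, 0) or (None, EEXIST)."""
    path = os.path.join(directory, "clamav-%s.tmp" % token)
    try:
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
    except FileExistsError:
        return None, EEXIST
    return fd, 0


def repeated_tokens(count):
    """Constructed name source that hands out the same token every time.
    The token is the one visible in the milter log above."""
    return ["626683ff3a00"] * count


def unique_tokens(count):
    """A seeded name source: fresh random hex for every request."""
    return [secrets.token_hex(6) for _ in range(count)]


def simulate(tokens):
    """One exclusive create per token in a scratch directory; returns the errno
    of each attempt (0 = created). Files are left in place between attempts,
    as they would be while a scanner is still using them."""
    results = []
    with tempfile.TemporaryDirectory() as scratch:
        for token in tokens:
            fd, err = gentempfd(scratch, token)
            results.append(err)
            if fd is not None:
                os.close(fd)
    return results


def simulate_with_retry(tokens, retries=3):
    """Editor's mitigation: keep O_EXCL, but treat EEXIST as 'pick a new name
    and try again' rather than as a fatal error for the message being scanned."""
    results = []
    with tempfile.TemporaryDirectory() as scratch:
        for token in tokens:
            fd, err = gentempfd(scratch, token)
            for _ in range(retries):
                if err != EEXIST:
                    break
                fd, err = gentempfd(scratch, secrets.token_hex(6))
            results.append(err)
            if fd is not None:
                os.close(fd)
    return results


if __name__ == "__main__":
    print("repeating names :", simulate(repeated_tokens(3)))
    print("seeded names    :", simulate(unique_tokens(3)))
    print("with retry      :", simulate_with_retry(repeated_tokens(3)))
```

The first run reproduces the log's shape (one success, then EEXIST for every further message that draws the same name); the second shows that a fresh name per request is all the open() call needs. Keeping O_EXCL and retrying with a new name is the safe shape: dropping O_EXCL to make the error disappear would reuse whatever already sits at that path, which is why mkstemp-style helpers never do that.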
 

Re: [clamav-users] Hint for creating signatures

2014-09-08 Thread Steve Basford

On Mon, September 8, 2014 3:04 pm, Hajo Locke wrote:


 What should I do now? Is there a trick to find a signature which fits
 for all samples or do I have to create a different signature for every
 sample?


Hi,

Tricky :(

Copy this into not_tested.ndb

test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024
test.cryptbot:7:*:3D22{12}225E22{40}3B2024

You might have to change :3: to :7: to make it work...

Disclaimer: not had enough coffee, so not fully tested etc.

Cheers,

Steve
Sanesecurity.com



Re: [clamav-users] Hint for creating signatures

2014-09-08 Thread Maarten Broekman
Because plugin developers do nutty things, I'd probably combine the two
into a single signature to reduce possible false positives, but other than
that it looks like those.  I've seen non-malicious CMS plugins that use
similar obfuscation techniques, though I'm certainly willing to use these
as is and see how many false positives I get.

--Maarten

On Mon, Sep 8, 2014 at 10:58 AM, Steve Basford 
steveb_cla...@sanesecurity.com wrote:


 On Mon, September 8, 2014 3:04 pm, Hajo Locke wrote:

 
  What should I do now? Is there a trick to find a signature which fits
  for all samples or do I have to create a different signature for every
  sample?


 Hi,

 Tricky :(

 Copy this into not_tested.ndb

 test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024
 test.cryptbot:7:*:3D22{12}225E22{40}3B2024

 You might have to change :3: to :7: to make it work...

 Disclaimer: not had enough coffee, so not fully tested etc.

 Cheers,

 Steve
 Sanesecurity.com





-- 
Maarten Broekman
Endurance International Group
vDeck Senior Linux Systems Administrator / PCI ISA
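What the two .ndb bodies in Steve's message actually match is easier to see once the hex is decoded. The block below is an added example written for this page (this editor's own Python, not ClamAV code and not from Steve or Maarten): it translates ClamAV's hex body syntax (`??`, `*`, `{n}` gaps, hex byte pairs) into a bytes regex, runs the two signatures over constructed PHP samples, and also evaluates a constructed .ldb line `test.combined` whose logical expression `0&1` needs both bodies to hit, which is one way to do the combining Maarten suggests. The two signature lines are copied from the message above; the sample PHP strings, the name `test.combined` and the function names are this editor's assumptions. It goes beyond the thread in also handling the `{-n}`, `{n-}` and `{n-m}` gap forms and absolute offsets.

```python
import re

# The two .ndb body signatures from Steve Basford's message above
# (MalwareName:TargetType:Offset:HexSignature; target 7 = ASCII text).
NDB_LINES = [
    "test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024",
    "test.cryptbot:7:*:3D22{12}225E22{40}3B2024",
]

# Constructed .ldb line (this editor's own): the same two bodies as
# sub-signatures 0 and 1, and the expression "0&1" requires both to hit.
LDB_LINE = ("test.combined;Target:7;0&1;"
            + NDB_LINES[0].split(":")[3] + ";" + NDB_LINES[1].split(":")[3])

# Tokens of the hex body syntax handled here: ?? (one wildcard byte),
# * (any run of bytes), {n} / {-n} / {n-} / {n-m} (byte gaps), hex byte pairs.
TOKEN = re.compile(r"(\?\?)|(\*)|\{(\d*)(-?)(\d*)\}|([0-9A-Fa-f]{2})")


def hex_to_regex(hexsig):
    """Translate a ClamAV hex body signature into an equivalent bytes regex."""
    parts, pos = [], 0
    for m in TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError("unsupported syntax near %r" % hexsig[pos:m.start()])
        pos = m.end()
        wild, star, lo, dash, hi, byte = m.groups()
        if wild:
            parts.append(b".")
        elif star:
            parts.append(b".*?")
        elif byte:
            parts.append(re.escape(bytes.fromhex(byte)))
        elif not dash:                      # {n}: exactly n bytes
            parts.append(b".{%d}" % int(lo))
        else:                               # {-n}, {n-}, {n-m}
            parts.append(b".{%s,%s}" % (lo.encode() or b"0", hi.encode()))
    if pos != len(hexsig):
        raise ValueError("trailing text in signature: %r" % hexsig[pos:])
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ndb(line):
    """Split an .ndb line into (name, target type, compiled body regex)."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    rx = hex_to_regex(hexsig)
    if offset != "*":
        # Absolute offset: the body must start that many bytes into the file.
        # (EOF-n / EP+n style offsets are not handled in this example.)
        rx = re.compile(b"\\A.{%d}" % int(offset) + rx.pattern, re.DOTALL)
    return name, int(target), rx


def scan_ndb(data, lines=NDB_LINES):
    """Names of .ndb signatures whose body occurs in data."""
    return [name for name, _target, rx in map(parse_ndb, lines) if rx.search(data)]


def scan_ldb(data, lines=(LDB_LINE,)):
    """Names of .ldb signatures whose '&'-only logical expression is satisfied."""
    hits = []
    for line in lines:
        name, _tdb, logic, *subsigs = line.strip().split(";")
        wanted = [int(i) for i in logic.split("&")]   # only "a&b&..." supported
        if all(hex_to_regex(subsigs[i]).search(data) for i in wanted):
            hits.append(name)
    return hits


# Constructed samples (this editor's, not the pastebin ones).
# str_rot13('cert_ercynpr') yields 'preg_replace'; the ?? bytes are the quotes.
SAMPLE_ROT13 = b"<?php $f=str_rot13('cert_ercynpr'); $f('/a/', 'b', 'c'); ?>"
# ="<12 bytes>"^"<40 bytes>; $ : the 40 wildcard bytes cover a 39-byte literal
# plus its closing quote, so the second string here is 39 characters long.
SAMPLE_XOR = b'<?php $k="ABCDEFGHIJKL"^"' + b"Z" * 39 + b'"; $k(); ?>'
# A benign use of str_rot13 with no assignment in front of it: nothing matches.
SAMPLE_BENIGN = b"<?php echo str_rot13('hello'); $x = 1; ?>"

if __name__ == "__main__":
    for label, data in (("rot13", SAMPLE_ROT13), ("xor", SAMPLE_XOR),
                        ("benign", SAMPLE_BENIGN), ("both", SAMPLE_ROT13 + SAMPLE_XOR)):
        print("%-6s ndb=%s ldb=%s" % (label, scan_ndb(data), scan_ldb(data)))
```

With the real engine the matching check is `clamscan -d not_tested.ndb sample.php`, and running the same file over a corpus of known-clean plugin code is the false-positive check Maarten describes; `sigtool --decode-sigs < not_tested.ndb` prints the decoded bodies so you can read what each one requires.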