Topic: malware message IDS alert & avast detects as PHP:Agent-LY [Trj] (Read 5754 times)
polonus
Avast Überevangelist
Probably Bot
Posts: 33891
malware fighter
malware message IDS alert & avast detects as PHP:Agent-LY [Trj]
« on: February 21, 2013, 11:17:25 PM »
Snort rule: INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious
Found here:
https://www.virustotal.com/nb/url/785e6b2dd2dcccb573c447bcb65e658ac3ad1e5fc3bab2ae15078fbd7a17e11c/analysis/
Detection:
https://www.virustotal.com/nb/file/53e480ddf921a44851bf6341b32be02cdf596e86b5095806b681a70e46a49fd5/analysis/1361215739/
File could not safely be scanned with a file viewer.
See:
http://www.urlvoid.com/scan/flickr.com.3sblog.com.ar/
and various others in search results from:
http://www.google.com/search?client=flock&channel=fds&q=INDICATOR-OBFUSCATION+GIF+header+with+PHP+tags+-+likely+malicious&ie=utf-8&oe=utf-8&aq=t
Good we have detection for this image GIF file with names like bad.php, kikok.php, antisux.php
Latter see:
http://62.249.178.200/report.php?id=779000
slightly different variant. Reported on this earlier here:
http://forum.avast.com/index.php?topic=100147.0
polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.
Use NoScript, a limited user account and a virtual machine and be safe(r)!
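An added example, not part of the original posts: a defender-side check for the condition the Snort rule name above describes, a file that starts with a GIF header but also carries PHP opening tags. The function name `inspect`, the tag patterns and both sample byte strings are constructed for illustration; this is not the Snort rule's own signature.

```python
import re

GIF_MAGICS = (b"GIF87a", b"GIF89a")

# PHP opening tags. The bare short tag "<?" is left out on purpose:
# two-byte sequences turn up by chance in compressed image data.
PHP_TAG = re.compile(rb"""<\?php|<\?=|<script\s+language\s*=\s*["']?php""",
                     re.IGNORECASE)

def inspect(name: str, data: bytes) -> dict:
    """Report whether `data` has a GIF header and where PHP tags occur in it."""
    is_gif = data.startswith(GIF_MAGICS)
    hits = []
    if is_gif:
        hits = [(m.start(), m.group().decode("ascii", "replace"))
                for m in PHP_TAG.finditer(data)]
    return {
        "name": name,
        "gif_header": is_gif,
        "php_extension": name.lower().endswith(".php"),
        "php_tags": hits,
        # The rule's condition: GIF magic bytes plus PHP tags in one file.
        "suspicious": is_gif and bool(hits),
    }

# Constructed sample: a valid 1x1 GIF with no PHP content.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01"
             b"\x00\x00\x02\x02D\x01\x00;")

# Constructed sample: GIF magic followed by an inert PHP comment.
GIF_WITH_PHP = b"GIF89a\n<?php /* constructed placeholder */ ?>"

if __name__ == "__main__":
    for fname, blob in (("pixel.gif", CLEAN_GIF), ("bad.php", GIF_WITH_PHP)):
        r = inspect(fname, blob)
        print(f"{r['name']}: gif_header={r['gif_header']} "
              f"php_tags={r['php_tags']} suspicious={r['suspicious']}")
```

Run over an upload directory or a web root, a hit on a file that also has a `.php` extension is the combination the thread describes (GIF image files with names like bad.php).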
Pondus
Probably Bot
Posts: 37505
Not a avast user
Re: malware message IDS alert & avast detects as PHP:Agent-LY [Trj]
« Reply #1 on: February 21, 2013, 11:29:36 PM »
First seen by VirusTotal
2012-11-23 22:30:15 UTC ( 2 måneder, 4 uker ago )
hmmm... and still only 20 detect
polonus
Avast Überevangelist
Probably Bot
Posts: 33891
malware fighter
Re: malware message IDS alert & avast detects as PHP:Agent-LY [Trj]
« Reply #2 on: February 21, 2013, 11:50:45 PM »
Hi Pondus,
Do not worry as avast has this detected:
https://www.virustotal.com/nb/url/ae0992439b06e6983e137891d9cc65527885bf8ad6959f69e98f6e708213366f/analysis/
Just look here:
https://www.virustotal.com/nb/file/4b395f367ff0511c5cd9520ab517789547e99a73f7c375907c4137dd67b66dac/analysis/1357870255/
re:
http://urlquery.net/report.php?id=674288
avast detects as PHP:Agent-MU [Trj]
polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.
Use NoScript, a limited user account and a virtual machine and be safe(r)!
Pondus
Probably Bot
Posts: 37505
Not a avast user
Re: malware message IDS alert & avast detects as PHP:Agent-LY [Trj]
« Reply #3 on: February 22, 2013, 12:23:02 AM »
That URL is taken down
http://www.downforeveryoneorjustme.com/http://picasa.com.corporategifts.ro/antisux.php
polonus
Avast Überevangelist
Probably Bot
Posts: 33891
malware fighter
Re: malware message IDS alert & avast detects as PHP:Agent-LY [Trj]
« Reply #4 on: February 22, 2013, 12:59:02 AM »
This one is up:
http://urlquery.net/report.php?id=1065207
with the cgi script in the top 100 - bad visitor,
and another one with pagat.php:
http://urlquery.net/report.php?id=907769
INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious
threat identified as: PHP.Hide. Sucuri blacklisted site -> site blacklisted for being used to distribute malware,
htxp://picasa.com.polonews.com.br/ not detected by avast, download of pagat.php via index of/ possible...
polonus
« Last Edit: February 22, 2013, 01:10:29 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.
Use NoScript, a limited user account and a virtual machine and be safe(r)!
Pondus
Probably Bot
Posts: 37505
Not a avast user
Re: malware message IDS alert & avast detects as PHP:Agent-LY [Trj]
« Reply #5 on: February 22, 2013, 01:17:46 AM »
VirusTotal
https://www.virustotal.com/en/file/21b2a354d1b5b377972d39c5a39f9c998092fe4469ad09c0098bc5b2e7a3bf8c/analysis/1361492233/
virustotal
https://www.virustotal.com/en/file/b54da75456601b17df484a9282459f35bd4125aa1a8d31750550414799587e5d/analysis/1361492509/
« Last Edit: February 22, 2013, 01:23:21 AM by Pondus »