Topic: Here Avast is one of the few to detect!

polonus
Here Avast is one of the few to detect!
« on: August 04, 2015, 05:50:20 PM »
p(nil):   PHP.Flooder.A   ARIN   US   ipabusereport2 at liquidnetlimited dot com   162.210.101.98    to 162.210.101.98   50webs dot com    htxp://belakshell.50webs.com/function.php?act=phptools
See: https://www.virustotal.com/nl/url/2ff244e5489a1e4857ef08411d961f8eb92e67cacd80cfdb5e08040c5f874cce/analysis/1438703264/
and Avast detects: https://www.virustotal.com/nl/file/2e45374a6122e9c704e8fbac128b0b3eb3c379f42dede03f302f9363c89c6439/analysis/1373880838/ as PHP:Flooder-A [Trj]  only one of four to detect  :)

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Pondus
Re: Here Avast is one of the few to detect!
« Reply #1 on: August 04, 2015, 06:09:17 PM »
That file scan is old. Analysis date: 2013-07-15 09:33:58 UTC (2 years ago)

However, a fresh scan, 2015-08-04 16:06:25 UTC (0 minutes ago):
https://www.virustotal.com/en/file/2e45374a6122e9c704e8fbac128b0b3eb3c379f42dede03f302f9363c89c6439/analysis/1438704385/

Strange that it is still there after 2 years ... and the only change is detection from two AV engines.


« Last Edit: August 04, 2015, 06:15:44 PM by Pondus »

Pondus
Re: Here Avast is one of the few to detect!
« Reply #2 on: August 05, 2015, 09:12:18 AM »
Norman/BlueCoat confirms detection and added as function.php > Flooder.FD


polonus
Re: Here Avast is one of the few to detect!
« Reply #3 on: August 05, 2015, 11:46:24 AM »
Hi Pondus,

Websites can be protected against this by using a token to validate that requests come from the legitimate origin and not from a malicious attacker. It is important to invalidate the token once it has been used; how this is done can be read here (all credits for the info go there, of course): http://stackoverflow.com/questions/3026640/quick-and-easy-flood-protection
See: http://v.virscan.org/PHP/Flooder.Agent.NAA%20virus.html
Also read what Tony Perez has to say here: https://blog.sucuri.net/2011/10/remove-unsused-testing-debug-software-from-your-site.html
Quote:
The PHP “base64_decode” function is more popular in attacks, because it allows the hacker to encrypt malicious coding statements. The “base64_decode” function decrypts the code upon execution, so it is only seen when the code is opened in a web browser. This PHP function is typically used to include hidden links to malicious websites. Usually, the hacker places the malicious code several lines below the main content, so the webmaster misses the statements. Make sure you scroll all the way to the bottom to find the malicious statements. The following code is a random example of a PHP hack you can find on hacked web pages:

eval(base64_decode($_SERVER57F))%32%5E|.+)

All of the code after the “_SERVER” statement is encrypted code. In this instance, you must delete the entire line of code to remove the hack.
Quote taken from the SiteLock WordPress blog.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
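The single-use token approach polonus describes in Reply #3, as an added example written for this page (it is not code from the forum post or from the linked Stack Overflow answer): each rendered form carries a random token that is remembered server-side, accepted exactly once, and dropped after a short TTL, so a client cannot replay one token to flood the endpoint. It assumes PHP 7 or later with sessions enabled; the constants, function names and the 300-second lifetime are choices made for this example.

```php
<?php
// Added example (not from the forum post or the Stack Overflow answer it links):
// a single-use, expiring form token. Assumes PHP >= 7.0 with sessions enabled.

const TOKEN_TTL = 300;           // seconds a token stays valid (example value)
const TOKEN_KEY = 'form_tokens'; // session key holding token => issue time

// Issue a fresh token, remember it in the session, and return it for the form.
function issue_token(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION[TOKEN_KEY][$token] = time();
    // Keep the per-session table small: drop tokens that have already expired.
    foreach ($_SESSION[TOKEN_KEY] as $t => $issued) {
        if (time() - $issued > TOKEN_TTL) {
            unset($_SESSION[TOKEN_KEY][$t]);
        }
    }
    return $token;
}

// Accept a submitted token exactly once. True only if this session issued it,
// it has not expired, and it has not been consumed before.
function consume_token(?string $submitted): bool {
    if ($submitted === null || empty($_SESSION[TOKEN_KEY])) {
        return false;
    }
    foreach ($_SESSION[TOKEN_KEY] as $token => $issued) {
        // hash_equals compares in constant time, so a match cannot be timed.
        if (hash_equals((string) $token, $submitted)) {
            unset($_SESSION[TOKEN_KEY][$token]); // invalidate: one use only
            return (time() - $issued) <= TOKEN_TTL;
        }
    }
    return false; // unknown token, or one that was already used
}

// Usage: reject a POST whose token is missing, stale or replayed, then
// hand out a new token with the next rendering of the form.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_token($_POST['token'] ?? null)) {
        http_response_code(429);
        exit('Form token missing, expired, or already used.');
    }
    // ... process the legitimate submission here ...
}
$token = issue_token();
echo '<form method="post"><input type="hidden" name="token" value="'
   . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '"><button>Send</button></form>';
```

The token forces one fresh page load per accepted submission; it does not by itself cap how often a client may load the page, so pair it with per-IP or per-session rate limiting at the web server or application layer.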