Mailing List Archive: ClamAV: users

PUA.HTML.Infected.WebPage-1


jiri.reischig at ecn

Jun 3, 2010, 4:05 AM

Post #1 of 12 (7584 views)
PUA.HTML.Infected.WebPage-1

Hi all,

Is it possible to find anywhere information on what "PUA.HTML.Infected.WebPage"
exactly means if it's detected in a file?

It looks like it detects files with an iframe HTML tag.
If so, it can detect a lot of files which are OK and do not include any "bad"
application or malware.

--
Jiri Reischig

Econnect
Internet provider for NGO
Puskinovo nam. 5,160 00 Praha 6, Czech Republic
Tel: +420 224 311 780
Fax: +420 224 317 892
Web: http://www.ecn.cz
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


steveb_clamav at sanesecurity

Jun 3, 2010, 5:39 AM

Post #2 of 12 (7498 views)
Re: PUA.HTML.Infected.WebPage-1

> Hi all,
>
> Is it possible to find anywhere information on what "PUA.HTML.Infected.WebPage"
> exactly means if it's detected in a file?
>
> It looks like it detects files with an iframe HTML tag.
> If so, it can detect a lot of files which are OK and do not include any
> "bad"
> application or malware.

Hopefully this will work for you...

grep "PUA.HTML.Infected.WebPage" daily.* -h > sig.tmp
sigtool --decode-sigs < sig.tmp > decodedsig.tmp
cat decodedsig.tmp

Cheers,

Steve
Sanesecurity



steveb_clamav at sanesecurity

Jun 3, 2010, 5:42 AM

Post #3 of 12 (7542 views)
Re: PUA.HTML.Infected.WebPage-1

Ooops... forgot the sigtool un-pack bit (note: daily file only)

sigtool --unpack-current=daily
grep "PUA.HTML.Infected.WebPage" daily.* -h > sig.tmp
sigtool --decode-sigs < sig.tmp > decodedsig.tmp
cat decodedsig.tmp

Cheers,

Steve
Sanesecurity




edwintorok at gmail

Jun 3, 2010, 5:44 AM

Post #4 of 12 (7517 views)
Re: PUA.HTML.Infected.WebPage-1

On 06/03/2010 03:42 PM, Steve Basford wrote:
> Ooops... forgot the sigtool un-pack bit (note: daily file only)
>
> sigtool --unpack-current=daily
> grep "PUA.HTML.Infected.WebPage" daily.* -h > sig.tmp
> sigtool --decode-sigs < sig.tmp > decodedsig.tmp
> cat decodedsig.tmp

You can use 'sigtool -fPUA.HTML.Infected.WebPage' to find and print the
sigs, no need to unpack.

--Edwin


steveb_clamav at sanesecurity

Jun 3, 2010, 5:46 AM

Post #5 of 12 (7493 views)
Re: PUA.HTML.Infected.WebPage-1

> You can use 'sigtool -fPUA.HTML.Infected.WebPage' to find and print the
> sigs, no need to unpack.

Nice... thanks Edwin:

sigtool -fPUA.HTML.Infected.WebPage | sigtool --decode-sigs

:)

Cheers,

Steve
Sanesecurity



steveb_clamav at sanesecurity

Jun 3, 2010, 5:57 AM

Post #6 of 12 (7489 views)
Re: PUA.HTML.Infected.WebPage-1

>
> You can use 'sigtool -fPUA.HTML.Infected.WebPage' to find and print the
> sigs, no need to unpack.

Also works for:

sigtool -fSanesecurity.Phishing.Fake.13780 | sigtool --decode-sigs

Could a --database type option be added to sigtool, for loading databases
outside the normal DatabaseDirectory area from the clamd.conf file?

Cheers,

Steve
Sanesecurity



dennispe at inetnw

Jun 3, 2010, 6:24 AM

Post #7 of 12 (7504 views)
Re: PUA.HTML.Infected.WebPage-1

On 6/3/10 5:57 AM, Steve Basford wrote:
>>
>> You can use 'sigtool -fPUA.HTML.Infected.WebPage' to find and print the
>> sigs, no need to unpack.
>
> Also works for:
>
> sigtool -fSanesecurity.Phishing.Fake.13780 | sigtool --decode-sigs
>
> Could a --database type option be added to sigtool, for loading databases
> outside the normal DatabaseDirectory area from the clamd.conf file?
>
> Cheers,
>
> Steve
> Sanesecurity

This is brute force but works:

grep -h Sanesecurity.Phishing.Fake.13780 * 2>/dev/null |sigtool --decode-sigs

dp


dennispe at inetnw

Jun 3, 2010, 6:34 AM

Post #8 of 12 (7483 views)
Re: PUA.HTML.Infected.WebPage-1

On 6/3/10 6:24 AM, Dennis Peterson wrote:

>
> This is brute force but works:
>
> grep -h Sanesecurity.Phishing.Fake.13780 * 2>/dev/null |sigtool
> --decode-sigs
>
> dp

It's brute force but apparently so too is the sigtool method. Grep is faster.

dp


jiri.reischig at ecn

Jun 3, 2010, 7:39 AM

Post #9 of 12 (7487 views)
Re: PUA.HTML.Infected.WebPage-1

Thank you all.

The command sigtool is very useful for me.

--
Jiri Reischig

Econnect
Internet provider for NGO
Puskinovo nam. 5,160 00 Praha 6, Czech Republic
Tel: +420 224 311 780
Fax: +420 224 317 892
Web: http://www.ecn.cz

On Thu 3 June 2010, Steve Basford wrote:
> > You can use 'sigtool -fPUA.HTML.Infected.WebPage' to find and print the
> > sigs, no need to unpack.
>
> Nice... thanks Edwin:
>
> sigtool -fPUA.HTML.Infected.WebPage | sigtool --decode-sigs
>
> :)
>
> Cheers,
>
> Steve
> Sanesecurity


tkojm at clamav

Jun 4, 2010, 1:19 AM

Post #10 of 12 (7457 views)
Re: PUA.HTML.Infected.WebPage-1

On Thu, 3 Jun 2010 13:57:02 +0100 Steve Basford
<steveb_clamav [at] sanesecurity> wrote:

> Could a --database type option be added to sigtool, for loading databases
> outside the normal DatabaseDirectory area from the clamd.conf file?

Yep, please open a ticket in our bugzilla

--
oo ..... Tomasz Kojm <tkojm [at] clamav>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Fri Jun 4 10:17:08 CEST 2010


steveb_clamav at sanesecurity

Jun 4, 2010, 1:47 AM

Post #11 of 12 (7464 views)
Re: PUA.HTML.Infected.WebPage-1

> Yep, please open a ticket in our bugzilla

Entry added:

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2063

BTW, might be an idea to add "Sigtool" to the component options page on
Bugzilla.

Cheers,

Steve
Sanesecurity



webmaster at securiteinfo

Jun 10, 2010, 6:51 AM

Post #12 of 12 (7525 views)
Re: PUA.HTML.Infected.WebPage-1

Hello,

On Thursday 03 June 2010 13:05:39, Jiri Reischig wrote:
> Hi all,
>
> Is it possible to find anywhere information on what "PUA.HTML.Infected.WebPage"
> exactly means if it's detected in a file?
>
> It looks like it detects files with an iframe HTML tag.
> If so, it can detect a lot of files which are OK and do not include any
> "bad" application or malware.

Well, it detects iframes after the "</body></html>" lines. This is common to
defaced websites.

Best regards,

Arnaud Jacques
Security Consultant

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois
_______________________________
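The explanation above (an iframe after the closing "</body></html>" tags) and the sigtool --decode-sigs step earlier in the thread, as an added Python example that is not from the thread or from ClamAV: it parses a constructed .ndb-style line (not the real PUA.HTML.Infected.WebPage-1 signature, which the thread never reproduces), renders its hex body the way decoded sigtool output reads, and checks two constructed pages against it. The matcher is a simplified approximation and assumes no ClamAV HTML normalisation.

```python
import re

# Constructed .ndb-style line for illustration only: it is NOT the real
# PUA.HTML.Infected.WebPage-1 signature (the thread never reproduces it).
# Fields: Name:TargetType:Offset:HexBody (target 3 = HTML, offset * = anywhere).
SAMPLE_NDB = ("Constructed.Iframe.AfterHtml:3:*:"
              "3c2f626f64793e3c2f68746d6c3e{-200}3c696672616d65")
# Wildcards handled: '*' (any bytes), '??' (one byte), '{n}', '{n-m}', '{-m}', '{n-}'.
_WILDCARD = re.compile(r"(\{[^}]*\}|\*|\?\?)")

def parse_ndb(line):
    """Split an .ndb line into its first four fields."""
    name, target, offset, body = line.strip().split(":")[:4]
    return {"name": name, "target": int(target), "offset": offset, "body": body}

def decode_body(body):
    """Hex body to text, wildcards kept: roughly what sigtool --decode-sigs prints."""
    return "".join(tok if _WILDCARD.fullmatch(tok) else bytes.fromhex(tok).decode("latin-1")
                   for tok in _WILDCARD.split(body) if tok)

def body_to_regex(body):
    """Translate the hex body into a Python regex (simplified, case-sensitive)."""
    parts = []
    for tok in _WILDCARD.split(body):
        if tok == "*":
            parts.append(".*")
        elif tok == "??":
            parts.append(".")
        elif tok.startswith("{"):  # {n}, {n-m}, {-m} or {n-}
            lo, dash, hi = tok[1:-1].partition("-")
            parts.append(".{%s,%s}" % (lo or "0", hi) if dash else ".{%s}" % lo)
        elif tok:
            parts.append(re.escape(bytes.fromhex(tok).decode("latin-1")))
    return re.compile("".join(parts), re.DOTALL)

def matches(html, sig):
    """True if the page would trigger the signature. Real ClamAV normalises HTML
    (lowercasing, whitespace) before matching; this simplified matcher does not."""
    return body_to_regex(sig["body"]).search(html) is not None

# Constructed pages: an iframe inside <body> (ordinary use) versus one appended
# after the closing tags, the pattern the thread attributes to defaced sites.
ORDINARY_PAGE = "<html><body><iframe src='/widget'></iframe></body></html>\n"
APPENDED_PAGE = "<html><body>hello</body></html>\n<iframe src='/injected'></iframe>"

if __name__ == "__main__":
    sig = parse_ndb(SAMPLE_NDB)
    print(sig["name"], "decodes to:", decode_body(sig["body"]))
    print("ordinary:", matches(ORDINARY_PAGE, sig), "appended:", matches(APPENDED_PAGE, sig))
```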
