WEB False positive?

Discussion in 'OT Technology' started by Browning, Jul 5, 2009.

  1. Browning

    Browning Active Member

    So there's a couple WordPress themes that I downloaded earlier, and when I run them through VirusTotal, ClamAV detects PUA.Script.Obfus.

    Found this in the footer:
    Code:
    <?php $_F=__FILE__;$_X='Pz4JPGQ0diA0ZD0iZjIydDVyIj4NCgkJRDVzNGduIGJ5IDwxIGhyNWY9Imh0dHA6Ly93d3cuSjFja1oxcC5DMm0iIHQ0dGw1PSJKMWNrejFwIC0gRDE0bHkgTjV3cyBTdDJyNDVzIj5KMWNrejFwIC0gRDE0bHkgTjV3cyBTdDJyNDVzPC8xPiANCgk8L2Q0dj4NCjwvZDR2PjwvZDR2PjwvZDR2Pg0KPC9iMmR5Pg0KPC9odG1sPg==';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>
    Scanning all files individually now to see if anything gets detected in them. It's no biggie if it's only in the footer file as I can steal that from the demo footer.

    How can I find out if this is anything to worry about or just a false positive?

    edit-Only in the footer on this one. deleted it, scanned and it's clean.
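
One way to answer the question in the post above without running the theme: unpack the footer statically and read what it would have passed to `eval`. This is an added example, not part of the original thread; `decode_footer`, `suspicious_calls` and the list of function names it checks are this example's own choices, and the sample string is the footer code exactly as posted.

```python
import base64
import re

# Footer code exactly as posted in the thread. It is only parsed, never executed.
SAMPLE = (
    "<?php $_F=__FILE__;$_X='"
    "Pz4JPGQ0diA0ZD0iZjIydDVyIj4NCgkJRDVzNGduIGJ5IDwxIGhyNWY9Imh0dHA6Ly93d3cuSjFja1oxcC5DMm0i"
    "IHQ0dGw1PSJKMWNrejFwIC0gRDE0bHkgTjV3cyBTdDJyNDVzIj5KMWNrejFwIC0gRDE0bHkgTjV3cyBTdDJyNDVz"
    "PC8xPiANCgk8L2Q0dj4NCjwvZDR2PjwvZDR2PjwvZDR2Pg0KPC9iMmR5Pg0KPC9odG1sPg=="
    "';eval(base64_decode('"
    "JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7"
    "JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=="
    "'));?>"
)

B64 = r"([A-Za-z0-9+/=]+)"


def decode_footer(php_source):
    """Return (stub, payload): the decoder stub and the text it would eval."""
    packed = re.search(r"\$_X='" + B64 + "'", php_source)
    stub_b64 = re.search(r"eval\(base64_decode\('" + B64 + r"'\)\)", php_source)
    if not packed or not stub_b64:
        raise ValueError("not this packer layout")
    stub = base64.b64decode(stub_b64.group(1)).decode("latin-1")
    # The stub carries its own substitution table: strtr($_X,'from','to')
    table = re.search(r"strtr\(\$_X,'([^']*)','([^']*)'\)", stub)
    if not table or len(table.group(1)) != len(table.group(2)):
        raise ValueError("no usable strtr() table in stub")
    mapping = str.maketrans(table.group(1), table.group(2))
    payload = base64.b64decode(packed.group(1)).decode("latin-1").translate(mapping)
    return stub, payload


def suspicious_calls(payload):
    """PHP calls in the decoded payload that would deserve a closer look."""
    risky = ("eval", "base64_decode", "gzinflate", "system", "exec",
             "passthru", "fopen", "curl_init", "file_get_contents")
    return [name for name in risky if re.search(r"\b" + name + r"\s*\(", payload)]


if __name__ == "__main__":
    stub, payload = decode_footer(SAMPLE)
    print("--- stub ---\n" + stub)
    print("--- payload ---\n" + payload)
    print("--- calls to review ---", suspicious_calls(payload))
```

For the footer posted above, the decoded payload is plain HTML (the footer markup with a credit link) and contains no further PHP calls; the obfuscation is what ClamAV's PUA.Script.Obfus signature reacts to.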
     
  2. Pepsi1975

    Pepsi1975 Mod of the Year

    most of the time I never leave the footer from free ones, they always have garbage in them like that
     
  3. 07

    07 18-1


    yea, lots of shit lolla like that. Delete, replace footer code, and look through the other files for anything that corresponds to that... usually, i find them in the functions file, if they do have anything with it...
     
  4. Pepsi1975

    Pepsi1975 Mod of the Year

    yeah i forgot about that, i had one that had a script that could tell the footer was changed :rofl:

    and i got a pop up on the site saying if i wanted to remove the popup to replace the footer lol

    i just killed off the place where it called the script into play and all was good on it :rofl:
     
