Re: [tlug] Clamav reports a virus: Exploit.Gif.PHPembedded



On Thu, Jun 5, 2008 at 2:40 PM, Edmund Edgar <lists@example.com> wrote:
>
> What you've got there is a JPEG image with some PHP code in the
> comment field. (In this case not very harmful in itself - I think this
> is just intended as proof of concept or something:)
> <?php system('ls -la'); ?>
The POC will work under some circumstances.
I think I can craft a snippet of PHP code that makes the POC work :).

>
> Since it contains valid PHP code, and PHP just prints anything outside
> the brackets, that PHP code will run on your system if you tell PHP to
> execute the file.
What do you mean by "execute the file"?
PHP cannot execute the file, IIRC. All the PHP Exif APIs can do is read the
JPEG's comment and, if we want, print it out. So if we just print/echo
the comment, the malicious code will be executed by PHP.

Btw, I got this file from forensics.
If you want to see other backdoors, botnets and PHP code that is used as a stepping stone
in the hack, you can get it here:
http://vcsj.net/nodes/show/2434

--
Best Regards,
Nguyen Hung Vu ( Nguyễn Vũ Hưng )
vuhung16plus{remove}@example.com , YIM: vuhung16
Japan through an eye of a gaijin:
http://www.flickr.com/photos/vuhung/tags/fav/
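As an added example (not code from either poster), here is a small Python scanner in the spirit of the ClamAV signature named in the subject line. It walks the JPEG marker segments, reports which segment (COM, APP1/Exif, ...) holds a PHP open tag, and falls back to a raw scan so that a tag hidden in the entropy-coded data or appended after the EOI marker is still reported. The JPEG byte strings are constructed inline for the demonstration and are not decodable images; the `<?php system('ls -la'); ?>` payload is the one quoted in the thread.

```python
import re
import struct

# Marker segments a metadata reader will actually encounter
SEGMENT_NAMES = {0xE0: "APP0", 0xE1: "APP1/Exif", 0xED: "APP13/IPTC",
                 0xFE: "COM", 0xDB: "DQT", 0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS"}

# PHP open tags: the full "<?php" form and the short echo form "<?="
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def iter_segments(data: bytes):
    """Yield (marker, offset, payload) for each length-prefixed marker segment.
    Stops at SOS (entropy-coded data follows) or at the first malformed marker,
    leaving anything unparsed to the raw byte scan in scan_jpeg_for_php()."""
    if data[:2] != b"\xff\xd8":          # SOI
        return
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return                        # lost sync with the marker chain
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:
            pos += 1                      # skip 0xFF fill bytes
        marker = data[pos + 1]
        if marker == 0xD9 or 0xD0 <= marker <= 0xD7 or marker == 0x01:
            pos += 2                      # EOI/RSTn/TEM carry no length field
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        yield marker, pos, payload
        pos += 2 + length
        if marker == 0xDA:                # SOS: compressed scan data follows
            return


def scan_jpeg_for_php(data: bytes) -> list:
    """Return one finding per PHP open tag in the file, naming the segment that
    holds it (or noting that it lies outside the parsed segment table)."""
    segments = list(iter_segments(data))
    findings = []
    for m in PHP_TAG.finditer(data):
        where = "outside segment table (entropy data or after EOI)"
        for marker, offset, payload in segments:
            start = offset + 4            # payload begins after marker + length
            if start <= m.start() < start + len(payload):
                where = SEGMENT_NAMES.get(marker, f"0x{marker:02X}")
                break
        findings.append({"segment": where, "offset": m.start(),
                         "snippet": data[m.start():m.start() + 40].decode("latin-1")})
    return findings


def build_jpeg_with_comment(comment: bytes) -> bytes:
    """Constructed minimal JPEG skeleton (not a decodable image): SOI, APP0/JFIF,
    a COM segment carrying `comment`, a token SOS segment, EOI."""
    app0_payload = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(app0_payload) + 2) + app0_payload
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x00" * 16
    return b"\xff\xd8" + app0 + com + sos + b"\xff\xd9"


# Constructed samples: the thread's snippet in the comment field, a benign
# comment, and the benign file with PHP appended after the EOI marker.
TAINTED = build_jpeg_with_comment(b"<?php system('ls -la'); ?>")
CLEAN = build_jpeg_with_comment(b"Created with GIMP")
TRAILING = CLEAN + b"<?php phpinfo(); ?>"

if __name__ == "__main__":
    for name, blob in [("tainted", TAINTED), ("clean", CLEAN), ("trailing", TRAILING)]:
        print(name, scan_jpeg_for_php(blob))
```

For an upload handler the useful reaction to a hit is to reject the file or re-encode it (which discards comment and APP segments), rather than to trust that nothing will ever `include` it: as the thread notes, the tag is inert until some code path hands the file to the PHP interpreter.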
