diff --git a/README.md b/README.md
index 1f4207b..4ef8f34 100644
--- a/README.md
+++ b/README.md
@@ -32,6 +32,7 @@ Usage: php scan.php -d
 -t --time Show time of last file change
 -L --line-number Display matching pattern line number in file
 -o --output-format Custom defined output format
+ -j --wordpress-version Version of wordpress to get md5 signatures
 ```
 Ignore argument could be used multiple times and accept glob style matching ex.: "`cache*`", "`??-cache.php`" or "`/cache`" etc.
@@ -70,6 +71,15 @@ Whitelisting
 See [whitelist.txt](https://github.com/scr34m/php-malware-scanner/blob/master/whitelist.txt) file for a predefined MD5 hash list. Only the first 32 characters are used, rest of the line ignored so feel free to leave a comment.
+Wordpress md5 sum whitelisting
+-------------
+You can automatically add md5sum from wordpress core files by specifing version as argument to --wordpress-version or -j.
+Example:
+```
+scan -d . -j 4.9.2
+```
+That will automatically get md5sums from wordpress api (https://api.wordpress.org/core/checksums/1.0/?version=x.x.x) and add it to whitelist. To check your version simply check wp-includes/version.php file of your wordpress
+
 Tools
 -----
diff --git a/scan.php b/scan.php
index 6656ceb..d654b8c 100644
--- a/scan.php
+++ b/scan.php
@@ -177,12 +177,28 @@ class MalwareScanner
 }
 }
+ private function addWordpressChecksums($wp_version) {
+ $apiurl = 'https://api.wordpress.org/core/checksums/1.0/?version=' . $wp_version;
+ $json = json_decode ( file_get_contents ( $apiurl ) );
+ $checksums = $json->checksums;
+
+ if ($checksums->$wp_version == false) { #no checksum returned
+ $this->error('Cannot load wordpress checksums from: '.$apiurl);
+ exit(-1);
+ }
+
+ foreach( $checksums->$wp_version as $file => $checksum ) {
+ $this->whitelist[] = $checksum;
+
+ }
+ }
+
 //Handles the getopt() function call, sets attributes according to flags.
 //All flag handling stuff should be setup here.
 private function parseArgs() {
 $options = getopt(
- 'd:e:i:o:abmcxlhkwnsptL',
+ 'd:e:i:o:abmcxlhkwnsptLj:',
 array(
 'directory:',
 'extension:',
@@ -201,7 +217,8 @@ class MalwareScanner
 'pattern',
 'time',
 'line-number',
- 'output-format:'
+ 'output-format:',
+ 'wordpress-version:'
 )
 );
@@ -270,10 +287,15 @@ class MalwareScanner
 if (isset($options['line-number']) || isset($options['L'])) {
 $this->setFlagLineNumber(true);
 }
+
 if (isset($options['output-format']) || isset($options['o'])) {
 $tmp = isset($options['output-format']) ? $options['output-format'] : $options['o'];
 $this->setOutputFormat(is_array($tmp) ? $tmp : array($tmp));
 }
+ if (isset($options['wordpress-version']) || isset($options['j'])) {
+ $tmp = isset($options['wordpress-version']) ? $options['wordpress-version'] : $options['j'];
+ $this->addWordpressChecksums($tmp);
+ }
 }
 public function setExtensions(array $a)
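Review bot: addWordpressChecksums never checks the return of `file_get_contents` or `json_decode`, so a network failure, `allow_url_fopen=0`, or a non-JSON reply turns into a run of PHP warnings (null/false property reads) before the loose `== false` test happens to catch it, and `$wp_version` is concatenated into the API URL and then used as a dynamic property name without any validation. Because this response decides which files the scanner will mark as whitelisted for the whole run, the failure modes should be explicit rather than incidental: restrict the version to a dotted numeric form, URL-encode it, decode into an array and test with `isset`/`is_array` before iterating, and drop the unused `$file` variable. The loop also currently appends whatever the API returns verbatim; if the tool only ever compares 32-char MD5 strings, rejecting non-hex entries at this point would keep the whitelist consistent with the file-based one described in the README. A rewrite along these lines:
```php
private function addWordpressChecksums($wp_version) {
    // Only a dotted numeric version is accepted: it is interpolated into the
    // request URL and used as a key into the decoded response.
    if (!is_string($wp_version) || !preg_match('/^\d+(\.\d+){0,3}$/', $wp_version)) {
        $this->error('Invalid wordpress version: ' . (is_string($wp_version) ? $wp_version : 'non-string value'));
        exit(-1);
    }
    $apiurl = 'https://api.wordpress.org/core/checksums/1.0/?version=' . rawurlencode($wp_version);
    $body = file_get_contents($apiurl);
    $json = ($body === false) ? null : json_decode($body, true);
    // The API must answer with a non-empty checksum map for exactly this version.
    if (!isset($json['checksums'][$wp_version]) || !is_array($json['checksums'][$wp_version])) {
        $this->error('Cannot load wordpress checksums from: ' . $apiurl);
        exit(-1);
    }
    foreach ($json['checksums'][$wp_version] as $checksum) {
        if (is_string($checksum) && preg_match('/^[0-9a-f]{32}$/i', $checksum)) {
            $this->whitelist[] = $checksum;
        }
    }
}
```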
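Review bot: The new `--wordpress-version` branch hands `$tmp` straight to addWordpressChecksums, but getopt yields an array when the same flag is repeated, which the `--output-format` block directly above already anticipates with `is_array`; here the array would be concatenated into the API URL as the literal string "Array" and the lookup would fail with an unhelpful error. Either reject the repeated flag — `if (is_array($tmp)) { $this->error('--wordpress-version may only be given once'); exit(-1); }` — or pick the last value with `$tmp = is_array($tmp) ? end($tmp) : $tmp;` before the call. parseArgs begins outside this hunk, so the option handling above it is not visible here.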
@@ -646,24 +668,26 @@ class MalwareScanner
 private function showHelp() {
 echo 'Usage: php scan.php -d ' . PHP_EOL;
- echo ' -h --help Show this help message' . PHP_EOL;
- echo ' -d --directory Directory for searching' . PHP_EOL;
- echo ' -e --extension File Extension to Scan, can be used multiple times' . PHP_EOL;
- echo ' -i --ignore Directory of file to ignore' . PHP_EOL;
- echo ' -a --all-output Enables --checksum,--comment,--pattern,--time' . PHP_EOL;
- echo ' -b --base64 Scan for base64 encoded PHP keywords' . PHP_EOL;
- echo ' -m --checksum Display MD5 Hash/Checksum of file' . PHP_EOL;
- echo ' -c --comment Display comments for matched patterns' . PHP_EOL;
- echo ' -x --extra-check Adds GoogleBot and htaccess to Scan List' . PHP_EOL;
- echo ' -l --follow-symlink Follow symlinked directories' . PHP_EOL;
- echo ' -k --hide-ok Hide results with \'OK\' status' . PHP_EOL;
- echo ' -w --hide-whitelist Hide results with \'WL\' status' . PHP_EOL;
- echo ' -n --no-color Disable color mode' . PHP_EOL;
- echo ' -s --no-stop Continue scanning file after first hit' . PHP_EOL;
- echo ' -p --pattern Show Patterns next to the file name' . PHP_EOL;
- echo ' -t --time Show time of last file change' . PHP_EOL;
- echo ' -L --line-number Display matching pattern line number in file' . PHP_EOL;
- echo ' -o --output-format Custom defined output format' . PHP_EOL;
+ echo ' -h --help Show this help message' . PHP_EOL;
+ echo ' -d --directory Directory for searching' . PHP_EOL;
+ echo ' -e --extension File Extension to Scan, can be used multiple times' . PHP_EOL;
+ echo ' -i --ignore Directory of file to ignore' . PHP_EOL;
+ echo ' -a --all-output Enables --checksum,--comment,--pattern,--time' . PHP_EOL;
+ echo ' -b --base64 Scan for base64 encoded PHP keywords' . PHP_EOL;
+ echo ' -m --checksum Display MD5 Hash/Checksum of file' . PHP_EOL;
+ echo ' -c --comment Display comments for matched patterns' . PHP_EOL;
+ echo ' -x --extra-check Adds GoogleBot and htaccess to Scan List' . 
PHP_EOL;
+ echo ' -l --follow-symlink Follow symlinked directories' . PHP_EOL;
+ echo ' -k --hide-ok Hide results with \'OK\' status' . PHP_EOL;
+ echo ' -w --hide-whitelist Hide results with \'WL\' status' . PHP_EOL;
+ echo ' -n --no-color Disable color mode' . PHP_EOL;
+ echo ' -s --no-stop Continue scanning file after first hit' . PHP_EOL;
+ echo ' -p --pattern Show Patterns next to the file name' . PHP_EOL;
+ echo ' -t --time Show time of last file change' . PHP_EOL;
+ echo ' -L --line-number Display matching pattern line number in file' . PHP_EOL;
+ echo ' -o --output-format Custom defined output format' . PHP_EOL;
+ echo ' -j --wordpress-version Version of wordpress to get md5 signatures' . PHP_EOL;
+
 }
 }