mirror of
https://github.com/scr34m/php-malware-scanner.git
synced 2026-06-16 12:30:35 +00:00
Merge pull request #34 from marek-knappe/wordpress-whitelist
Added wordpress files md5sum whitelisting
This commit is contained in:
Győrvári Gábor
10
README.md
10
README.md
@@ -32,6 +32,7 @@ Usage: php scan.php -d <directory>
|
|||||||
-t --time Show time of last file change
|
-t --time Show time of last file change
|
||||||
-L --line-number Display matching pattern line number in file
|
-L --line-number Display matching pattern line number in file
|
||||||
-o --output-format Custom defined output format
|
-o --output-format Custom defined output format
|
||||||
|
-j --wordpress-version Version of wordpress to get md5 signatures
|
||||||
```
|
```
|
||||||
|
|
||||||
Ignore argument could be used multiple times and accept glob style matching ex.: "`cache*`", "`??-cache.php`" or "`/cache`" etc.
|
Ignore argument could be used multiple times and accept glob style matching ex.: "`cache*`", "`??-cache.php`" or "`/cache`" etc.
|
||||||
@@ -70,6 +71,15 @@ Whitelisting
|
|||||||
|
|
||||||
See [whitelist.txt](https://github.com/scr34m/php-malware-scanner/blob/master/whitelist.txt) file for a predefined MD5 hash list. Only the first 32 characters are used, rest of the line ignored so feel free to leave a comment.
|
See [whitelist.txt](https://github.com/scr34m/php-malware-scanner/blob/master/whitelist.txt) file for a predefined MD5 hash list. Only the first 32 characters are used, rest of the line ignored so feel free to leave a comment.
|
||||||
|
|
||||||
|
Wordpress md5 sum whitelisting
|
||||||
|
-------------
|
||||||
|
You can automatically add md5sum from wordpress core files by specifing version as argument to --wordpress-version or -j.
|
||||||
|
Example:
|
||||||
|
```
|
||||||
|
scan -d . -j 4.9.2
|
||||||
|
```
|
||||||
|
That will automatically get md5sums from wordpress api (https://api.wordpress.org/core/checksums/1.0/?version=x.x.x) and add it to whitelist. To check your version simply check wp-includes/version.php file of your wordpress
|
||||||
|
|
||||||
Tools
|
Tools
|
||||||
-----
|
-----
|
||||||
|
|
||||||
|
|||||||
64
scan.php
64
scan.php
@@ -178,12 +178,28 @@ class MalwareScanner
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private function addWordpressChecksums($wp_version) {
|
||||||
|
$apiurl = 'https://api.wordpress.org/core/checksums/1.0/?version=' . $wp_version;
|
||||||
|
$json = json_decode ( file_get_contents ( $apiurl ) );
|
||||||
|
$checksums = $json->checksums;
|
||||||
|
|
||||||
|
if ($checksums->$wp_version == false) { #no checksum returned
|
||||||
|
$this->error('Cannot load wordpress checksums from: '.$apiurl);
|
||||||
|
exit(-1);
|
||||||
|
}
|
||||||
|
|
||||||
|
foreach( $checksums->$wp_version as $file => $checksum ) {
|
||||||
|
$this->whitelist[] = $checksum;
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
//Handles the getopt() function call, sets attributes according to flags.
|
//Handles the getopt() function call, sets attributes according to flags.
|
||||||
//All flag handling stuff should be setup here.
|
//All flag handling stuff should be setup here.
|
||||||
private function parseArgs()
|
private function parseArgs()
|
||||||
{
|
{
|
||||||
$options = getopt(
|
$options = getopt(
|
||||||
'd:e:i:o:abmcxlhkwnsptL',
|
'd:e:i:o:abmcxlhkwnsptLj:',
|
||||||
array(
|
array(
|
||||||
'directory:',
|
'directory:',
|
||||||
'extension:',
|
'extension:',
|
||||||
@@ -202,7 +218,8 @@ class MalwareScanner
|
|||||||
'pattern',
|
'pattern',
|
||||||
'time',
|
'time',
|
||||||
'line-number',
|
'line-number',
|
||||||
'output-format:'
|
'output-format:',
|
||||||
|
'wordpress-version:'
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
@@ -271,10 +288,15 @@ class MalwareScanner
|
|||||||
if (isset($options['line-number']) || isset($options['L'])) {
|
if (isset($options['line-number']) || isset($options['L'])) {
|
||||||
$this->setFlagLineNumber(true);
|
$this->setFlagLineNumber(true);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (isset($options['output-format']) || isset($options['o'])) {
|
if (isset($options['output-format']) || isset($options['o'])) {
|
||||||
$tmp = isset($options['output-format']) ? $options['output-format'] : $options['o'];
|
$tmp = isset($options['output-format']) ? $options['output-format'] : $options['o'];
|
||||||
$this->setOutputFormat(is_array($tmp) ? $tmp : array($tmp));
|
$this->setOutputFormat(is_array($tmp) ? $tmp : array($tmp));
|
||||||
}
|
}
|
||||||
|
if (isset($options['wordpress-version']) || isset($options['j'])) {
|
||||||
|
$tmp = isset($options['wordpress-version']) ? $options['wordpress-version'] : $options['j'];
|
||||||
|
$this->addWordpressChecksums($tmp);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public function setExtensions(array $a)
|
public function setExtensions(array $a)
|
||||||
@@ -647,24 +669,26 @@ class MalwareScanner
|
|||||||
private function showHelp()
|
private function showHelp()
|
||||||
{
|
{
|
||||||
echo 'Usage: php scan.php -d <directory>' . PHP_EOL;
|
echo 'Usage: php scan.php -d <directory>' . PHP_EOL;
|
||||||
echo ' -h --help Show this help message' . PHP_EOL;
|
echo ' -h --help Show this help message' . PHP_EOL;
|
||||||
echo ' -d <directory> --directory Directory for searching' . PHP_EOL;
|
echo ' -d <directory> --directory Directory for searching' . PHP_EOL;
|
||||||
echo ' -e <file extension> --extension File Extension to Scan, can be used multiple times' . PHP_EOL;
|
echo ' -e <file extension> --extension File Extension to Scan, can be used multiple times' . PHP_EOL;
|
||||||
echo ' -i <directory|file> --ignore Directory of file to ignore' . PHP_EOL;
|
echo ' -i <directory|file> --ignore Directory of file to ignore' . PHP_EOL;
|
||||||
echo ' -a --all-output Enables --checksum,--comment,--pattern,--time' . PHP_EOL;
|
echo ' -a --all-output Enables --checksum,--comment,--pattern,--time' . PHP_EOL;
|
||||||
echo ' -b --base64 Scan for base64 encoded PHP keywords' . PHP_EOL;
|
echo ' -b --base64 Scan for base64 encoded PHP keywords' . PHP_EOL;
|
||||||
echo ' -m --checksum Display MD5 Hash/Checksum of file' . PHP_EOL;
|
echo ' -m --checksum Display MD5 Hash/Checksum of file' . PHP_EOL;
|
||||||
echo ' -c --comment Display comments for matched patterns' . PHP_EOL;
|
echo ' -c --comment Display comments for matched patterns' . PHP_EOL;
|
||||||
echo ' -x --extra-check Adds GoogleBot and htaccess to Scan List' . PHP_EOL;
|
echo ' -x --extra-check Adds GoogleBot and htaccess to Scan List' . PHP_EOL;
|
||||||
echo ' -l --follow-symlink Follow symlinked directories' . PHP_EOL;
|
echo ' -l --follow-symlink Follow symlinked directories' . PHP_EOL;
|
||||||
echo ' -k --hide-ok Hide results with \'OK\' status' . PHP_EOL;
|
echo ' -k --hide-ok Hide results with \'OK\' status' . PHP_EOL;
|
||||||
echo ' -w --hide-whitelist Hide results with \'WL\' status' . PHP_EOL;
|
echo ' -w --hide-whitelist Hide results with \'WL\' status' . PHP_EOL;
|
||||||
echo ' -n --no-color Disable color mode' . PHP_EOL;
|
echo ' -n --no-color Disable color mode' . PHP_EOL;
|
||||||
echo ' -s --no-stop Continue scanning file after first hit' . PHP_EOL;
|
echo ' -s --no-stop Continue scanning file after first hit' . PHP_EOL;
|
||||||
echo ' -p --pattern Show Patterns next to the file name' . PHP_EOL;
|
echo ' -p --pattern Show Patterns next to the file name' . PHP_EOL;
|
||||||
echo ' -t --time Show time of last file change' . PHP_EOL;
|
echo ' -t --time Show time of last file change' . PHP_EOL;
|
||||||
echo ' -L --line-number Display matching pattern line number in file' . PHP_EOL;
|
echo ' -L --line-number Display matching pattern line number in file' . PHP_EOL;
|
||||||
echo ' -o --output-format Custom defined output format' . PHP_EOL;
|
echo ' -o --output-format Custom defined output format' . PHP_EOL;
|
||||||
|
echo ' -j --wordpress-version Version of wordpress to get md5 signatures' . PHP_EOL;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user