mirror of
https://github.com/scr34m/php-malware-scanner.git
synced 2026-06-16 12:30:35 +00:00
Added Extra Patterns for Scanning.
Added Extra Patterns for scanning from samples i found on my server. Added extra-check it checks for googlebot and htaccess useful for cleaning up left over files.
This commit is contained in:
screwloose83
committed by
Győrvári Gábor
Győrvári Gábor
parent
4f41362a46
commit
d12f5982b2
38
scan.php
38
scan.php
@@ -26,6 +26,7 @@ class MalwareScanner
|
||||
private $extension = '.php';
|
||||
private $flagHideOk = false;
|
||||
private $flagHideWhitelist = false;
|
||||
private $ExtraCheck = false;
|
||||
private $whitelist = array();
|
||||
private $stat = array(
|
||||
'directories' => 0,
|
||||
@@ -35,7 +36,7 @@ class MalwareScanner
|
||||
|
||||
public function __construct()
|
||||
{
|
||||
$options = getopt('hd:e::', array('hide-ok', 'hide-whitelist'));
|
||||
$options = getopt('hd:e::', array('hide-ok', 'hide-whitelist', 'extra-check'));
|
||||
if (isset($options['h'])) {
|
||||
$this->showHelp();
|
||||
} else {
|
||||
@@ -52,6 +53,9 @@ class MalwareScanner
|
||||
if (isset($options['hide-whitelist'])) {
|
||||
$this->flagHideWhitelist = true;
|
||||
}
|
||||
if (isset($options['extra-check'])) {
|
||||
$this->ExtraCheck = true;
|
||||
}
|
||||
if (isset($options['d'])) {
|
||||
$this->run($options['d']);
|
||||
} else {
|
||||
@@ -116,6 +120,7 @@ class MalwareScanner
|
||||
|
||||
private function report($start, $dir)
|
||||
{
|
||||
date_default_timezone_set('Australia/Melbourne');
|
||||
$end = time();
|
||||
echo 'Start time: ' . strftime('%Y-%m-%d %H:%M:%S', $start) . PHP_EOL;
|
||||
echo 'End time: ' . strftime('%Y-%m-%d %H:%M:%S', $end) . PHP_EOL;
|
||||
@@ -132,7 +137,8 @@ class MalwareScanner
|
||||
|
||||
$fileContent = file_get_contents($path);
|
||||
$found = false;
|
||||
|
||||
//$ExtraCheck = true;
|
||||
|
||||
// check against simple text matches
|
||||
$patterns = array(
|
||||
'uname -a',
|
||||
@@ -172,9 +178,36 @@ class MalwareScanner
|
||||
/* too open? */
|
||||
// 'gzinflate(base64_decode(',
|
||||
'md5($_GET[', // md5($_GET["ms-load"])
|
||||
'sendMail',
|
||||
'echo "ok-ok"',
|
||||
'/ShellBOT/i',
|
||||
'/YW55cmVzdWx0cy5uZXQ=/i',
|
||||
'/eval\s*\(/i',
|
||||
'/base64_decode\s*\(/i',
|
||||
'/str_rot13/i',
|
||||
'/uudecode/i',
|
||||
'/preg_replace',
|
||||
'bgeteam',
|
||||
'DisablePHP=',
|
||||
'=urldecode',
|
||||
'moban.html',
|
||||
'<?php eval',
|
||||
'$data = base64_decode("',
|
||||
|
||||
'a,b,c,d,e,f,g',
|
||||
' freetellafriend.com',
|
||||
'SHELL_PASSWORD',
|
||||
'curl_get_from_webpage',
|
||||
'base=base64_encode',
|
||||
'@x0powo',
|
||||
'@preg_replace',
|
||||
'1@1.com',
|
||||
'META http-equiv="refresh" content="0;',
|
||||
'="create_";global'
|
||||
);
|
||||
if ($this->ExtraCheck) {
|
||||
array_push($patterns, "googleBot", "htaccess");
|
||||
}
|
||||
foreach ($patterns as $toSearch) {
|
||||
$substrCount = substr_count($fileContent, $toSearch);
|
||||
if ($substrCount > 0) {
|
||||
@@ -253,6 +286,7 @@ class MalwareScanner
|
||||
echo ' -e=.php Extension' . PHP_EOL;
|
||||
echo ' --hide-ok Hide OK aka not infected messages' . PHP_EOL;
|
||||
echo ' --hide-whitelist Hide whitelisted messages' . PHP_EOL;
|
||||
echo ' --extra-check Adds GoogleBot and htaccess to Scan List.' . PHP_EOL;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user