Added Extra Patterns for Scanning.

Added extra patterns for scanning, taken from samples I found on my server.
Added --extra-check, which also checks for googlebot and htaccess; useful for cleaning up leftover files.
screwloose83
2016-12-10 22:20:57 +11:00
committed by Győrvári Gábor
parent 4f41362a46
commit d12f5982b2


@@ -26,6 +26,7 @@ class MalwareScanner
private $extension = '.php'; private $extension = '.php';
private $flagHideOk = false; private $flagHideOk = false;
private $flagHideWhitelist = false; private $flagHideWhitelist = false;
private $ExtraCheck = false;
private $whitelist = array(); private $whitelist = array();
private $stat = array( private $stat = array(
'directories' => 0, 'directories' => 0,
@@ -35,7 +36,7 @@ class MalwareScanner
public function __construct() public function __construct()
{ {
$options = getopt('hd:e::', array('hide-ok', 'hide-whitelist')); $options = getopt('hd:e::', array('hide-ok', 'hide-whitelist', 'extra-check'));
if (isset($options['h'])) { if (isset($options['h'])) {
$this->showHelp(); $this->showHelp();
} else { } else {
@@ -52,6 +53,9 @@ class MalwareScanner
if (isset($options['hide-whitelist'])) { if (isset($options['hide-whitelist'])) {
$this->flagHideWhitelist = true; $this->flagHideWhitelist = true;
} }
if (isset($options['extra-check'])) {
$this->ExtraCheck = true;
}
if (isset($options['d'])) { if (isset($options['d'])) {
$this->run($options['d']); $this->run($options['d']);
} else { } else {
@@ -116,6 +120,7 @@ class MalwareScanner
private function report($start, $dir) private function report($start, $dir)
{ {
date_default_timezone_set('Australia/Melbourne');
$end = time(); $end = time();
echo 'Start time: ' . strftime('%Y-%m-%d %H:%M:%S', $start) . PHP_EOL; echo 'Start time: ' . strftime('%Y-%m-%d %H:%M:%S', $start) . PHP_EOL;
echo 'End time: ' . strftime('%Y-%m-%d %H:%M:%S', $end) . PHP_EOL; echo 'End time: ' . strftime('%Y-%m-%d %H:%M:%S', $end) . PHP_EOL;
@@ -132,7 +137,8 @@ class MalwareScanner
$fileContent = file_get_contents($path); $fileContent = file_get_contents($path);
$found = false; $found = false;
//$ExtraCheck = true;
// check against simple text matches // check against simple text matches
$patterns = array( $patterns = array(
'uname -a', 'uname -a',
@@ -172,9 +178,36 @@ class MalwareScanner
/* too open? */ /* too open? */
// 'gzinflate(base64_decode(', // 'gzinflate(base64_decode(',
'md5($_GET[', // md5($_GET["ms-load"]) 'md5($_GET[', // md5($_GET["ms-load"])
'sendMail',
'echo "ok-ok"',
'/ShellBOT/i',
'/YW55cmVzdWx0cy5uZXQ=/i',
'/eval\s*\(/i',
'/base64_decode\s*\(/i',
'/str_rot13/i',
'/uudecode/i',
'/preg_replace',
'bgeteam',
'DisablePHP=',
'=urldecode',
'moban.html',
'<?php eval',
'$data = base64_decode("',
'a,b,c,d,e,f,g',
' freetellafriend.com',
'SHELL_PASSWORD',
'curl_get_from_webpage',
'base=base64_encode',
'@x0powo',
'@preg_replace',
'1@1.com',
'META http-equiv="refresh" content="0;',
'="create_";global' '="create_";global'
); );
if ($this->ExtraCheck) {
array_push($patterns, "googleBot", "htaccess");
}
foreach ($patterns as $toSearch) { foreach ($patterns as $toSearch) {
$substrCount = substr_count($fileContent, $toSearch); $substrCount = substr_count($fileContent, $toSearch);
if ($substrCount > 0) { if ($substrCount > 0) {
@@ -253,6 +286,7 @@ class MalwareScanner
echo ' -e=.php Extension' . PHP_EOL; echo ' -e=.php Extension' . PHP_EOL;
echo ' --hide-ok Hide OK aka not infected messages' . PHP_EOL; echo ' --hide-ok Hide OK aka not infected messages' . PHP_EOL;
echo ' --hide-whitelist Hide whitelisted messages' . PHP_EOL; echo ' --hide-whitelist Hide whitelisted messages' . PHP_EOL;
echo ' --extra-check Adds GoogleBot and htaccess to Scan List.' . PHP_EOL;
} }
} }
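Review bot: The new `$patterns` entries written as regular expressions (`'/ShellBOT/i'`, `'/YW55cmVzdWx0cy5uZXQ=/i'`, `'/eval\s*\(/i'`, `'/base64_decode\s*\(/i'`, `'/str_rot13/i'`, `'/uudecode/i'`) are never applied as regexes. The array sits under the comment "check against simple text matches" and the loop below it calls `substr_count($fileContent, $toSearch)`, so each one is searched for as a literal string, delimiters and `/i` included, and a file containing `eval(` or `base64_decode(` is not flagged by them. `'/preg_replace'` has the same stray leading slash, and `' freetellafriend.com'` only matches when a space precedes the domain. Either move the regex entries to a list that is evaluated with `preg_match` (the rest of this method lies outside the hunk, so it is not visible whether one exists) or store them as plain needles such as `'ShellBOT'`, `'str_rot13'`, `'uudecode'`. Separately, `date_default_timezone_set('Australia/Melbourne');` in `report()` fixes every user's report timestamps to one zone; drop it or use `'UTC'` so scan times line up with server logs.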