Sample update from #94

Merge remote-tracking branch 'origin/master'
Sample update from #93
2026-06-16 12:30:35 +00:00 · 2025-06-09 20:28:26 +02:00 · 2025-05-15 17:55:32 +02:00 · 2025-05-15 17:55:25 +02:00 · 2024-12-05 06:44:14 +01:00 · 2024-12-04 23:41:36 +01:00
4 changed files with 72 additions and 0 deletions
--- a/15
+++ b/15
@@ -0,0 +1,15 @@
 FROM php:8.2-cli
 # Install dependencies
 RUN apt-get update && apt-get install -y \
    git \
    unzip \
    libzip-dev \
    && docker-php-ext-install zip
 WORKDIR /scanner
 COPY . .
 RUN chmod +x scan
 ENTRYPOINT ["./scan"]
 CMD ["/code"] 
--- a/README.md
+++ b/README.md
@@ -146,3 +146,37 @@ Licensing
 ---------
 PHP malware scanner is [licensed](https://github.com/scr34m/php-malware-scanner/blob/master/LICENSE.txt) under the GNU General Public License v3.
 Docker Usage
 -----------
 You can also run the scanner using Docker:
 1. Build the image:
 ```bash
 docker build -t php-malware-scanner .
 ```
 2. Scan a directory:
 ```bash
 docker run -v /path/to/scan:/code php-malware-scanner -d /code
 ```
 For example, to scan a WordPress installation:
 ```bash
 docker run -v /var/www/html:/code php-malware-scanner -d /code -j 6.4.1
 ```
 Common usage with flags:
 ```bash
 # Show only infected files (hide OK status)
 docker run -v /path/to/scan:/code php-malware-scanner -d /code -k
 # Show comments for matched patterns
 docker run -v /path/to/scan:/code php-malware-scanner -d /code -c
 # Show MD5 hashes and continue after first match
 docker run -v /path/to/scan:/code php-malware-scanner -d /code -m -s
 ```
 The `/code` directory inside the container is where your files will be mounted for scanning.
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -22,6 +22,9 @@ SHELL_PASSWORD
 ConnectBackShell
 ShellBOT
 == "bindshell"
 ".\x00..\x20"
 FM_SESSION_ID
 HACKED BY
 #Remote Code
 curl_get_from_webpage
@@ -183,6 +186,7 @@ kZWZpbm
 # Obfuscation related code
 eval("?>
 eval('?>
@eval(
 "base64_decode"
 ='base'.(32*2).'_de'.'code'
 "p"."r"."e"."g"."_"
@@ -208,6 +212,12 @@ http://www.fopo.com.ar/
 ";eval(
 eval(eval(
@eval(`
 convert_uudecode(convert_uuencode
 "64_decode"
 'f' . 'il' . 'e' . '_'
 'co' . 'nt' . 'e' . 'nt'
 'h' . 'tm' . 'l' . 'sp'
 'ha' . 'r' . 's'
 #Malware/Attack specific strings/fingerprints/signatures
 MagelangCyber
@@ -266,6 +276,12 @@ smisbot
 smotherbot
 Indonesian Hacker Rulez
 pwetan.com
 iNHUMaN
 Heartzz
 Bye Bye Litespeed
 BunnyInvisible
 SEMOGABERKAH
 BUTERFLYCOUNTRY
 # WP-VCD Malware https://www.getastra.com/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/
 wp-vcd
@@ -363,6 +379,7 @@ php_uname()
 str_split(rawurldecode(str_rot13(
 # generating PHP file name to put content
 substr(md5(time()), 0, 8) . ".php"
 'a:1:{s:13:\"administrator\";b:1;}'
 # webshell
 0byt3m1n1
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -154,3 +154,9 @@ return @\$[a-z]{2}\d+\[\d+\]\(\$[a-z]{2}\d+\[\d+\],
 # htaccess alternating
 [a-z]{1}\([a-z]{1}\(\$[a-z]{2}\.'\/\.htaccess'\)
 # Javascript specific rules
 # JS - escaped command
 \.fromCharCode\([0-9,]{4,}\)
 \+-parseInt\(\w\('0x[0-9a-z]+'\)\)\/
Author	SHA1	Message	Date
Gabor Gyorvari	201ab77516	Sample update from #94	2025-06-09 20:28:26 +02:00
Gabor Gyorvari	46024eca5e	Merge remote-tracking branch 'origin/master'	2025-05-15 17:55:32 +02:00
Gabor Gyorvari	a31cc18dc5	Sample update from #93	2025-05-15 17:55:25 +02:00
Győrvári Gábor	96806c69e9	Merge pull request #92 from edward-rafalovsky/feature/add-docker-support Add Docker support with documentation	2024-12-05 06:44:14 +01:00
Edward Rafalovsky	42c2aad685	Add Docker support with documentation	2024-12-04 23:41:36 +01:00
Gabor Gyorvari	cad03dc3b4	Javascript sample update in #91	2024-07-08 17:55:38 +02:00