External/php-malware-scanner
1
0
Fork 0
mirror of https://github.com/scr34m/php-malware-scanner.git synced 2026-06-16 12:30:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: External:1.0.8
Branches Tags
External:master External:gh-pages
External:1.0.31 External:1.0.30 External:1.0.29 External:1.0.28 External:1.0.27 External:1.0.26 External:1.0.25 External:1.0.24 External:1.0.23 External:1.0.22 External:1.0.21 External:1.0.20 External:1.0.19 External:1.0.18 External:1.0.17 External:1.0.16 External:1.0.15 External:1.0.14 External:1.0.13 External:1.0.12 External:1.0.11 External:1.0.10 External:1.0.9 External:1.0.8 External:1.0.7 External:1.0.6 External:1.0.5 External:1.0.4 External:1.0.3 External:1.0.2 External:1.0.1 External:1.0.0
..
compare: External:1.0.11
Branches Tags
External:master External:gh-pages
External:1.0.31 External:1.0.30 External:1.0.29 External:1.0.28 External:1.0.27 External:1.0.26 External:1.0.25 External:1.0.24 External:1.0.23 External:1.0.22 External:1.0.21 External:1.0.20 External:1.0.19 External:1.0.18 External:1.0.17 External:1.0.16 External:1.0.15 External:1.0.14 External:1.0.13 External:1.0.12 External:1.0.11 External:1.0.10 External:1.0.9 External:1.0.8 External:1.0.7 External:1.0.6 External:1.0.5 External:1.0.4 External:1.0.3 External:1.0.2 External:1.0.1 External:1.0.0

7 Commits
1.0.8 ... 1.0.11

Author SHA1 Message Date
Gabor Gyorvari
34ea02323b New flag to specify custom white list file 2021-04-01 12:44:15 +02:00
Gabor Gyorvari
b74494a4f1 base64 sample for "file" too short and causes false positive 2021-02-26 13:27:58 +01:00
Gabor Gyorvari
9624ec4403 README update with new -r flag 2021-02-24 16:47:13 +01:00
Győrvári Gábor
335b13b7c4 Merge pull request #67 from mitchobrian/master 
Feature flagHideErr #66
 2021-02-24 16:45:34 +01:00
Michael Palmer
78bee49176 https://github.com/scr34m/php-malware-scanner/issues/66 2021-02-24 13:36:10 +01:00
Győrvári Gábor
cc0fdc7a9f Merge pull request #63 from aldavigdis/patch-1 
Adding definitions based on recent code injection
 2020-11-17 08:07:52 +01:00
Alda Vigdis Skarphedinsdottir
ec8f9920ba Adding definitions based on recent code injection 2020-11-17 04:06:03 +01:00
3 changed files with 51 additions and 18 deletions
Expand all files Collapse all files

2
README.md
View File

@@ -26,6 +26,7 @@ Usage: php scan.php -d <directory>
-x --extra-check Adds GoogleBot and htaccess to Scan List -x --extra-check Adds GoogleBot and htaccess to Scan List
-l --follow-symlink Follow symlinked directories -l --follow-symlink Follow symlinked directories
-k --hide-ok Hide results with 'OK' status -k --hide-ok Hide results with 'OK' status
-r --hide-err Hide results with 'ER' status
-w --hide-whitelist Hide results with 'WL' status -w --hide-whitelist Hide results with 'WL' status
-n --no-color Disable color mode -n --no-color Disable color mode
-s --no-stop Continue scanning file after first hit -s --no-stop Continue scanning file after first hit
@@ -35,6 +36,7 @@ Usage: php scan.php -d <directory>
-o --output-format Custom defined output format -o --output-format Custom defined output format
-j --wordpress-version Version of wordpress to get md5 signatures -j --wordpress-version Version of wordpress to get md5 signatures
--combined-whitelist Combined whitelist --combined-whitelist Combined whitelist
--custom-whitelist Loads whitelist from specified file and merge with existing
--disable-stats Disable statistics output --disable-stats Disable statistics output
``` ```

9
definitions/patterns_raw.txt
View File

@@ -108,11 +108,6 @@ SFRUUF9VU0VSX0FHRU5U
hUVFBfVVNFUl9BR0VOV hUVFBfVVNFUl9BR0VOV
IVFRQX1VTRVJfQUdFTl IVFRQX1VTRVJfQUdFTl
# "file" in base64
ZmlsZ
ZpbG
maWxl
# "gzinflate" in base64 # "gzinflate" in base64
Z3ppbmZsYXRl Z3ppbmZsYXRl
d6aW5mbGF0Z d6aW5mbGF0Z
@@ -201,6 +196,7 @@ eval(base64_decode(
$data = base64_decode(" $data = base64_decode("
edoced_46esab edoced_46esab
base=base64_encode base=base64_encode
'b'.'ase6'.'4_e'.'ncode'
cr"."eat"."e_fun"."cti"."on cr"."eat"."e_fun"."cti"."on
gz'.'inf'.'late gz'.'inf'.'late
# fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code. # fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
@@ -260,6 +256,9 @@ itsoknoproblembro
tmhapbzcerff tmhapbzcerff
IndoXploit IndoXploit
FaisaL Ahmed aka rEd X FaisaL Ahmed aka rEd X
smisbot
smotherbot
Indonesian Hacker Rulez
# WP-VCD Malware https://www.getastra.com/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/ # WP-VCD Malware https://www.getastra.com/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/
wp-vcd wp-vcd

52
scan.php
View File

@@ -31,6 +31,7 @@ class MalwareScanner
private $flagChecksum = false; private $flagChecksum = false;
private $flagComments = false; private $flagComments = false;
private $flagHideOk = false; private $flagHideOk = false;
private $flagHideErr = false;
private $flagHideWhitelist = false; private $flagHideWhitelist = false;
private $flagNoStop = false; private $flagNoStop = false;
private $flagPattern = false; private $flagPattern = false;
@@ -41,6 +42,7 @@ class MalwareScanner
private $flagScanEverything = false; private $flagScanEverything = false;
private $flagCombinedWhitelist = false; private $flagCombinedWhitelist = false;
private $flagDisableStats = false; private $flagDisableStats = false;
private $customWhitelist = array();
private $outputFormat = ''; private $outputFormat = '';
private $whitelist = array(); private $whitelist = array();
private $ignore = array(); private $ignore = array();
@@ -190,16 +192,21 @@ class MalwareScanner
return $list; return $list;
} }
//Loads the whitelist file /**
public function loadWhitelist() * Loads the whitelist files
*/
public function loadWhitelists()
{ {
if (!is_file(__DIR__ . '/whitelist.txt')) { $a = array_merge([__DIR__ . '/whitelist.txt'], $this->customWhitelist);
return; foreach ($a as $file) {
} if (is_file($file)) {
$fp = fopen(__DIR__ . '/whitelist.txt', 'r'); $fp = fopen($file, 'r');
while (!feof($fp)) { while (!feof($fp)) {
$line = fgets($fp); $line = fgets($fp);
$this->whitelist[] = substr($line, 0, 32); $this->whitelist[] = substr($line, 0, 32);
}
fclose($fp);
}
} }
} }
@@ -247,6 +254,7 @@ class MalwareScanner
'wordpress-version:', 'wordpress-version:',
'scan-everything', 'scan-everything',
'combined-whitelist', 'combined-whitelist',
'custom-whitelist:',
'disable-stats' 'disable-stats'
) )
); );
@@ -298,6 +306,9 @@ class MalwareScanner
if (isset($options['hide-ok']) || isset($options['k'])) { if (isset($options['hide-ok']) || isset($options['k'])) {
$this->setFlagHideOk(true); $this->setFlagHideOk(true);
} }
if (isset($options['hide-err']) || isset($options['r'])) {
$this->setFlagHideErr(true);
}
if (isset($options['hide-whitelist']) || isset($options['w'])) { if (isset($options['hide-whitelist']) || isset($options['w'])) {
$this->setFlagHideWhitelist(true); $this->setFlagHideWhitelist(true);
} }
@@ -330,6 +341,13 @@ class MalwareScanner
if (isset($options['combined-whitelist'])) { if (isset($options['combined-whitelist'])) {
$this->setFlagCombinedWhitelist(true); $this->setFlagCombinedWhitelist(true);
} }
if (isset($options['custom-whitelist'])) {
$a = $options['custom-whitelist'];
if (!is_array($a)) {
$a = array($a);
}
$this->setCustomWhitelist(array_unique($a));
}
if (isset($options['disable-stats'])) { if (isset($options['disable-stats'])) {
$this->setFlagDisableStats(true); $this->setFlagDisableStats(true);
} }
@@ -396,6 +414,11 @@ class MalwareScanner
$this->flagHideOk = $b; $this->flagHideOk = $b;
} }
public function setFlagHideErr($b)
{
$this->flagHideErr = $b;
}
public function setFlagHideWhitelist($b) public function setFlagHideWhitelist($b)
{ {
$this->flagHideWhitelist = $b; $this->flagHideWhitelist = $b;
@@ -426,6 +449,11 @@ class MalwareScanner
$this->flagDisableStats = $b; $this->flagDisableStats = $b;
} }
public function setCustomWhitelist($a)
{
$this->customWhitelist = $a;
}
// @see http://stackoverflow.com/a/13914119 // @see http://stackoverflow.com/a/13914119
private function pathMatches($path, $pattern, $ignoreCase = false) private function pathMatches($path, $pattern, $ignoreCase = false)
{ {
@@ -490,6 +518,9 @@ class MalwareScanner
$state = 'WL'; $state = 'WL';
$state_color = $this->ANSI_YELLOW; $state_color = $this->ANSI_YELLOW;
} else { } else {
if ($this->flagHideErr) {
return;
}
$state = 'ER'; $state = 'ER';
$state_color = $this->ANSI_RED; $state_color = $this->ANSI_RED;
} }
@@ -614,7 +645,7 @@ class MalwareScanner
{ {
$this->initializePatterns(); $this->initializePatterns();
$this->loadWhitelist(); $this->loadWhitelists();
if ($this->flagCombinedWhitelist && !$this->updateCombinedWhitelist()) { if ($this->flagCombinedWhitelist && !$this->updateCombinedWhitelist()) {
return false; return false;
@@ -820,6 +851,7 @@ class MalwareScanner
echo ' -x --extra-check Adds GoogleBot and htaccess to Scan List' . PHP_EOL; echo ' -x --extra-check Adds GoogleBot and htaccess to Scan List' . PHP_EOL;
echo ' -l --follow-symlink Follow symlinked directories' . PHP_EOL; echo ' -l --follow-symlink Follow symlinked directories' . PHP_EOL;
echo ' -k --hide-ok Hide results with \'OK\' status' . PHP_EOL; echo ' -k --hide-ok Hide results with \'OK\' status' . PHP_EOL;
echo ' -r --hide-err Hide results with \'ER\' status' . PHP_EOL;
echo ' -w --hide-whitelist Hide results with \'WL\' status' . PHP_EOL; echo ' -w --hide-whitelist Hide results with \'WL\' status' . PHP_EOL;
echo ' -n --no-color Disable color mode' . PHP_EOL; echo ' -n --no-color Disable color mode' . PHP_EOL;
echo ' -s --no-stop Continue scanning file after first hit' . PHP_EOL; echo ' -s --no-stop Continue scanning file after first hit' . PHP_EOL;