nichogenius 0e40b194e6 Uploaded an organized and commented version
This file just contains a list of internal php 7 functions (probably incomplete depending on extensions etc) and their 3 base64 fingerprints. It is designed to be used as either a pattern file to explore potential patterns that may be effective, or simply as a reference to translate between plain text php and the 3 different base64 versions.

PHP malware scanner

The scanner traverses directories for files with PHP extensions and tests each file against text or regular-expression rules. The rules are based on self-gathered samples and publicly available malware/webshells. The goal is to find infected files and to fight script kiddies; rules alone are too easy to bypass to stop a determined attacker.

How to use?

$ php ./scan.php -h
Usage scan.php -d <directory> [-i=<directory|file>] [-e=.php] [--hide-ok] [--hide-whitelist]
    -d                    Directory for searching
    -e=.php               Extension
    -i=<directory|file>   Directory or file to ignore
    --hide-ok             Hide OK aka not infected messages
    --hide-whitelist      Hide whitelisted messages
    --extra-check         Adds GoogleBot and htaccess to Scan List
    --follow-symlink      Follow symlinked directories

The ignore argument can be given multiple times and accepts glob-style matching, e.g. "cache*", "??-cache.php" or "/cache".

Patterns

There are two pattern sources, and each line in these files is one pattern: lines from patterns_raw.txt are searched as-is (literal text), and lines from patterns_re.txt are used as regular expressions with the preg_match function.

Whitelisting

See the whitelist.txt file for a predefined MD5 hash list. Only the first 32 characters of each line are used; the rest of the line is ignored, so feel free to leave a comment there.
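The following is an added example, not the project's scan.php, showing how the three mechanisms described above (the ignore globs, the two pattern sources, and the 32-character whitelist rule) fit together in a minimal scanner core. The rule file names follow the README; the sample PHP files, the ignore glob, the rule lines and the component-wise glob matching in isIgnored are constructed assumptions for this demo. The file hit_re.php is deliberately written with spacing and upper case so that the literal rule misses it and only the regexp rule matches, which is the reason the two pattern sources exist.

```php
<?php
// Added example, not the project's scan.php: a minimal scanner core covering the
// README's three behaviours. Rule file names follow the README; the sample
// files, ignore glob, rule lines and glob-matching details are constructed.
//   patterns_raw.txt : one literal string per line, searched as-is (strpos)
//   patterns_re.txt  : one regular expression per line, tested with preg_match
//   whitelist.txt    : MD5 per line, only the first 32 characters are significant

function loadLines($path) {
    // One rule per line; blank lines are dropped, nothing else is stripped,
    // because in the raw file every character is part of the pattern.
    $lines = file($path, FILE_IGNORE_NEW_LINES);
    return array_values(array_filter($lines, function ($l) { return $l !== ''; }));
}

function loadWhitelist($path) {
    // Only the first 32 characters (the hex MD5) count; the remainder of the
    // line is a free-form comment, as the README allows.
    $hashes = array();
    foreach (loadLines($path) as $line) {
        $hashes[strtolower(substr($line, 0, 32))] = true;
    }
    return $hashes;
}

function isIgnored($path, $ignoreGlobs) {
    // Glob rules ("cache*", "??-cache.php", "/cache") are tested against the
    // whole path and against every path component, so one rule can name a
    // file or a directory (assumption about how scan.php applies -i).
    $parts = explode(DIRECTORY_SEPARATOR, $path);
    foreach ($ignoreGlobs as $glob) {
        if (fnmatch($glob, $path)) {
            return true;
        }
        $component = ltrim($glob, '/');
        foreach ($parts as $part) {
            if ($part !== '' && fnmatch($component, $part)) {
                return true;
            }
        }
    }
    return false;
}

// Returns 'WHITELIST', 'OK' or 'INFECTED (<which rule>)'.
function scanFile($path, $raw, $re, $whitelist) {
    $content = file_get_contents($path);
    if (isset($whitelist[md5($content)])) {
        return 'WHITELIST';
    }
    foreach ($raw as $needle) {
        // Literal rule: exact, case-sensitive substring.
        if (strpos($content, $needle) !== false) {
            return "INFECTED (raw: $needle)";
        }
    }
    foreach ($re as $pattern) {
        // preg_match: 1 = match, 0 = no match, false = malformed rule. A bad
        // rule line is reported instead of silently counting as "no match".
        $r = @preg_match($pattern, $content);
        if ($r === false) {
            fwrite(STDERR, "bad regexp rule: $pattern\n");
        } elseif ($r === 1) {
            return "INFECTED (re: $pattern)";
        }
    }
    return 'OK';
}

function scanDirectory($dir, $ext, $ignoreGlobs, $raw, $re, $whitelist, $followSymlinks = false) {
    $flags = FilesystemIterator::SKIP_DOTS;
    if ($followSymlinks) {
        $flags |= FilesystemIterator::FOLLOW_SYMLINKS;  // the --follow-symlink option
    }
    $results = array();
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, $flags));
    foreach ($it as $file) {
        $path = $file->getPathname();
        if (!$file->isFile() || substr($path, -strlen($ext)) !== $ext) {
            continue;                                    // the -e=.php filter
        }
        if (isIgnored($path, $ignoreGlobs)) {
            continue;                                    // the -i filter
        }
        $results[$path] = scanFile($path, $raw, $re, $whitelist);
    }
    ksort($results);
    return $results;
}

// ---- constructed demo tree and rule files ----
$tmp = sys_get_temp_dir() . '/scan_demo_' . getmypid();
mkdir("$tmp/site/cache", 0700, true);
file_put_contents("$tmp/patterns_raw.txt", "eval(base64_decode(\n");
file_put_contents("$tmp/patterns_re.txt", '/eval\s*\(\s*(gzinflate|gzuncompress|str_rot13)\s*\(/i' . "\n");
file_put_contents("$tmp/site/index.php", "<?php echo 'hello';\n");
file_put_contents("$tmp/site/hit_raw.php", "<?php eval(base64_decode('PLACEHOLDER'));\n");
// Spacing and case defeat the literal rule; only the regexp rule can match this.
file_put_contents("$tmp/site/hit_re.php", "<?php EVAL ( gzinflate ( 'PLACEHOLDER' ) );\n");
file_put_contents("$tmp/site/cache/stale.php", "<?php eval(base64_decode('PLACEHOLDER'));\n");
file_put_contents("$tmp/whitelist.txt", md5(file_get_contents("$tmp/site/index.php")) . " known-good index\n");

$results = scanDirectory(
    "$tmp/site", '.php', array('cache'),
    loadLines("$tmp/patterns_raw.txt"), loadLines("$tmp/patterns_re.txt"),
    loadWhitelist("$tmp/whitelist.txt")
);
foreach ($results as $path => $verdict) {
    printf("%-12s %s\n", $verdict, substr($path, strlen($tmp) + 1));
}
```

Run it with php from the command line. The whitelist check runs before any pattern, so a whitelisted file never produces a false positive even if it contains a rule string, and files under the ignored cache directory are never opened at all.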

Resources

Licensing

PHP malware scanner is licensed under the GNU General Public License v3.
