nichogenius 4014f414dc This is how I generate base64 sample patterns.
Example usage:

I want to see if a giant block of base64 code contains any references to the string 'base64'. 
The naive approach is to convert the string to its base64 equivalent, YmFzZTY0.

There are two problems with this approach.  The first is that the string will be different depending on the position of the first character 'Y' in the input string.  Possible offsets are 0 bits, 2 bits or 4 bits.  The above example only calculates the 0 bit offset.  There should be 3 separate base64 strings to look for.

The second problem is that base64 strings use a 6 bit encoding, so the characters don't align the same as 8 bit encoding.  This leads to character bleeding at the beginning and ends of a string where the string will change depending on its immediate context.  This script calculates the maximum constant string length that should be present.  Unfortunately it requires trimming characters which can often lead to very short strings.
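The alignment and bleeding problem described in the commit message, worked through in code. This is an added example written for this page, not the author's script: `base64_variants` produces the three trimmed fragments (0, 2 and 4 bit offsets), and `base64_regex` goes one step further than trimming by keeping each bleeding boundary character as a character class of every value its unknown neighbour bits could give it, so the resulting rule stays longer than the trimmed fragment. Function names and the sample blobs are constructed for the example.

```python
import base64
import re

# The standard base64 alphabet, indexed by 6-bit value.
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def _encode_at_offset(needle: bytes, pad: int) -> tuple[str, int, int]:
    """Base64-encode `needle` as if it began `pad` bytes (0, 1 or 2) into a
    3-byte group, i.e. at a 0, 2 or 4 bit offset inside a base64 character.
    Returns the encoding plus the [start, end) index range of characters whose
    six bits come entirely from `needle`; every other character also depends
    on whatever bytes surround the string in the real input."""
    data = b"\x00" * pad + needle
    tail = (-len(data)) % 3                      # pad to a 3-byte multiple: no '='
    enc = base64.b64encode(data + b"\x00" * tail).decode("ascii")
    start = -(-8 * pad // 6)                     # ceil(8*pad / 6)
    end = 8 * len(data) // 6                     # floor(8*(pad + len) / 6)
    return enc, start, end


def base64_variants(needle: bytes) -> list[str]:
    """The three context-independent fragments, boundary characters trimmed.
    For short needles the trimmed fragments become very short."""
    if not needle:
        raise ValueError("needle must not be empty")
    return [enc[s:e] for enc, s, e in (_encode_at_offset(needle, p) for p in range(3))]


def base64_regex(needle: bytes) -> str:
    """Same three alignments, but each bleeding boundary character is kept as a
    character class enumerating its possible values instead of being trimmed.
    The result is one alternation usable as a regex (preg_match / re) rule."""
    if not needle:
        raise ValueError("needle must not be empty")
    alts = []
    for pad in range(3):
        enc, start, end = _encode_at_offset(needle, pad)
        lead = ""
        if start > 0:
            # char[start-1] has `known` low bits from needle[0]; the rest come
            # from the unknown preceding byte, so enumerate those high bits.
            known = 6 * start - 8 * pad
            low = needle[0] >> (8 - known)
            lead = "[" + "".join(re.escape(B64[(x << known) | low])
                                 for x in range(1 << (6 - known))) + "]"
        trail = ""
        r = (8 * (pad + len(needle))) % 6        # known high bits in char[end]
        if r:
            high = needle[-1] & ((1 << r) - 1)
            trail = "[" + "".join(re.escape(B64[(high << (6 - r)) | y])
                                  for y in range(1 << (6 - r))) + "]"
        alts.append(lead + re.escape(enc[start:end]) + trail)
    return "|".join(alts)


def find_in_base64(blob: str, needle: bytes) -> list[tuple[int, str]]:
    """Locate `needle` inside a base64 blob at any alignment; (offset, match)."""
    return [(m.start(), m.group(0)) for m in re.finditer(base64_regex(needle), blob)]


if __name__ == "__main__":
    print(base64_variants(b"base64"))            # trimmed fragments
    print(base64_regex(b"base64"))               # character-class form
    # Constructed sample: 'base64' sits at byte offset 4, 5 and 6 respectively.
    for k in range(3):
        blob = base64.b64encode(b"A" * k + b"see base64 now").decode()
        print(blob, find_in_base64(blob, b"base64"))
```

The trimmed fragments are the drop-in values for a raw pattern file; the regex form is what a practitioner would put in a regex rule file when the trimmed fragment is too short to be a useful signature on its own.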

PHP malware scanner

Traverses directories for files with PHP extensions and tests each file against text or regexp rules. The rules are based on self-gathered samples and publicly available malware/webshells. The goal is to find infected files and fight against script kiddies, because rules like these are too easy to bypass for anything more sophisticated.

How to use?

$ php ./scan.php -h
Usage scan.php -d <directory> [-i=<directory|file>] [-e=.php] [--hide-ok] [--hide-whitelist]
    -d                    Directory for searching
    -e=.php               Extension
    -i=<directory|file>   Directory or file to ignore
    --hide-ok             Hide OK aka not infected messages
    --hide-whitelist      Hide whitelisted messages
    --extra-check         Adds GoogleBot and htaccess to Scan List
    --follow-symlink      Follow symlinked directories

The ignore argument can be used multiple times and accepts glob style matching, e.g. "cache*", "??-cache.php" or "/cache".

Patterns

There are two different pattern sources; each line in these files is a pattern. Lines in patterns_raw.txt are searched as-is, lines in patterns_re.txt are used with the preg_match function.

Whitelisting

See the whitelist.txt file for a predefined MD5 hash list. Only the first 32 characters of each line are used; the rest of the line is ignored, so feel free to leave a comment there.

Resources

Licensing

PHP malware scanner is licensed under the GNU General Public License v3.
