- Gave each flag a short or long option, like i:ignore, d:directory or k:hide-ok
- Added a verbose option that instructs the scan to scan a file for ALL matches and not just stop at the first one.
- Restructured the output code to allow for the verbose flag, mainly a new function printPath and where the md5 hash is computed
- Modified the output to be cleaner: the checksum is printed first, as it is fixed-width, which also makes it easier to paste into the whitelist file.
- Modified the output to be 'bash safe', i.e. when I accidentally paste my scan results into my terminal, the '#' should make sure everything is treated as a comment. This is in contrast to possibly attempting to execute absolute paths to potentially malicious PHP scripts and the usage of '>', which tells the shell to write to a file. Also enclosed each path in {} for similar purposes.
- Printing the matched string/pattern in $color... might change later depending on preference.
PHP malware scanner
Traverses directories for files with a PHP extension and tests each file against text or regexp rules. The rules are based on self-gathered samples and publicly available malware/webshells. The goal is to find infected files and fight script kiddies; the rules are too easy to bypass to stop a skilled attacker.
How to use?
$ php ./scan.php -h
Usage scan.php -d <directory> [-i=<directory|file>] [-e=.php] [--hide-ok] [--hide-whitelist]
-d Directory for searching
-e=.php Extension
-i=<directory|file> Directory or file to ignore
--hide-ok Hide OK aka not infected messages
--hide-whitelist Hide whitelisted messages
--extra-check Adds GoogleBot and htaccess to Scan List
--follow-symlink Follow symlinked directories
The ignore argument can be used multiple times and accepts glob-style matching, e.g. "cache*", "??-cache.php" or "/cache".
Patterns
There are two pattern sources, and each line in these files is one pattern: lines in patterns_raw.txt are searched as-is, while lines in patterns_re.txt are used with the preg_match function.
Whitelisting
See the whitelist.txt file for a predefined MD5 hash list. Only the first 32 characters of each line are used; the rest of the line is ignored, so feel free to leave a comment.
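The following is an added example, not the project's own scan.php, showing how the pieces described in the Patterns and Whitelisting sections (and the glob-style ignore rules above) fit together in one pass: raw patterns searched with strpos, regex patterns with preg_match, MD5 whitelisting using only the first 32 characters of a line, and the '#'-prefixed, checksum-first output format. The function names, the treatment of a leading '/' in an ignore rule, the assumption that patterns_re.txt holds delimited PCRE patterns, and the sample files and patterns are all assumptions constructed for this example.

```php
<?php
// Added example (not the project's scan.php). File names, function names and
// the sample patterns/files below are constructed for illustration.

// One pattern per line; blank lines skipped (assumption: '#' starts a comment).
function loadPatterns(string $path): array {
    if (!is_readable($path)) {
        return [];
    }
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return array_values(array_filter($lines, fn($l) => $l !== '' && $l[0] !== '#'));
}

// whitelist.txt: only the first 32 characters (the MD5 hex digest) count,
// the rest of the line is a free-form comment.
function loadWhitelist(string $path): array {
    $hashes = [];
    foreach (loadPatterns($path) as $line) {
        $hash = strtolower(substr($line, 0, 32));
        if (preg_match('/^[0-9a-f]{32}$/', $hash) === 1) {
            $hashes[$hash] = true;
        }
    }
    return $hashes;
}

// Glob-style ignore rules ("cache*", "??-cache.php", "/cache"). A rule is tested
// against the basename and the path relative to the scan root; a rule with a
// leading '/' is treated as a directory prefix (assumption).
function isIgnored(string $relPath, array $ignores): bool {
    $base = basename($relPath);
    foreach ($ignores as $rule) {
        $rule = ltrim($rule, '/');
        if (fnmatch($rule, $base) || fnmatch($rule, $relPath)
            || strpos($relPath, $rule . '/') === 0) {
            return true;
        }
    }
    return false;
}

// Raw patterns are searched as-is, regex patterns via preg_match (assumed to be
// delimited PCRE). Non-verbose returns on the first hit; verbose collects all.
function scanContent(string $content, array $raw, array $re, bool $verbose): array {
    $hits = [];
    foreach ($raw as $p) {
        if (strpos($content, $p) !== false) {
            $hits[] = "raw: $p";
            if (!$verbose) { return $hits; }
        }
    }
    foreach ($re as $p) {
        if (preg_match($p, $content) === 1) {
            $hits[] = "re: $p";
            if (!$verbose) { return $hits; }
        }
    }
    return $hits;
}

// 'Bash safe' result line: '#' first so a pasted line is a shell comment, then
// the fixed-width MD5 (easy to copy into whitelist.txt), then the path in {}.
function formatResult(string $md5, string $path, string $status, array $hits): string {
    $line = "# $md5 {" . $path . "} $status";
    return $hits ? $line . ' ' . implode(' | ', $hits) : $line;
}

function scanDirectory(string $dir, string $ext, array $ignores, array $whitelist,
                       array $raw, array $re, bool $verbose, bool $followSymlinks): array {
    $flags = FilesystemIterator::SKIP_DOTS;
    if ($followSymlinks) { $flags |= FilesystemIterator::FOLLOW_SYMLINKS; }
    $root = rtrim($dir, '/');
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root, $flags));
    $out = [];
    foreach ($it as $file) {
        $path = $file->getPathname();
        if (!$file->isFile() || substr($path, -strlen($ext)) !== $ext) { continue; }
        $rel = ltrim(substr($path, strlen($root)), '/');
        if (isIgnored($rel, $ignores)) { continue; }
        $content = file_get_contents($path);
        $md5 = md5($content);
        if (isset($whitelist[$md5])) {
            $out[] = formatResult($md5, $path, 'WHITELISTED', []);
            continue;
        }
        $hits = scanContent($content, $raw, $re, $verbose);
        $out[] = formatResult($md5, $path, $hits ? 'INFECTED' : 'OK', $hits);
    }
    return $out;
}

// Demo on constructed sample files in a temporary directory.
$tmp = sys_get_temp_dir() . '/scan-demo-' . getmypid();
mkdir("$tmp/cache", 0700, true);
file_put_contents("$tmp/index.php", "<?php echo 'hello';\n");
file_put_contents("$tmp/bad.php", "<?php eval(base64_decode(\$_POST['c']));\n");
file_put_contents("$tmp/cache/x.php", "<?php eval(\$_GET['c']);\n"); // skipped by 'cache*'
$raw = ['base64_decode('];     // constructed stand-in for patterns_raw.txt
$re  = ['/eval\s*\(/i'];       // constructed stand-in for patterns_re.txt
foreach (scanDirectory($tmp, '.php', ['cache*'], [], $raw, $re, true, false) as $line) {
    echo $line, "\n";
}
```

Running the demo prints one line per scanned file: index.php is reported OK, bad.php is reported INFECTED with both the raw and the regex hit (verbose mode), and cache/x.php never appears because the ignore rule drops it before its content is read. Pasting the MD5 from an INFECTED line that turns out to be a false positive, with a trailing comment, is all that is needed to whitelist it on the next run.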
Resources
- PHPScanner
- PMF - PHP Malware Finder
- check regexp online
- malware samples 1
- malware samples 2
- malware samples 3
- malware samples 4
Licensing
PHP malware scanner is licensed under the GNU General Public License v3.