nichogenius d54833f44d Moved to base64_patterns folder
2017-08-20 13:20:46 -06:00

PHP malware scanner

Traverses directories for files with PHP extensions and tests each file against text or regexp rules; the rules are based on self-gathered samples and publicly available malware/webshells. The goal is to find infected files and fight script kiddies, because the rules are too easy to bypass for anything more sophisticated.

How to use?

Usage: php scan.php -d <directory>
    -h                   --help             Show this help message
    -d <directory>       --directory        Directory for searching
    -e <file extension>  --extension        File Extension to Scan
    -i <directory|file>  --ignore           Directory of file to ignore
    -a                   --all-output       Enables --checksum,--comment,--pattern,--time
    -b                   --base64           Scan for base64 encoded PHP keywords
    -m                   --checksum         Display MD5 Hash/Checksum of file
    -c                   --comment          Display comments for matched patterns
    -x                   --extra-check      Adds GoogleBot and htaccess to Scan List
    -l                   --follow-symlink   Follow symlinked directories
    -k                   --hide-ok          Hide results with 'OK' status
    -w                   --hide-whitelist   Hide results with 'WL' status
    -n                   --no-color         Disable color mode
    -s                   --no-stop          Continue scanning file after first hit
    -p                   --pattern          Show Patterns next to the file name
    -t                   --time             Show time of last file change

The ignore argument can be used multiple times and accepts glob-style matching, e.g. "cache*", "??-cache.php" or "/cache".

Patterns

There are two pattern sources, and each line in these files is one pattern: lines in patterns_raw.txt are searched as-is (literal text), while lines in patterns_re.txt are used as regular expressions with the preg_match function.

Whitelisting

See the whitelist.txt file for a predefined MD5 hash list. Only the first 32 characters of each line are used and the rest of the line is ignored, so feel free to leave a comment after the hash.
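The following is an added example, not the scanner's own code, showing how the two pattern sources and the whitelist described above fit together: raw lines are matched as literal text, regex lines go through preg_match, a file whose MD5 appears in the first 32 characters of a whitelist line gets the WL status, and the no-stop flag decides whether scanning continues after the first hit. The rule files and sample PHP files are constructed inline.

```php
<?php
// Constructed stand-ins for patterns_raw.txt, patterns_re.txt and whitelist.txt.
$patternsRaw = "eval(base64_decode(\nassert(\$_REQUEST\n";
$patternsRe = <<<'EOT'
/\$_(GET|POST|REQUEST)\[[^\]]+\]\s*\(/
/preg_replace\s*\(.*\/e/i
EOT;
$whitelist = md5("<?php echo 'hello'; ?>") . " known-good test file (comment ignored)\n";

// One rule per line; blank lines are skipped.
function loadLines(string $text): array {
    return array_values(array_filter(array_map('rtrim', explode("\n", $text)), 'strlen'));
}
// Only the first 32 characters of a whitelist line are the hash.
function loadWhitelist(string $text): array {
    $hashes = [];
    foreach (loadLines($text) as $line) {
        $hashes[strtolower(substr($line, 0, 32))] = true;
    }
    return $hashes;
}
// Returns status WL (whitelisted), OK (no hit) or HIT plus the patterns that fired.
function scanContent(string $content, array $raw, array $re, array $wl, bool $noStop): array {
    if (isset($wl[md5($content)])) {
        return ['status' => 'WL', 'patterns' => []];
    }
    $hits = [];
    foreach ($raw as $p) {                       // patterns_raw.txt: literal substring
        if (strpos($content, $p) !== false) { $hits[] = $p; if (!$noStop) break; }
    }
    if ($noStop || !$hits) {
        foreach ($re as $p) {                    // patterns_re.txt: regular expression
            if (preg_match($p, $content)) { $hits[] = $p; if (!$noStop) break; }
        }
    }
    return ['status' => $hits ? 'HIT' : 'OK', 'patterns' => $hits];
}

$wl  = loadWhitelist($whitelist);
$raw = loadLines($patternsRaw);
$re  = loadLines($patternsRe);
// Constructed sample files: a whitelisted benign file and a suspicious one.
$samples = [
    'hello.php'   => "<?php echo 'hello'; ?>",
    'suspect.php' => "<?php eval(base64_decode(\$_POST['c'])); \$_GET['x'](); ?>",
];
foreach ($samples as $name => $content) {
    $r = scanContent($content, $raw, $re, $wl, true);  // true = --no-stop behaviour
    printf("%-12s [%s] %s\n", $name, $r['status'], implode(' | ', $r['patterns']));
}
```

With no-stop enabled, suspect.php reports both the literal eval(base64_decode( hit and the superglobal-call regex hit; with it disabled only the first hit is reported, which is what the -s option in the usage above toggles.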

Resources

Licensing

PHP malware scanner is licensed under the GNU General Public License v3.
