nichogenius dc60cea192 Bug Fixes, added time/checksum flags, organized
--Fixed a bug with the out function.  Previous updates of mine did not update all calls to the out function which I changed the parameters for.  Fixed this by replacing the out function with an 'error' function.
--Alphabetized function definitions and did some general tidying up
--Made all functions private except the constructor.
--Created parseArgs function to handle reading in options.
--Fixed a bug with 'extra-check' where htaccess and googleBot were being pushed to the pattern array each time a file was scanned. 
 This bug was created when I moved the pattern initialize code to the constructor.  Moved extra-check code with the rest of the initialize pattern calls.
--Added -no-color, -time, and -checksum flags.  I'd prefer if the output was only as spammy as the user requests.  Time should be helpful in tracing when the attack occurred and if files are related to the same hack.  Time and checksum do not display by default.  no-color flag makes it easier to dump to plain text files.

PHP malware scanner

Traverses directories for files with the php extension and tests them against text or regexp rules. The rules are based on self-gathered samples and publicly available malware and webshells. The goal is to find infected files and fight against kiddies, since the rules are too easy to bypass.

How to use?

$ php ./scan.php -h
Usage scan.php -d <directory> [-i=<directory|file>] [-e=.php] [--hide-ok] [--hide-whitelist]
    -d                    Directory for searching
    -e=.php               Extension
    -i=<directory|file>   Directory of file to igonre
    --hide-ok             Hide OK aka not infected messages
    --hide-whitelist      Hide whitelisted messages
    --extra-check         Adds GoogleBot and htaccess to Scan List
    --follow-symlink      Follow symlinked directories

The ignore argument can be used multiple times and accepts glob-style matching, e.g. "cache*", "??-cache.php" or "/cache".

Patterns

There are two different pattern sources, and each line in these files is one pattern. Lines from patterns_raw.txt are searched as-is; lines from patterns_re.txt are used with the preg_match function.

Whitelisting

See the whitelist.txt file for a predefined MD5 hash list. Only the first 32 characters of each line are used and the rest of the line is ignored, so feel free to leave a comment.
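The Patterns and Whitelisting rules above can be seen working together in the following added example, which is not code from this project. The function names, sample files and patterns are constructed; it assumes raw matching is case-sensitive and that regex lines carry no delimiters.

```php
<?php
// Whitelist lines: the first 32 characters are the MD5, the rest is a free-form comment.
function loadWhitelist(array $lines): array {
    $hashes = [];
    foreach ($lines as $line) {
        $md5 = strtolower(substr($line, 0, 32));
        if (preg_match('/^[0-9a-f]{32}$/', $md5)) { // skip blank or malformed lines
            $hashes[$md5] = true;
        }
    }
    return $hashes;
}

// Returns 'whitelisted', 'ok', or the first pattern that matched.
function scanContent(string $content, array $whitelist, array $raw, array $regex): string {
    if (isset($whitelist[md5($content)])) {
        return 'whitelisted';
    }
    foreach ($raw as $needle) { // patterns_raw.txt style: plain substring search
        if ($needle !== '' && strpos($content, $needle) !== false) {
            return "raw: $needle";
        }
    }
    foreach ($regex as $re) {
        // Assumption: the line has no delimiters and contains no '~', so wrap it here.
        $result = @preg_match('~' . $re . '~', $content);
        if ($result === false) {
            error_log("skipping invalid regex: $re"); // a bad rule must not abort the scan
        } elseif ($result === 1) {
            return "regex: $re";
        }
    }
    return 'ok';
}

// Constructed sample data, held in memory instead of read from disk.
$known     = '<?php echo "hello";';
$whitelist = loadWhitelist([md5($known) . ' known-good template', '', '# no hash here']);
$raw       = ['eval(base64_decode('];
$regex     = ['assert\s*\(\s*\$_(GET|POST|REQUEST)', '(unclosed'];
$samples   = [
    'template.php' => $known,
    'upload.php'   => '<?php eval(base64_decode($_POST["p"]));',
    'hook.php'     => '<?php assert( $_GET["c"] );',
    'index.php'    => '<?php echo date("Y");',
];
foreach ($samples as $name => $content) {
    printf("%-13s %s\n", $name, scanContent($content, $whitelist, $raw, $regex));
}
```

Because the whitelist is keyed on the hash of the whole file, changing a single byte of a whitelisted file makes it subject to pattern checks again.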

Resources

Licensing

PHP malware scanner is licensed under the GNU General Public License v3.
