PHP malware scanner v1.0.4 releases: Scans PHP files for malware and known threats

PHP malware scanner

It traverses directories for files with PHP extensions and tests them against text or regexp rules. The rules are based on self-gathered samples and publicly available malware and webshells. The goal is to find infected files and fight against kiddies, because it is too easy to bypass rules.

Changelog v1.0.4

  • Merge pull request #52 from cbotsikas/fix-php-support
  • Use array() instead of the short array syntax []

Download

git clone https://github.com/scr34m/php-malware-scanner.git

Use

Usage: php scan.php -d <directory>
    -h                   --help               Show this help message
    -d <directory>       --directory          Directory for searching
    -e <file extension>  --extension          File Extension to Scan
    -E                   --scan-everything    Scan all files, with or without extensions
    -i <directory|file>  --ignore             Directory of file to ignore
    -a                   --all-output         Enables --checksum,--comment,--pattern,--time
    -b                   --base64             Scan for base64 encoded PHP keywords
    -m                   --checksum           Display MD5 Hash/Checksum of file
    -c                   --comment            Display comments for matched patterns
    -x                   --extra-check        Adds GoogleBot and htaccess to Scan List
    -l                   --follow-symlink     Follow symlinked directories
    -k                   --hide-ok            Hide results with 'OK' status
    -w                   --hide-whitelist     Hide results with 'WL' status
    -n                   --no-color           Disable color mode
    -s                   --no-stop            Continue scanning file after first hit
    -p                   --pattern            Show Patterns next to the file name
    -t                   --time               Show time of last file change
    -L                   --line-number        Display matching pattern line number in file
    -o                   --output-format      Custom defined output format
    -j                   --wordpress-version  Version of wordpress to get md5 signatures
                         --combined-whitelist Combined whitelist

The ignore argument can be used multiple times and accepts glob-style matching, e.g. “cache*”, “??-cache.php” or “/cache”.

The extension argument defaults to “.php” and can also be used multiple times.

  • --base64 is an alternative scan mode which ignores the main pattern files and uses a large list of PHP keywords and functions that have been converted to base64. It is slower and prone to false positives, but gives additional base64 scanning coverage. These pattern files are located in base64_patterns and were derived from PHP 7 keywords and functions. Not many PHP extensions are included.
  • The --comment flag displays the last comment to appear in the pattern file before the matched pattern, so documenting the pattern files is important.

Output formatting

The default output depends on the specified parameters, but the full format is “%S %T %M # {%F} %C %P # %L”, with ANSI coloring.

Possible variables are:

  • %S – matching indicator, possible values are OK, ER, WL
  • %T – file change time
  • %M – file md5 hash value
  • %F – file with path
  • %P – pattern
  • %C – pattern comment
  • %L – matching pattern line number

Patterns

There are three main pattern files that cover different types of pattern matching. There is one pattern per line. Any line whose very first character is “#” is considered a comment and is not used as a pattern. Whitespace in the pattern files is not used.

  • patterns_raw.txt – Raw string matching
  • patterns-iraw.txt – Case insensitive raw string matching
  • patterns-re.txt – Regular expression matching.
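
The pattern-file format above and the --comment behaviour described earlier, shown as an added example (not code from the scanner or its author). The rule text, file contents, function names, and the stripping of whitespace and blank lines are assumptions made for illustration, and the regular expressions use Python syntax rather than the scanner's engine.

```python
import re

def load_patterns(text):
    """Parse pattern-file text into (pattern, comment) pairs.

    One pattern per line; a line whose very first character is "#" is a
    comment. Each pattern keeps the last comment seen before it, which is
    what --comment reports. Stripping whitespace and skipping blank lines
    is an assumption of this example.
    """
    rules, comment = [], ""
    for line in text.splitlines():
        if line.startswith("#"):
            comment = line[1:].strip()
            continue
        line = line.strip()
        if line:
            rules.append((line, comment))
    return rules

def first_hit(content, rules, mode):
    """Return (line_number, pattern, comment) for the first hit, else None.

    mode: "raw" exact substring, "iraw" case-insensitive substring,
    "re" regular expression (Python syntax here, not the scanner's engine).
    """
    for pattern, comment in rules:
        if mode == "raw":
            m = re.search(re.escape(pattern), content)
        elif mode == "iraw":
            m = re.search(re.escape(pattern), content, re.IGNORECASE)
        else:
            m = re.search(pattern, content)
        if m:
            return content.count("\n", 0, m.start()) + 1, pattern, comment
    return None

# Constructed rule text and constructed file contents (not from the project).
RAW_RULES = load_patterns("# eval of base64-decoded input\neval(base64_decode(\n")
RE_RULES = load_patterns("# eval/base64_decode, any case or spacing\n"
                         r"(?i)eval\s*\(\s*base64_decode\s*\(" "\n")
SAMPLE = "<?php\n// constructed sample\nEVAL(Base64_Decode($_POST['x']));\n"
SAMPLE_SPACED = "<?php\n// constructed sample\neval ( base64_decode ($_POST['x']));\n"

if __name__ == "__main__":
    for mode, rules in (("raw", RAW_RULES), ("iraw", RAW_RULES), ("re", RE_RULES)):
        for name, text in (("SAMPLE", SAMPLE), ("SAMPLE_SPACED", SAMPLE_SPACED)):
            print(mode, name, first_hit(text, rules, mode))
```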

Copyright (C) 2017 scr34m

Anastasis Vasileiadis