PHP malware scanner v1.0.4 releases: Scans PHP files for malwares and known threats
PHP malware scanner
Traversing directories for files with php extensions and testing files against text or regexp rules, the rules-based on self-gathered samples and publicly available malwares/webshells. The goal is to find infected files and fight against kiddies, because too easy to bypass rules.
Changelog v1.0.4
- Merge pull request #52 from cbotsikas/fix-php-support
- Use array() instead of the short array syntax []
Download
git clone https://github.com/scr34m/php-malware-scanner.git
Use
Usage: php scan.php -d <directory>
-h --help Show this help message
-d <directory> --directory Directory for searching
-e <file extension> --extension File Extension to Scan
-E --scan-everything Scan all files, with or without extensions
-i <directory|file> --ignore Directory of file to ignore
-a --all-output Enables --checksum,--comment,--pattern,--time
-b --base64 Scan for base64 encoded PHP keywords
-m --checksum Display MD5 Hash/Checksum of file
-c --comment Display comments for matched patterns
-x --extra-check Adds GoogleBot and htaccess to Scan List
-l --follow-symlink Follow symlinked directories
-k --hide-ok Hide results with 'OK' status
-w --hide-whitelist Hide results with 'WL' status
-n --no-color Disable color mode
-s --no-stop Continue scanning file after first hit
-p --pattern Show Patterns next to the file name
-t --time Show time of last file change
-L --line-number Display matching pattern line number in file
-o --output-format Custom defined output format
-j --wordpress-version Version of wordpress to get md5 signatures
--combined-whitelist Combined whitelist
Ignore argument could be used multiple times and accept glob-style matching ex.: “cache*
“, “??-cache.php
” or “/cache
” etc.
Extension argument defaults to “.php
” and also can be used multiple times too.
--base64
is an alternative scan mode which ignores the main pattern files and uses a large list of php keywords and functions that have been converted to base64. Slower and prone to false positives, but gives additional base64 scanning coverage. These pattern files are located in base64_patterns and were derived from php 7 keywords and functions. Not many PHP extensions are included.--comment
flag will display the last comment to appear in the pattern file before the matched pattern, so documenting the pattern files is important.
Output formatting
Default output depending on the specified parameters, but the full format is “%S %T %M # {%F} %C %P # %L” and using ANSI coloring too.
Possible variables are:
%S
– matching indicator, possible values are OK, ER, WL%T
– file change time%M
– file md5 hash value%F
– file with path%P
– pattern%C
– pattern comment%L
– matching pattern line number
Patterns
There
are three main pattern files the cover different types of pattern
matching. There is one pattern per line. All lines where the very first
character is a “#
” is considered a comment and not used as a pattern. Whitespace in the pattern files is not used.
patterns_raw.txt
– Raw string matchingpatterns-iraw.txt
– Case insensitive raw string matchingpatterns-re.txt
– Regular expression matching.
More…
Copyright (C) 2017 scr34m