Guide: php-malware-scanner on GitHub
Traverses directories for files with PHP extensions and tests them against text or regexp rules. The rules are based on self-gathered samples and publicly available malware and webshells. The goal is to find infected files and to fight script kiddies, because the rules are too easy to bypass for anyone more capable. Simply clone the repository or install it with composer, globally.

Usage
The ignore argument can be used multiple times and accepts glob-style matching, e.g.: "
The extension argument defaults to "
Output formatting
The default output depends on the specified parameters, but the full format is "%S %T %M # {%F} %C %P # %L", and ANSI coloring is used too. Possible variables are:
Patterns
There are three main pattern files that cover different types of pattern matching. There is one pattern per line. All lines where the very first character is a "
Whitelisting
See the whitelist.txt file for a predefined MD5 hash list. Only the first 32 characters of each line are used; the rest of the line is ignored, so feel free to leave a comment.

Wordpress md5 sum whitelisting
You can automatically add the md5sums of WordPress core files by specifying the version as an argument to --wordpress-version or -j. Example:
That will automatically fetch the md5sums from the WordPress API (https://api.wordpress.org/core/checksums/1.0/?version=x.x.x) and add them to the whitelist. To check your version, simply look at the wp-includes/version.php file of your WordPress installation.

Combined whitelist
This list is a pre-generated database for open-source projects; more information is at https://scr34m.github.io/php-malware-scanner/. The scanner checks the database hash for validity and only downloads the list if the hash differs, and of course only when the argument is used.

Tools
text2base64.py
Takes a plaintext string as input and returns 3 base64 string equivalents. It is a Python script that needs to be executed from the terminal. It is worth noting that the presence of one of the three output strings in a block of text does not 100% guarantee that the string was present in the original code. It is guaranteed that IF the subject string was present in the original code, then one of the three output strings will be present in the base64 version.
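As an added illustration of the alignment rule behind text2base64.py (example code written for this guide, not the project's own script): base64 encodes 3 bytes into 4 characters, so a keyword has three possible encodings depending on its byte offset modulo 3; the code derives the three fragments, trims the characters that depend on neighbouring bytes, and checks that a keyword at any offset in a constructed sample is caught by one of them.

```python
import base64

# Added example, not the project's text2base64.py: derive the three base64
# fragments of a keyword so a rule can match it inside base64-encoded payloads.


def text2base64(keyword: str) -> list[str]:
    """Return one base64 fragment per byte alignment (offset 0, 1 and 2).

    Base64 maps every 3 input bytes to 4 output characters, so the encoding
    of a substring depends on where it starts modulo 3. For each alignment we
    prepend dummy bytes, encode, and cut off the characters whose value also
    depends on bytes before or after the keyword. What remains must appear in
    the base64 of any text containing the keyword at that alignment.
    """
    data = keyword.encode()
    fragments = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + data).decode()
        lead = (0, 2, 3)[offset]                     # chars tainted by the dummy prefix
        trail = (0, 3, 2)[(offset + len(data)) % 3]  # chars tainted by following bytes ('=' included)
        fragments.append(enc[lead:len(enc) - trail])
    return fragments


def matches_any(encoded: str, fragments: list[str]) -> bool:
    """True if any alignment fragment occurs in a base64 blob."""
    return any(frag and frag in encoded for frag in fragments)


def scan_blob(blob: bytes, keyword: str) -> bool:
    """Would base64(blob) trip a rule built from `keyword`?"""
    return matches_any(base64.b64encode(blob).decode(), text2base64(keyword))


if __name__ == "__main__":
    print(text2base64("base64_decode"))  # first fragment is 'YmFzZTY0X2RlY29kZ'
    # constructed sample: the same PHP snippet placed at three different byte offsets
    for prefix in (b"", b"\n", b"\n\n"):
        blob = prefix + b"<?php $x = base64_decode($data); ?>"
        print(len(prefix), scan_blob(blob, "base64_decode"))  # True each time
```

The converse does not hold, as the guide notes: a fragment hit only tells you the base64 blob decodes to bytes that could contain the keyword, so treat it as a reason to decode and inspect, not as proof.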
An example: the presence of 'YmFzZTY0X2RlY29kZ' does not guarantee that 'base64_decode' is in the plaintext code.

Using as library
scan.php checks whether it is being called from the command line or not, so to use it as a library, run your code from a different directory than the one containing scan.php itself.
<?php
// Load scan.php from another directory so its command-line entry point is not triggered
require_once '../scan.php';
$scan = new MalwareScanner();
$scan->setFlagHideWhitelist(true); // do not report whitelisted files
$scan->setFlagHideOk(true);        // do not report clean files
$scan->run('../samples/test');     // directory to scan

Resources
Licensing
PHP malware scanner is licensed under the GNU General Public License v3.