Download the PHP package scr34m/php-malware-scanner without Composer
On this page you can find all versions of the php package scr34m/php-malware-scanner. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download scr34m/php-malware-scanner
More information about scr34m/php-malware-scanner
Files in scr34m/php-malware-scanner
Package php-malware-scanner
Short Description Scans PHP files for malwares and known threats
License GPL-3.0
Homepage https://github.com/scr34m/php-malware-scanner
FAQ
Example:
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Informations about the package php-malware-scanner
PHP malware scanner
Traversing directories for files with php extensions and testing files against text or regexp rules, the rules based on self gathered samples and publicly available malwares/webshells. The goal is to find infected files and fight against kiddies, because to easy to bypass rules.
How to install?
Simply clone the repository or with composer install globally composer global require scr34m/php-malware-scanner.
How to use?
Ignore argument could be used multiple times and accept glob style matching ex.: "cache*", "??-cache.php" or "/cache" etc.
Extension argument defaults to ".php" and also can be used multiple times too.
--base64is an alternative scan mode which ignores the main pattern files and uses a large list of php keywords and functions that have been converted to base64. Slower and prone to false positives, but gives additional base64 scanning coverage. These pattern files are located in base64_patterns and were derived from php 7 keywords and functions. Not many PHP extensions are included.--commentflag will display the last comment to appear in the pattern file before the matched pattern, so documenting the pattern files is important.
Output formatting
Default output depending on the specified parameters, but the full format is "%S %T %M # {%F} %C %P # %L" and using ANSI coloring too.
Possible variables are:
%S- matching indicator, possible values are OK, ER, WL%T- file change time%M- file md5 hash value%F- file with path%P- pattern%C- pattern comment%L- matching pattern line number
Patterns
There are three main pattern files the cover different types of pattern matching. There is one pattern per line. All lines where the very first character is a "#" is considered a comment and not used as a pattern. Whitespace in the pattern files is not used.
patterns_raw.txt- Raw string matchingpatterns-iraw.txt- Case insensitive raw string matchingpatterns-re.txt- Regular expression matching.
Whitelisting
See whitelist.txt file for a predefined MD5 hash list. Only the first 32 characters are used, rest of the line ignored so feel free to leave a comment.
Wordpress md5 sum whitelisting
You can automatically add md5sum from wordpress core files by specifing version as argument to --wordpress-version or -j. Example:
That will automatically get md5sums from wordpress api (https://api.wordpress.org/core/checksums/1.0/?version=x.x.x) and add it to whitelist. To check your version simply check wp-includes/version.php file of your wordpress
Combined whitelist
This list is a pre generated database for opensource projects more information at https://scr34m.github.io/php-malware-scanner/ site. The scanner check for database hash validity and only download if it is different and of course when argument used.
Tools
text2base64.py
Takes a plaintext string as input and returns 3 base64 string equivalents. Python script that needs to be executed from the terminal to be used.
It is worth noting that the presence of one of the three output strings in a block of text does not 100% guarantee that the string was present in the original code. It is guaranteed that IF the subject string was present in the original code, then one of the three output strings will be present in the base64 version.
An example: The presence of 'YmFzZTY0X2RlY29kZ' does not guarantee that 'base64_decode' is in the plain text code.
It is guaranteed that IF 'base64_decode' was present in the plain text code, then one of these three base64 strings WILL be present.
The presence of 'YmFzZTY0X2RlY29kZ' in a block of code may be because 'ase64_decod' was in the original code.
ote the missing edge characters which is due to bit misalignment and character bleed.
Using as library
The scan.php perform a check, that it's called by commandline or not, so to use as library use different directory than scan.php it self.
Resources
- PHPScanner
- PMF - PHP Malware Finder
- check regexp online
- malware samples 1
- malware samples 2
- malware samples 3
- malware samples 4
Licensing
PHP malware scanner is licensed under the GNU General Public License v3.
