_______ __ __ _______ | ___ || |_| || | | | | || || ___| | |___| || || |___ Webshell finder, | ___|| || ___| kiddies hunter, | | | ||_|| || | website cleaner. |___| |_| |_||___| Detect potentially malicious PHP files.
PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malwares/webshells.
The following list of encoders/obfuscators/webshells are also detected:
Of course it's trivial to bypass PMF, but its goal is to catch kiddies and idiots, not people with a working brain. If you report a stupid tailored bypass for PMF, you likely belong to one (or both) category, and should re-read the previous statement.
Instead of using an hash-based approach,
PMF tries as much as possible to use semantic patterns, to detect things like
$_GET variable is decoded two times, unzipped,
and then passed to some dangerous function like
sudo apt-get install yara
yum install yara(requires the EPEL repository)
You can also compile it from source:
git clone [email protected]:VirusTotal/yara.git cd yara/ YACC=bison ./configure make
git clone https://github.com/jvoisin/php-malware-finder.git
$ ./phpmalwarefinder -h Usage phpmalwarefinder [-cfhtvl] <file|folder> ... -c Optional path to a rule file -f Fast mode -h Show this help message -t Specify the number of threads to use (8 by default) -v Verbose mode
Or if you prefer to use
$ yara -r ./php.yar /var/www
Please keep in mind that you should use at least YARA 3.4 because we're using hashes for the whitelist system, and greedy regexps. Please note that if you plan to build yara from sources, libssl-dev must be installed on your system in order to have support for hashes.
Oh, and by the way, you can run the comprehensive testsuite with
PHP-malware-finder is licensed under the GNU Lesser General Public License v3.
The amazing YARA project is licensed under the Apache v2.0 license.
Patches, whitelists or samples are of course more than welcome.