Detect potentially malicious PHP files
This branch is 1 commit ahead, 256 commits behind nbs-system:master.
package
LICENSE
README.md
generate_whitelist.py
malwares.yara
phpmalwarefinder
poc.py
whitelist.yara

PHP Malware Finder

 _______  __   __  _______
|  ___  ||  |_|  ||       |
| |   | ||       ||    ___|
| |___| ||       ||   |___   Webshell finder,
|    ___||       ||    ___|   kiddies hunter,
|   |    | ||_|| ||   |      website cleaner.
|___|    |_|   |_||___|

Detect potentially malicious PHP files.

What does it detect?

PHP-malware-finder does its very best to detect obfuscated or dodgy code, as well as files that use PHP functions commonly found in malware and webshells.

The following encoders, obfuscators and webshells are also detected:

How does it work?

Detection is performed by crawling the filesystem and testing files against a set of YARA rules. Yes, it's that simple!
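To make the crawl-and-test model concrete, here is an added example that is not the project's own code and does not depend on YARA being installed: a small Python scanner that walks a directory tree and tests every PHP file against a rule set mimicking YARA's strings/condition semantics (a rule fires when at least N of its indicators are present). The rule names, the indicator patterns and the sample files written to a temporary directory are all constructed for this example; the real tool's rules live in malwares.yara.

```python
"""Added example (not the project's code): a minimal PHP file scanner in the
spirit of phpmalwarefinder. It crawls a directory and tests each PHP file
against rules that mimic YARA's "N of them" condition model."""
import os
import re
import tempfile
from dataclasses import dataclass


@dataclass
class Rule:
    """A stand-in for a YARA rule: named regex indicators plus a threshold,
    so the rule matches when `threshold` distinct indicators are found."""
    name: str
    indicators: dict   # indicator name -> compiled regex (bytes)
    threshold: int


# Constructed rules: generic markers of dodgy or obfuscated PHP, not the
# project's own malwares.yara signatures.
RULES = [
    Rule(
        "DodgyPhp",
        {
            "eval": re.compile(rb"\beval\s*\("),
            "exec_family": re.compile(rb"\b(system|passthru|shell_exec|proc_open)\s*\("),
            "remote_input": re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\b"),
        },
        threshold=2,
    ),
    Rule(
        "ObfuscatedPhp",
        {
            "base64_decode": re.compile(rb"\bbase64_decode\s*\("),
            "long_base64_blob": re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}"),
            "transform_funcs": re.compile(rb"\b(strrev|gzinflate|str_rot13)\s*\("),
        },
        threshold=2,
    ),
]

PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".inc"}


def match_rules(data: bytes, rules=RULES) -> list:
    """Return the names of rules whose indicator threshold is met by `data`."""
    hits = []
    for rule in rules:
        matched = [name for name, rx in rule.indicators.items() if rx.search(data)]
        if len(matched) >= rule.threshold:
            hits.append(rule.name)
    return hits


def scan_tree(root: str, rules=RULES) -> dict:
    """Crawl `root` and map each PHP file (relative path) to the rules it
    triggers. Files that trigger nothing are omitted from the result."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in PHP_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                hits = match_rules(fh.read(), rules)
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


# Constructed sample files standing in for a web root (assumption).
SAMPLES = {
    "index.php": b"<?php echo 'Hello, world'; ?>",
    "uploads/cmd.php": b"<?php if (isset($_GET['c'])) { system($_GET['c']); } ?>",
    "cache/blob.php": b"<?php eval(base64_decode('" + b"QUJD" * 60 + b"')); ?>",
}


def build_sample_tree() -> str:
    """Write the constructed samples into a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="pmf-demo-")
    for rel, content in SAMPLES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(hits)}")
```

The threshold model is what keeps noise down: a single `base64_decode()` call is common in legitimate code, but the same file also carrying a 200-plus character base64 blob is worth a look. The same reasoning is why the real rules are paired with a whitelist.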

How to use it?

$ ./phpmalwarefinder -h
Usage phpmalwarefinder [-cfhw] <file|folder> ...
	-c  Optional path to a configuration file
	-f  Fast mode
	-h  Show this help message
	-v  Verbose mode

Or if you prefer to use yara:

$ yara -r ./malwares.yara /var/www

Whitelisting

Check the whitelist.yara file. If you're lazy, you can generate whitelists for entire folders with the generate_whitelist.py script.
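The whitelist works by hash: whitelist.yara relies on YARA's `hash` module and compares `hash.sha1(0, filesize)` against known-good digests, so a clean file that happens to trip a detection rule is excluded. The following added example (not the project's generate_whitelist.py) rebuilds that idea in Python: it hashes every file under a folder, renders a YARA rule in that style, and makes the same allow/deny decision without needing YARA installed. The rule name, the sample files and the temporary folder are constructed for this example.

```python
"""Added example (not the project's generate_whitelist.py): build a YARA
whitelist rule from the SHA-1 of every file under a folder and check files
against it."""
import hashlib
import os
import tempfile


def sha1_of_file(path: str) -> str:
    """Hex SHA-1 of a file, read in chunks so large files are not slurped."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_hashes(root: str) -> dict:
    """Map relative path -> sha1 for every regular file under `root`."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            hashes[rel] = sha1_of_file(path)
    return hashes


def render_whitelist_rule(name: str, hashes: dict) -> str:
    """Emit a YARA rule that matches any file whose sha1 is in `hashes`,
    using the hash.sha1(0, filesize) form that whitelist.yara relies on.
    An empty whitelist renders as `false` so the rule stays valid."""
    entries = sorted(hashes.items())
    lines = []
    for i, (rel, digest) in enumerate(entries):
        joiner = " or" if i < len(entries) - 1 else ""
        lines.append(f'        hash.sha1(0, filesize) == "{digest}"{joiner}  // {rel}')
    if not lines:
        lines.append("        false")
    return (
        'import "hash"\n\n'
        f"rule {name}\n{{\n    condition:\n"
        + "\n".join(lines)
        + "\n}\n"
    )


def is_whitelisted(path: str, hashes: dict) -> bool:
    """The decision the generated rule would make for `path`: allowed only if
    its sha1 is one of the known-good digests (any byte change breaks it)."""
    return sha1_of_file(path) in set(hashes.values())


# Constructed sample files standing in for a trusted application tree.
SAMPLE_FILES = {
    "wp-config-sample.php": b"<?php define('DB_NAME', 'database_name_here'); ?>",
    "lib/helpers.php": b"<?php function greet($n) { return 'Hi ' . $n; } ?>",
}


def write_file(root: str, rel: str, content: bytes) -> str:
    """Create `rel` under `root` with `content`; returns the absolute path."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)
    return path


def build_sample_tree() -> str:
    """Write the constructed samples into a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="pmf-whitelist-")
    for rel, content in SAMPLE_FILES.items():
        write_file(root, rel, content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print(render_whitelist_rule("Demo_whitelist", collect_hashes(root)))
```

Because the whitelist is keyed on full-file hashes, it only vouches for byte-identical files: regenerate it after every legitimate upgrade of the whitelisted application, and never generate it from a tree you have not already inspected, or a planted file gets whitelisted along with the rest.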

Licensing

PHP-malware-finder is licensed under the GNU General Public License v3.

The amazing YARA project is licensed under the Apache v2.0 license.

Patches, whitelists or samples are of course more than welcome.