Axcora Security Hunter is an aesthetic, lightweight, and terminal-based security auditor designed specifically for PHP developers. It helps you identify critical security gaps and suspicious code patterns before they can be exploited by hackers.
- 🎨 Aesthetic UI: A modern terminal interface inspired by tools like Astro.js and Vite.
- 📂 Directory Exposure Audit: Automatically detects sensitive folders (admin, config, vendor, system, etc.) that are publicly accessible due to a missing .htaccess.
- 🔍 Heuristic Code Analysis: Intelligent scanning for dangerous PHP patterns such as obfuscated backdoors and remote code execution (RCE).
- 💡 Actionable Intelligence: Every threat found comes with a Risk Analysis and Mitigation Tips in plain English.
- 🚀 Zero Dependency: A single PHP file that works out of the box. No database or complex setup required.
Simply download axcora-security.php and place it into your project's root directory.
Open your terminal and run the following command:
```bash
php axcora-security.php
```

Add this to your composer.json to make it a part of your workflow:

```json
"scripts": {
  "axcorasecure": "php axcora-security.php"
}
```

Then just run: `composer axcorasecure`
| Audit Type | Description | Security Risk |
|---|---|---|
| Directory Protection | Checks for missing .htaccess in sensitive folders. | Potential directory browsing and sensitive data leaks. |
| Obfuscated Code | Detects eval() or system() combined with base64. | Hidden backdoors often used by hackers to maintain access. |
| Input Execution | Finds raw $_GET or $_POST passed to dynamic functions. | Critical: Allows Remote Command Execution (RCE). |
| Malicious Redirects | Scans for suspicious window.location JavaScript injectors. | Phishing or unauthorized traffic redirection (Adware). |
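The following is an added example, not code from Axcora Security Hunter itself: a minimal heuristic scanner that implements the four audit types in the table above so you can see what each check actually looks for. The regexes, risk levels, mitigation text, function names and sample inputs are all constructed for illustration and are not the tool's own rules.

```php
<?php
// Added example, not code from Axcora Security Hunter: a minimal heuristic scanner
// covering the four audit types. Rules, levels and samples are constructed.
declare(strict_types=1);

/** Heuristic rules. Broad on purpose: a hit is an indication to review, not proof. */
function heuristicRules(): array
{
    return [
        [
            'name'       => 'Obfuscated Code',
            'level'      => 'fail',
            // eval()/system() (and friends) fed from base64_decode() in the same statement
            'pattern'    => '/\b(eval|assert|system|shell_exec|passthru)\s*\([^;]*?base64_decode\s*\(/i',
            'mitigation' => 'Compare the file with a clean backup or the official repository.',
        ],
        [
            'name'       => 'Input Execution',
            'level'      => 'critical',
            // a raw superglobal reaching a dynamic execution function
            'pattern'    => '/\b(eval|assert|system|shell_exec|passthru|exec|popen)\s*\([^;]*?\$_(GET|POST|REQUEST|COOKIE)\b/i',
            'mitigation' => 'Validate input against an allowlist; never execute raw request data.',
        ],
        [
            'name'       => 'Malicious Redirect',
            'level'      => 'warn',
            // JavaScript that sends the visitor to a hard-coded external URL
            'pattern'    => '/window\.location(?:\.href)?\s*=\s*["\']https?:\/\//i',
            'mitigation' => 'Confirm the destination is yours; injected redirects feed phishing and adware.',
        ],
    ];
}

/** Scan one file's contents line by line; returns one finding per rule hit. */
function scanSource(string $code, string $file = '(inline)'): array
{
    $findings = [];
    foreach (preg_split('/\R/', $code) as $i => $line) {
        foreach (heuristicRules() as $rule) {
            if (preg_match($rule['pattern'], $line) === 1) {
                $findings[] = ['file' => $file, 'line' => $i + 1] + $rule;
            }
        }
    }
    return $findings;
}

/** Directory Protection: sensitive folders under $root that exist without a .htaccess. */
function unprotectedDirs(string $root, array $sensitive = ['admin', 'config', 'vendor', 'system']): array
{
    $exposed = [];
    foreach ($sensitive as $dir) {
        $path = $root . DIRECTORY_SEPARATOR . $dir;
        if (is_dir($path) && !is_file($path . DIRECTORY_SEPARATOR . '.htaccess')) {
            $exposed[] = $dir;
        }
    }
    return $exposed;
}

// Constructed samples standing in for project files (not real files).
$samples = [
    'clean.php'    => "<?php\necho htmlspecialchars(\$_GET['q'] ?? '', ENT_QUOTES, 'UTF-8');\n",
    'backdoor.php' => "<?php\n@eval(base64_decode(\$_POST['p']));\n",
    'shell.php'    => "<?php\nsystem(\$_GET['cmd']);\n",
    'redir.js'     => "window.location.href = 'https://example.invalid/landing';\n",
];
foreach ($samples as $name => $code) {
    foreach (scanSource($code, $name) as $f) {
        printf("[%-8s] %s:%d %s\n           -> %s\n",
            strtoupper($f['level']), $f['file'], $f['line'], $f['name'], $f['mitigation']);
    }
}

// Throwaway tree: admin/ has no .htaccess, vendor/ does. Only admin/ is reported.
$root = sys_get_temp_dir() . '/axcora-demo-' . bin2hex(random_bytes(4));
mkdir("$root/admin", 0700, true);
mkdir("$root/vendor", 0700, true);
file_put_contents("$root/vendor/.htaccess", "Require all denied\n");
foreach (unprotectedDirs($root) as $dir) {
    echo "[WARN    ] $dir/ has no .htaccess (Directory Protection)\n";
}
```

Note that clean.php produces no finding because echo is not an execution function, while backdoor.php trips both the Obfuscated Code and Input Execution rules: the same statement is base64-fed and reads a raw superglobal. That overlap is normal for heuristics and is why every hit should be reviewed by hand rather than treated as a verdict.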
To help you secure your directories quickly, we have provided an htaccess.example file. If the scanner flags a "warn" on a directory, follow these steps:
- Locate the provided htaccess.example file.
- Copy it to the flagged directory (e.g., ./system/ or ./vendor/).
- Rename it to .htaccess.
- Result: The directory is now locked from public access.

The .htaccess rules will:
- Deny all public access to the folder contents.
- Disable directory browsing (preventing hackers from seeing your file list).
- Prevent script execution inside the folder for maximum hardening.
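As an added example (not the project's own htaccess.example, whose exact contents are not shown here), the script below carries a constructed .htaccess template that provides the three protections just listed, installs it into a flagged directory, and then verifies that each protection is present. The template text, function names and the temporary directory are assumptions made for this illustration.

```php
<?php
// Added example, not the project's htaccess.example: a constructed hardened
// template, an installer that mirrors the copy-and-rename steps, and a verifier.
declare(strict_types=1);

// "Require all denied" is Apache 2.4 syntax; Apache 2.2 uses "Deny from all".
// The <FilesMatch> block keeps PHP sources from being served even if the blanket
// deny is later relaxed, and unlike php_flag it does not depend on mod_php.
const HARDENED_HTACCESS = <<<'HTACCESS'
# Deny all public access to this folder
Require all denied

# Disable directory browsing
Options -Indexes

# Prevent script execution inside the folder
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
HTACCESS;

/** Write the template as $dir/.htaccess; refuse to clobber an existing file. */
function installHtaccess(string $dir): string
{
    $target = rtrim($dir, '/\\') . DIRECTORY_SEPARATOR . '.htaccess';
    if (file_exists($target)) {
        throw new RuntimeException("$target already exists; review it before replacing");
    }
    file_put_contents($target, HARDENED_HTACCESS . "\n");
    return $target;
}

/** Protections still missing from $dir/.htaccess; an empty list means fully hardened. */
function missingProtections(string $dir): array
{
    $file  = rtrim($dir, '/\\') . DIRECTORY_SEPARATOR . '.htaccess';
    $rules = is_file($file) ? file_get_contents($file) : '';
    $checks = [
        'deny public access'      => '/^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$/mi',
        'disable directory index' => '/^\s*Options\s+.*-Indexes/mi',
        'block script execution'  => '/<FilesMatch\s+"[^"]*php[^"]*">/i',
    ];
    $missing = [];
    foreach ($checks as $label => $regex) {
        if (preg_match($regex, $rules) !== 1) {
            $missing[] = $label;
        }
    }
    return $missing;
}

// Demo in a throwaway directory standing in for a flagged ./system/ folder.
$flagged = sys_get_temp_dir() . '/axcora-demo-' . bin2hex(random_bytes(4)) . '/system';
mkdir($flagged, 0700, true);
echo "before: missing " . implode(', ', missingProtections($flagged)) . "\n";
installHtaccess($flagged);
$left = missingProtections($flagged);
echo $left ? "after: still missing " . implode(', ', $left) . "\n" : "after: $flagged is locked\n";
```

One caveat the verifier cannot see: Apache only honors a .htaccess file when the enclosing directory is configured with AllowOverride (at least Limit/Options/FileInfo for the directives above); with AllowOverride None the file is silently ignored, and nginx never reads .htaccess at all. After installing the file, confirm the lock with a real HTTP request against the folder.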
> [!CAUTION]
> This tool provides indications, not absolute confirmations of malware. It uses heuristic patterns that may flag legitimate framework files (false positives). Always manually review flagged files, especially within core framework directories.
If the scanner flags a threat, follow these steps:
- For Warnings: Create an .htaccess file in the flagged directory to restrict public access.
- For Failures: Compare the flagged file with a clean backup or the official repository.
- For Critical Risks: Sanitize all user inputs and avoid using dynamic execution functions on raw data.
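To make the Critical Risks advice concrete, here is an added example (not code from the project) showing the "raw $_GET passed to a dynamic function" shape the scanner reports, beside an allowlist-based rewrite that keeps user input from ever naming the function to run. The function names, the handler map and the sample requests are constructed; the code assumes PHP 7.4 or newer for arrow functions.

```php
<?php
// Added example, not from the project: the flagged pattern beside its fix.
// Names and requests below are constructed for illustration.
declare(strict_types=1);

// BEFORE (the flagged shape, kept only for comparison and never called here):
// the request decides which function runs, so any callable name reachable from
// the web is executed with request-chosen arguments.
function runReportVulnerable(array $get): string
{
    $handler = $get['action'];          // raw user input
    return $handler($get['arg'] ?? ''); // dynamic call on raw data
}

// AFTER: input only selects from a fixed map of closures, and the argument is
// validated against a strict pattern before it is used.
function runReport(array $get): string
{
    $handlers = [
        'summary' => fn (string $arg): string => "summary for $arg",
        'detail'  => fn (string $arg): string => "detail for $arg",
    ];
    $action = (string) ($get['action'] ?? '');
    if (!array_key_exists($action, $handlers)) {
        throw new InvalidArgumentException('unknown action');
    }
    $arg = (string) ($get['arg'] ?? '');
    if (preg_match('/^[A-Za-z0-9_-]{1,32}$/', $arg) !== 1) {
        throw new InvalidArgumentException('invalid argument');
    }
    return $handlers[$action]($arg);
}

// Constructed requests: one valid, one naming an action outside the allowlist,
// one with an argument that fails validation.
$requests = [
    ['action' => 'summary',    'arg' => 'q1'],
    ['action' => 'not_in_map', 'arg' => 'q1'],
    ['action' => 'detail',     'arg' => '../etc/passwd'],
];
foreach ($requests as $req) {
    try {
        echo runReport($req), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected {$req['action']}: {$e->getMessage()}\n";
    }
}
```

The key design choice is that the request value is used as a lookup key into a map you control, never as a callable or as code. Validating the argument separately matters too: the allowlist stops arbitrary functions, but the handler itself still has to treat its input as untrusted.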
Built with ❤️ by Axcora Technology
Developed and maintained by Axcora Technology. We provide innovative solutions for FinTech, Automation, and Web Security.
- Website: https://www.axcora.com
- Axcora Lab: https://axcora.my.id