
hslatman/php-malware-finder

 
 


PHP Malware Finder

 _______  __   __  _______
|  ___  ||  |_|  ||       |
| |   | ||       ||    ___|
| |___| ||       ||   |___   Webshell finder,
|    ___||       ||    ___|   kiddies hunter,
|   |    | ||_|| ||   |        website cleaner.
|___|    |_|   |_||___|

Detect potentially malicious PHP files.

What does it detect?

PHP-malware-finder does its very best to detect obfuscated/dodgy code, as well as files using PHP functions often used in malware/webshells.

The following list of encoders/obfuscators/webshells are also detected:

How does it work?

Detection is performed by crawling the filesystem and testing files against a set of YARA rules. Yes, it's that simple!

How to use it?

$ ./phpmalwarefinder -h
Usage phpmalwarefinder [-cfhw] <file|folder> ...
	-c  Optional path to a configuration file
	-f  Fast mode
	-h  Show this help message
	-v  Verbose mode

Or if you prefer to use yara:

$ yara -r ./malwares.yara /var/www

Whitelisting

Check the whitelist.yara file. If you're lazy, you can generate whitelists for entire folders with the generate_whitelist.py script.
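As an added illustration of folder-level whitelisting (not the project's generate_whitelist.py, and not necessarily the format whitelist.yara uses), the sketch below pins every .php file in a known-good folder by SHA-1 using YARA's `hash` module. The function names and the rule name `KnownGoodFolder` are hypothetical; a detection rule would exclude these files with a condition such as `and not KnownGoodFolder`.

```python
import hashlib
import os
import re


def sha1_of(path):
    """Hex SHA-1 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_whitelist_rule(folder, rule_name="KnownGoodFolder"):
    """Return YARA source for a rule matching the exact .php files in folder."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", rule_name):
        raise ValueError("invalid YARA rule name: %r" % rule_name)
    by_hash = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(root, name)
                # Identical files share one condition; keep the first path seen.
                by_hash.setdefault(sha1_of(path), os.path.relpath(path, folder))
    if not by_hash:
        raise ValueError("no .php files under %r" % folder)
    conditions = []
    for digest, rel in sorted(by_hash.items(), key=lambda item: item[1]):
        # The path is only a comment for the reviewer; strip odd characters.
        safe = "".join(c if c.isprintable() else "?" for c in rel)
        conditions.append(
            '        // %s\n        hash.sha1(0, filesize) == "%s"' % (safe, digest)
        )
    return (
        'import "hash"\n\n'
        "private rule %s\n{\n    condition:\n%s\n}\n"
        % (rule_name, " or\n".join(conditions))
    )


if __name__ == "__main__":
    import sys

    # Usage: python this_script.py /path/to/known-good-folder > my_whitelist.yara
    print(build_whitelist_rule(sys.argv[1]))
```

Because each entry pins exact file content, a whitelisted file that is later modified no longer matches and is scanned again; generate the hashes only from a copy you trust, such as a fresh vendor release.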

Licensing

PHP-malware-finder is licensed under the GNU General Public License v3.

The amazing YARA project is licensed under the Apache v2.0 license.

Patches, whitelists or samples are of course more than welcome.
