Add a license and a readme

author: jvoisin 2015-07-13 14:41:39 +0200
committer: jvoisin 2015-07-13 14:41:39 +0200
commit: 555378346304c9ce8855a8ee428d845ab3144469 (patch)
tree: 540bbbfe88a98714cebcc92f9442eb0ddcc0c336 /README.md
parent: 8e27514c47d3d44ae070d55631df595248a9c0d9 (diff)
1 files changed, 69 insertions, 0 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..15b1d08
--- /dev/null
+++ b/README.md
@@ -0,0 +1,69 @@
+# PHP Malware Finder
+ ```
+  _______  __   __  _______
+ |  ___  ||  |_|  ||       |
+ | |   | ||       ||    ___|
+ | |___| ||       ||   |___   Webshell finder,
+ |    ___||       ||    ___|   kiddies hunter,
+ |   |    | ||_|| ||   |                website cleaner.
+ |___|    |_|   |_||___|
+Detect potentially malicious PHP files.
+```
+## What does it detect?
+PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malwares/webshells.
+The following list of encoders/obfuscators/webshells are also detected:
+* [Best PHP Obfuscator]( http://www.pipsomania.com/best_php_obfuscator.do )
+* [Carbylamine]( https://code.google.com/p/carbylamine/ )
+* [Cipher Design]( http://cipherdesign.co.uk/service/php-obfuscator )
+* [Cyklodev]( http://sysadmin.cyklodev.com/online-php-obfuscator/ )
+* [Joes Web Tools Obfuscator]( http://www.joeswebtools.com/security/php-obfuscator/ )
+* [Php Obfuscator Encode]( http://w3webtools.com/encode-php-online/ )
+* [SpinObf]( http://mohssen.org/SpinObf.php )
+* [Weevely3]( https://github.com/epinna/weevely3 )
+* [atomiku]( http://atomiku.com/online-php-code-obfuscator/ )
+* [cobra obfuscator]( http://obfuscator.uk/example/ )
+* [phpencode]( http://phpencode.org )
+* [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ )
+## How does it work?
+Detection is performed by crawling the filesystem and testing files against a [set]( https://github.com/nbs-system/php-malware-finder/blob/master/malwares.yara )
+of [YARA](https://plusvic.github.io/yara/) rules. Yes, it's that simple!
+## How to use it?
+```
+$ ./phpmalwarefinder -h
+Usage phpmalwarefinder [-cfhw] <file|folder> ...
+        -c  Optional path to a configuration file
+        -f  Fast mode
+        -h  Show this help message
+        -v  Verbose mode
+```
+Or if you prefer to use `yara`:
+```
+$ yara -r ./malwares.yara /var/www
+```
+## Whitelisting
+Check the [whitelist.yara]( https://github.com/nbs-system/php-malware-finder/blob/master/whitelist.yara ) file.
+If you're lazy, you can generate whitelists for entire folders with the [generate_whitelist.py]( https://github.com/nbs-system/php-malware-finder/blob/master/generate_whitelist.py ) script.
+## Licensing
+PHP-malware-finder is [licensed]( https://github.com/nbs-system/php-malware-finder/blob/master/LICENSE ) under the GNU General Public License v3.
+YARA (which is bundled with this software) is licensed under the Apache v2.0 license.
+Patches, whitelists or samples are of course more than welcome.
author	jvoisin	2015-07-13 14:41:39 +0200
committer	jvoisin	2015-07-13 14:41:39 +0200
commit	555378346304c9ce8855a8ee428d845ab3144469 (patch)
tree	540bbbfe88a98714cebcc92f9442eb0ddcc0c336 /README.md
parent	8e27514c47d3d44ae070d55631df595248a9c0d9 (diff)

diff --git a/README.md b/README.md new file mode 100644 index 0000000..15b1d08 --- /dev/null +++ b/README.md
@@ -0,0 +1,69 @@
	1	# PHP Malware Finder
	2
	3	```
	4	_______ __ __ _______
	5	\| ___ \|\| \|_\| \|\| \|
	6	\| \| \| \|\| \|\| ___\|
	7	\| \|___\| \|\| \|\| \|___ Webshell finder,
	8	\| ___\|\| \|\| ___\| kiddies hunter,
	9	\| \| \| \|\|_\|\| \|\| \| website cleaner.
	10	\|___\| \|_\| \|_\|\|___\|
	11
	12	Detect potentially malicious PHP files.
	13	```
	14
	15	## What does it detect?
	16
	17	PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malwares/webshells.
	18
	19	The following list of encoders/obfuscators/webshells are also detected:
	20
	21	* [Best PHP Obfuscator]( http://www.pipsomania.com/best_php_obfuscator.do )
	22	* [Carbylamine]( https://code.google.com/p/carbylamine/ )
	23	* [Cipher Design]( http://cipherdesign.co.uk/service/php-obfuscator )
	24	* [Cyklodev]( http://sysadmin.cyklodev.com/online-php-obfuscator/ )
	25	* [Joes Web Tools Obfuscator]( http://www.joeswebtools.com/security/php-obfuscator/ )
	26	* [Php Obfuscator Encode]( http://w3webtools.com/encode-php-online/ )
	27	* [SpinObf]( http://mohssen.org/SpinObf.php )
	28	* [Weevely3]( https://github.com/epinna/weevely3 )
	29	* [atomiku]( http://atomiku.com/online-php-code-obfuscator/ )
	30	* [cobra obfuscator]( http://obfuscator.uk/example/ )
	31	* [phpencode]( http://phpencode.org )
	32	* [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ )
	33
	34
	35	## How does it work?
	36
	37	Detection is performed by crawling the filesystem and testing files against a [set]( https://github.com/nbs-system/php-malware-finder/blob/master/malwares.yara )
	38	of [YARA](https://plusvic.github.io/yara/) rules. Yes, it's that simple!
	39
	40
	41	## How to use it?
	42
	43	```
	44	$ ./phpmalwarefinder -h
	45	Usage phpmalwarefinder [-cfhw] <file\|folder> ...
	46	-c Optional path to a configuration file
	47	-f Fast mode
	48	-h Show this help message
	49	-v Verbose mode
	50	```
	51
	52	Or if you prefer to use `yara`:
	53
	54	```
	55	$ yara -r ./malwares.yara /var/www
	56	```
	57
	58	## Whitelisting
	59
	60	Check the [whitelist.yara]( https://github.com/nbs-system/php-malware-finder/blob/master/whitelist.yara ) file.
	61	If you're lazy, you can generate whitelists for entire folders with the [generate_whitelist.py]( https://github.com/nbs-system/php-malware-finder/blob/master/generate_whitelist.py ) script.
	62
	63	## Licensing
	64
	65	PHP-malware-finder is [licensed]( https://github.com/nbs-system/php-malware-finder/blob/master/LICENSE ) under the GNU General Public License v3.
	66
	67	YARA (which is bundled with this software) is licensed under the Apache v2.0 license.
	68
	69	Patches, whitelists or samples are of course more than welcome.