1 files changed, 78 insertions, 0 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..67dad30
--- /dev/null
+++ b/README.md
@@ -0,0 +1,78 @@
+# PHP Malware Finder
+ ```
+  _______  __   __  _______
+ |  ___  ||  |_|  ||       |
+ | |   | ||       ||    ___|
+ | |___| ||       ||   |___   Webshell finder,
+ |    ___||       ||    ___|   kiddies hunter,
+ |   |    | ||_|| ||   |                website cleaner.
+ |___|    |_|   |_||___|
+Detect potentially malicious PHP files.
+```
+## What does it detect?
+PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as
+files using PHP functions often used in malwares/webshells.
+The following list of encoders/obfuscators/webshells are also detected:
+* [Best PHP Obfuscator]( http://www.pipsomania.com/best_php_obfuscator.do )
+* [Carbylamine]( https://code.google.com/p/carbylamine/ )
+* [Cipher Design]( http://cipherdesign.co.uk/service/php-obfuscator )
+* [Cyklodev]( http://sysadmin.cyklodev.com/online-php-obfuscator/ )
+* [Joes Web Tools Obfuscator]( http://www.joeswebtools.com/security/php-obfuscator/ )
+* [Php Obfuscator Encode]( http://w3webtools.com/encode-php-online/ )
+* [SpinObf]( http://mohssen.org/SpinObf.php )
+* [Weevely3]( https://github.com/epinna/weevely3 )
+* [atomiku]( http://atomiku.com/online-php-code-obfuscator/ )
+* [cobra obfuscator]( http://obfuscator.uk/example/ )
+* [phpencode]( http://phpencode.org )
+* [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ )
+* [tennc]( http://tennc.github.io/webshell/ )
+* [web-malware-collection]( https://github.com/nikicat/web-malware-collection )
+Of course it's easy to bypass PMF, but its goal is to catch kiddies and idiots,
+not people with a working brain.
+## How does it work?
+Detection is performed by crawling the filesystem and testing files against a
+[set]( https://github.com/nbs-system/php-malware-finder/blob/master/malwares.yara )
+of [YARA](https://plusvic.github.io/yara/) rules. Yes, it's that simple!
+## How to use it?
+```
+$ ./phpmalwarefinder -h
+Usage phpmalwarefinder [-cfhw] <file|folder> ...
+        -c  Optional path to a configuration file
+        -f  Fast mode
+        -h  Show this help message
+    -t  Specify the number of threads to use (8 by default)
+        -v  Verbose mode
+```
+Or if you prefer to use `yara`:
+```
+$ yara -r ./malwares.yara /var/www
+```
+## Whitelisting
+Check the [whitelist.yara]( https://github.com/nbs-system/php-malware-finder/blob/master/whitelist.yara ) file.
+If you're lazy, you can generate whitelists for entire folders with the
+[generate_whitelist.py]( https://github.com/nbs-system/php-malware-finder/blob/master/generate_whitelist.py ) script.
+## Licensing
+PHP-malware-finder is [licensed]( https://github.com/nbs-system/php-malware-finder/blob/master/LICENSE ) under the GNU General Public License v3.
+The _amazing_ YARA project is licensed under the Apache v2.0 license.
+Patches, whitelists or samples are of course more than welcome.

diff --git a/README.md b/README.md new file mode 100644 index 0000000..67dad30 --- /dev/null +++ b/README.md
@@ -0,0 +1,78 @@
	1	# PHP Malware Finder
	2
	3	```
	4	_______ __ __ _______
	5	\| ___ \|\| \|_\| \|\| \|
	6	\| \| \| \|\| \|\| ___\|
	7	\| \|___\| \|\| \|\| \|___ Webshell finder,
	8	\| ___\|\| \|\| ___\| kiddies hunter,
	9	\| \| \| \|\|_\|\| \|\| \| website cleaner.
	10	\|___\| \|_\| \|_\|\|___\|
	11
	12	Detect potentially malicious PHP files.
	13	```
	14
	15	## What does it detect?
	16
	17	PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as
	18	files using PHP functions often used in malwares/webshells.
	19
	20	The following list of encoders/obfuscators/webshells are also detected:
	21
	22	* [Best PHP Obfuscator]( http://www.pipsomania.com/best_php_obfuscator.do )
	23	* [Carbylamine]( https://code.google.com/p/carbylamine/ )
	24	* [Cipher Design]( http://cipherdesign.co.uk/service/php-obfuscator )
	25	* [Cyklodev]( http://sysadmin.cyklodev.com/online-php-obfuscator/ )
	26	* [Joes Web Tools Obfuscator]( http://www.joeswebtools.com/security/php-obfuscator/ )
	27	* [Php Obfuscator Encode]( http://w3webtools.com/encode-php-online/ )
	28	* [SpinObf]( http://mohssen.org/SpinObf.php )
	29	* [Weevely3]( https://github.com/epinna/weevely3 )
	30	* [atomiku]( http://atomiku.com/online-php-code-obfuscator/ )
	31	* [cobra obfuscator]( http://obfuscator.uk/example/ )
	32	* [phpencode]( http://phpencode.org )
	33	* [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ )
	34	* [tennc]( http://tennc.github.io/webshell/ )
	35	* [web-malware-collection]( https://github.com/nikicat/web-malware-collection )
	36
	37
	38	Of course it's easy to bypass PMF, but its goal is to catch kiddies and idiots,
	39	not people with a working brain.
	40
	41	## How does it work?
	42
	43	Detection is performed by crawling the filesystem and testing files against a
	44	[set]( https://github.com/nbs-system/php-malware-finder/blob/master/malwares.yara )
	45	of [YARA](https://plusvic.github.io/yara/) rules. Yes, it's that simple!
	46
	47
	48	## How to use it?
	49
	50	```
	51	$ ./phpmalwarefinder -h
	52	Usage phpmalwarefinder [-cfhw] <file\|folder> ...
	53	-c Optional path to a configuration file
	54	-f Fast mode
	55	-h Show this help message
	56	-t Specify the number of threads to use (8 by default)
	57	-v Verbose mode
	58	```
	59
	60	Or if you prefer to use `yara`:
	61
	62	```
	63	$ yara -r ./malwares.yara /var/www
	64	```
	65
	66	## Whitelisting
	67
	68	Check the [whitelist.yara]( https://github.com/nbs-system/php-malware-finder/blob/master/whitelist.yara ) file.
	69	If you're lazy, you can generate whitelists for entire folders with the
	70	[generate_whitelist.py]( https://github.com/nbs-system/php-malware-finder/blob/master/generate_whitelist.py ) script.
	71
	72	## Licensing
	73
	74	PHP-malware-finder is [licensed]( https://github.com/nbs-system/php-malware-finder/blob/master/LICENSE ) under the GNU General Public License v3.
	75
	76	The _amazing_ YARA project is licensed under the Apache v2.0 license.
	77
	78	Patches, whitelists or samples are of course more than welcome.