[![Build Status](https://travis-ci.org/nbs-system/php-malware-finder.svg?branch=master)](https://travis-ci.org/nbs-system/php-malware-finder)

# PHP Malware Finder

 ```
  _______  __   __  _______
 |  ___  ||  |_|  ||       |
 | |   | ||       ||    ___|
 | |___| ||       ||   |___   Webshell finder,
 |    ___||       ||    ___|   kiddies hunter,
 |   |    | ||_|| ||   |		website cleaner.
 |___|    |_|   |_||___|

Detect potentially malicious PHP files.
```

## What does it detect?

PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as
files using PHP functions often used in malwares/webshells.

The following list of encoders/obfuscators/webshells are also detected:

* [Best PHP Obfuscator]( http://www.pipsomania.com/best_php_obfuscator.do )
* [Carbylamine]( https://code.google.com/p/carbylamine/ )
* [Cipher Design]( http://cipherdesign.co.uk/service/php-obfuscator )
* [Cyklodev]( http://sysadmin.cyklodev.com/online-php-obfuscator/ )
* [Joes Web Tools Obfuscator]( http://www.joeswebtools.com/security/php-obfuscator/ )
* [Php Obfuscator Encode]( http://w3webtools.com/encode-php-online/ )
* [SpinObf]( http://mohssen.org/SpinObf.php )
* [Weevely3]( https://github.com/epinna/weevely3 )
* [atomiku]( http://atomiku.com/online-php-code-obfuscator/ )
* [cobra obfuscator]( http://obfuscator.uk/example/ )
* [phpencode]( http://phpencode.org )
* [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ )
* [tennc]( http://tennc.github.io/webshell/ )
* [web-malware-collection]( https://github.com/nikicat/web-malware-collection )


Of course it's **trivial** to bypass PMF,
but its goal is to catch kiddies and idiots,
not people with a working brain.

If you report a stupid tailored bypass for PMF, you likely belong to one (or
both) category, and should re-read the previous sentence.

## How does it work?

Detection is performed by crawling the filesystem and testing files against a
[set](https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/php.yar)
of [YARA](https://plusvic.github.io/yara/) rules. Yes, it's that simple!


## How to use it?

```
$ ./phpmalwarefinder -h
Usage phpmalwarefinder [-cfhtv] [-l (php|asp)] <file|folder> ...
    -c  Optional path to a configuration file
    -f  Fast mode
    -h  Show this help message
    -t  Specify the number of threads to use (8 by default)
    -v  Verbose mode
    -l  Set language ('asp', 'php')
```

Or if you prefer to use `yara`:

```
$ yara -r ./php.yar /var/www
$ yara -r ./asp.yar /var/www
```

Please keep in mind that you should use at least YARA 3.4 because we're using
[hashes]( https://yara.readthedocs.org/en/latest/modules/hash.html ) for the
whitelist system, and greedy regexps.

Ho, and by the way, you can run the comprehensive testsuite with `make test`.

## Whitelisting

Check the [whitelist.yar](https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/whitelist.yar) file.
If you're lazy, you can generate whitelists for entire folders with the
[generate_whitelist.py](https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/generate_whitelist.py) script.

## Licensing

PHP-malware-finder is [licensed](https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/LICENSE) under the GNU General Public License v3.

The _amazing_ YARA project is licensed under the Apache v2.0 license.

Patches, whitelists or samples are of course more than welcome.