[![Build Status](https://travis-ci.org/nbs-system/php-malware-finder.svg?branch=master)](https://travis-ci.org/nbs-system/php-malware-finder) # PHP Malware Finder ``` _______ __ __ _______ | ___ || |_| || | | | | || || ___| | |___| || || |___ Webshell finder, | ___|| || ___| kiddies hunter, | | | ||_|| || | website cleaner. |___| |_| |_||___| Detect potentially malicious PHP files. ``` ## What does it detect? PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malwares/webshells. The following list of encoders/obfuscators/webshells are also detected: * [Best PHP Obfuscator]( http://www.pipsomania.com/best_php_obfuscator.do ) * [Carbylamine]( https://code.google.com/p/carbylamine/ ) * [Cipher Design]( http://cipherdesign.co.uk/service/php-obfuscator ) * [Cyklodev]( http://sysadmin.cyklodev.com/online-php-obfuscator/ ) * [Joes Web Tools Obfuscator]( http://www.joeswebtools.com/security/php-obfuscator/ ) * [Php Obfuscator Encode]( http://w3webtools.com/encode-php-online/ ) * [SpinObf]( http://mohssen.org/SpinObf.php ) * [Weevely3]( https://github.com/epinna/weevely3 ) * [atomiku]( http://atomiku.com/online-php-code-obfuscator/ ) * [cobra obfuscator]( http://obfuscator.uk/example/ ) * [phpencode]( http://phpencode.org ) * [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ ) * [tennc]( http://tennc.github.io/webshell/ ) * [web-malware-collection]( https://github.com/nikicat/web-malware-collection ) * [P.A.S]( http://profexer.name/pas/download.php ) Of course it's **trivial** to bypass PMF, but its goal is to catch kiddies and idiots, not people with a working brain. If you report a stupid tailored bypass for PMF, you likely belong to one (or both) category, and should re-read the previous sentence. ## How does it work? Detection is performed by crawling the filesystem and testing files against a [set](https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/php.yar) of [YARA](https://plusvic.github.io/yara/) rules. Yes, it's that simple! Instead of using an *hash-based* approach, PMF tries as much as possible to use semantic patterns, to detect things like "a `$_GET` variable is decoded two times, unziped, and then passed to some dangerous function like `system`". ## How to use it? ``` $ ./phpmalwarefinder -h Usage phpmalwarefinder [-cfhtv] [-l (php|asp)] ... -c Optional path to a configuration file -f Fast mode -h Show this help message -t Specify the number of threads to use (8 by default) -v Verbose mode -l Set language ('asp', 'php') ``` Or if you prefer to use `yara`: ``` $ yara -r ./php.yar /var/www $ yara -r ./asp.yar /var/www ``` Please keep in mind that you should use at least YARA 3.4 because we're using [hashes]( https://yara.readthedocs.org/en/latest/modules/hash.html ) for the whitelist system, and greedy regexps. Please note that if you plan to build yara from sources, libssl-dev must be installed on your system in order to have support for hashes. Ho, and by the way, you can run the comprehensive testsuite with `make test`. ## Whitelisting Check the [whitelist.yar](https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/whitelist.yar) file. If you're lazy, you can generate whitelists for entire folders with the [generate_whitelist.py](https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/generate_whitelist.py) script. ## Why should I use it instead of something else? Because: - It doesn't use [a single rule per sample]( https://github.com/Neo23x0/signature-base/blob/e264d66a8ea3be93db8482ab3d639a2ed3e9c949/yara/thor-webshells.yar ), since it only cares about finding malicious patterns, not specific webshells - Its whitelist system doesn't rely on filenames - It doesn't rely on (slow) entropy calculation - It uses a ghetto-style static analysis, instead of relying on file hashes - Thanks to the aforementioned pseudo-static analysis, it works on obfuscated files too ## Licensing PHP-malware-finder is [licensed](https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/LICENSE) under the GNU General Public License v3. The _amazing_ YARA project is licensed under the Apache v2.0 license. Patches, whitelists or samples are of course more than welcome.