# PHP Malware Finder
```
 _______  __   __  _______
|   ___ ||  |_|  ||       |
|   |   ||       ||   ___|
|   |___||       ||   |___      Webshell finder,
|    ___||       ||   ___|      kiddies hunter,
|   |    | ||_|| ||   |         website cleaner.
|___|    |_|   |_||___|
Detect potentially malicious PHP files.
```
## What does it detect?
PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as
files using PHP functions often used in malware/webshells.
The following encoders/obfuscators/webshells are also detected:
* [Best PHP Obfuscator](http://www.pipsomania.com/best_php_obfuscator.do)
* [Carbylamine](https://code.google.com/p/carbylamine/)
* [Cipher Design](http://cipherdesign.co.uk/service/php-obfuscator)
* [Cyklodev](http://sysadmin.cyklodev.com/online-php-obfuscator/)
* [Joes Web Tools Obfuscator](http://www.joeswebtools.com/security/php-obfuscator/)
* [Php Obfuscator Encode](http://w3webtools.com/encode-php-online/)
* [SpinObf](http://mohssen.org/SpinObf.php)
* [Weevely3](https://github.com/epinna/weevely3)
* [atomiku](http://atomiku.com/online-php-code-obfuscator/)
* [cobra obfuscator](http://obfuscator.uk/example/)
* [phpencode](http://phpencode.org)
* [webtoolsvn](http://www.webtoolsvn.com/en-decode/)
* [tennc](http://tennc.github.io/webshell/)
* [web-malware-collection](https://github.com/nikicat/web-malware-collection)
Of course it's easy to bypass PMF, but its goal is to catch kiddies and idiots,
not people with a working brain.
## How does it work?
Detection is performed by crawling the filesystem and testing files against a
[set](https://github.com/nbs-system/php-malware-finder/blob/master/malwares.yara)
of [YARA](https://plusvic.github.io/yara/) rules. Yes, it's that simple!
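To make the crawl-and-match idea concrete, here is an added Python sketch written for this README; it is not the project's code, which drives real YARA rules from `malwares.yara`. It walks a directory, tests every PHP file against a few hypothetical pattern rules of the kind PMF's YARA rules encode, counts distinct suspicious PHP functions as a second signal, and skips files whose SHA-1 is on a whitelist, the same value YARA's `hash.sha1(0, filesize)` computes. The rule names, patterns, threshold and sample files are all constructed for this example.

```python
"""Added illustration of the PMF approach (not part of the project): crawl a
directory, test each PHP file against a small set of pattern rules, and skip
files whose SHA-1 appears on a whitelist.  The rule names, patterns and the
threshold below are hypothetical stand-ins for the project's YARA rules."""
import hashlib
import os
import re
import sys

PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".inc"}

# Hypothetical "dodgy code" rules: a single hit is enough to flag a file.
DODGY_RULES = {
    # eval() fed directly by a decoder is the classic packed-payload shape
    "eval_of_decoded_payload": re.compile(
        rb"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # a very long base64 literal in source is usually an embedded payload
    "long_base64_literal": re.compile(rb"[\"'][A-Za-z0-9+/]{120,}={0,2}[\"']"),
    # long runs of \xNN escapes hide strings from grep-based review
    "long_hex_escape_run": re.compile(rb"(?:\\x[0-9a-fA-F]{2}){16,}"),
}

# Functions often used in webshells; several distinct ones together are a
# signal even when no single rule fires.
SUSPICIOUS_FUNCS = re.compile(
    rb"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    rb"base64_decode|gzinflate|str_rot13|create_function)\s*\(", re.I)
SUSPICIOUS_FUNC_THRESHOLD = 3  # hypothetical tuning knob


def sha1_hex(data: bytes) -> str:
    """SHA-1 of the whole buffer, the value yara's hash.sha1(0, filesize) yields."""
    return hashlib.sha1(data).hexdigest()


def scan_bytes(data: bytes, whitelist=frozenset()) -> dict:
    """Verdict for one file's contents; a whitelisted hash short-circuits every rule."""
    digest = sha1_hex(data)
    if digest in whitelist:
        return {"sha1": digest, "whitelisted": True, "rules": [], "funcs": [], "flagged": False}
    rules = [name for name, rx in DODGY_RULES.items() if rx.search(data)]
    funcs = sorted({m.group(1).lower().decode() for m in SUSPICIOUS_FUNCS.finditer(data)})
    flagged = bool(rules) or len(funcs) >= SUSPICIOUS_FUNC_THRESHOLD
    return {"sha1": digest, "whitelisted": False, "rules": rules, "funcs": funcs, "flagged": flagged}


def scan_tree(root: str, whitelist=frozenset()):
    """Walk `root` the way PMF crawls a web root; yield (path, verdict) per PHP file."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() in PHP_EXTENSIONS:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    yield path, scan_bytes(fh.read(), whitelist)


# Constructed samples so the script runs stand-alone; none of them is real malware.
BENIGN_SAMPLE = b"<?php\n$title = htmlspecialchars($_GET['t'] ?? 'home');\necho $title;\n"
# The base64 literal decodes to the harmless statement  echo 'hi';
DODGY_SAMPLE = b"<?php\neval(base64_decode('ZWNobyAnaGknOw=='));\n"
FUNC_HEAVY_SAMPLE = b"<?php\n$out = shell_exec($cmd); passthru($cmd); system($cmd);\n"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("dodgy", DODGY_SAMPLE),
                          ("func-heavy", FUNC_HEAVY_SAMPLE)):
        print(f"{label:10s} {scan_bytes(sample)}")
    # Whitelisting a file by hash silences it, which is what whitelist.yara does.
    print("whitelisted dodgy sample flagged:",
          scan_bytes(DODGY_SAMPLE, {sha1_hex(DODGY_SAMPLE)})["flagged"])
    if len(sys.argv) > 1:  # optional: scan a real directory given on the command line
        for path, verdict in scan_tree(sys.argv[1]):
            if verdict["flagged"]:
                print(path, verdict["rules"], verdict["funcs"])
```

The two-tier verdict mirrors what the README describes: one rule for clearly obfuscated code, plus a count of functions that are individually common in legitimate code but rarely appear three at a time in a single file. A hash whitelist sits in front of both, so a reviewed file is never re-flagged regardless of which rules it would otherwise trip.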
## How to use it?
```
$ ./phpmalwarefinder -h
Usage phpmalwarefinder [-cfhw] <file|folder> ...
-c Optional path to a configuration file
-f Fast mode
-h Show this help message
-t Specify the number of threads to use (8 by default)
-v Verbose mode
```
Or if you prefer to use `yara`:
```
$ yara -r ./malwares.yara /var/www
```
Please keep in mind that you should use at least YARA 3.2 because we're using
[hashes](https://yara.readthedocs.org/en/latest/modules/hash.html) for the
whitelist system.
## Whitelisting
Check the [whitelist.yara](https://github.com/nbs-system/php-malware-finder/blob/master/whitelist.yara) file.
If you're lazy, you can generate whitelists for entire folders with the
[generate_whitelist.py](https://github.com/nbs-system/php-malware-finder/blob/master/generate_whitelist.py) script.
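The whitelist mechanism is easy to reproduce. The following is an added example written for this README, not the project's `generate_whitelist.py`: it hashes every PHP file under a directory and renders a YARA rule that matches those files by SHA-1 through the `hash` module. The rule layout (an `import "hash"` header and a private rule whose condition ORs `hash.sha1(0, filesize) == "<sha1>"` terms) and the rule name are assumptions modelled on `whitelist.yara`; compare with the repository's file before relying on it.

```python
"""Added example (not the project's generate_whitelist.py): hash every PHP
file under a directory and emit a YARA whitelist rule.  The rule layout is an
assumption modelled on PMF's whitelist.yara."""
import hashlib
import os
import sys

PHP_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".phtml", ".inc")


def sha1_file(path: str) -> str:
    """Stream the file through SHA-1 so large trees need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_hashes(root: str) -> dict:
    """Map root-relative path -> sha1 for every PHP file under root, sorted by path."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PHP_EXTENSIONS):
                path = os.path.join(dirpath, name)
                found[os.path.relpath(path, root)] = sha1_file(path)
    return dict(sorted(found.items()))


def render_whitelist(hashes: dict, rule_name: str = "WhiteListedFiles") -> str:
    """Render the hashes as YARA source; an empty set yields a rule that never matches."""
    items = sorted(hashes.items())
    body = []
    for index, (path, digest) in enumerate(items):
        joiner = " or" if index < len(items) - 1 else ""
        body.append(f"        // {path}")  # keeps the rule reviewable by humans
        body.append(f'        hash.sha1(0, filesize) == "{digest}"{joiner}')
    if not body:
        body.append("        false  // no files hashed")
    header = ['import "hash"', "", f"private rule {rule_name}", "{", "    condition:"]
    return "\n".join(header + body + ["}"]) + "\n"


if __name__ == "__main__":
    # usage (hypothetical script name): python3 make_whitelist.py /var/www/vendor > whitelist.yara
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    sys.stdout.write(render_whitelist(collect_hashes(target)))
```

Because a whitelist entry trusts one exact file content, the rule has to be regenerated whenever the whitelisted tree is updated, and only trees that have actually been reviewed belong in it; hashing a directory that already contains a webshell simply hides it from future scans.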
## Licensing
PHP-malware-finder is [licensed](https://github.com/nbs-system/php-malware-finder/blob/master/LICENSE) under the GNU General Public License v3.
The _amazing_ YARA project is licensed under the Apache v2.0 license.
Patches, whitelists or samples are of course more than welcome.