定制 scr34m/php-malware-scanner 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

scr34m/php-malware-scanner

Composer 安装命令:

composer require scr34m/php-malware-scanner

包简介

Scans PHP files for malwares and known threats

README 文档

README

Traversing directories for files with php extensions and testing files against text or regexp rules, the rules based on self gathered samples and publicly available malwares/webshells. The goal is to find infected files and fight against kiddies, because to easy to bypass rules.

How to install?

Simply clone the repository or with composer install globally composer global require scr34m/php-malware-scanner.

How to use?

Usage: php scan.php -d <directory>
    -h                   --help               Show this help message
    -d <directory>       --directory          Directory for searching
    -e <file extension>  --extension          File Extension to Scan
    -E                   --scan-everything    Scan all files, with or without extensions
    -i <directory|file>  --ignore             Directory of file to ignore
    -a                   --all-output         Enables --checksum,--comment,--pattern,--time
    -b                   --base64             Scan for base64 encoded PHP keywords
    -m                   --checksum           Display MD5 Hash/Checksum of file
    -c                   --comment            Display comments for matched patterns
    -x                   --extra-check        Adds GoogleBot and htaccess to Scan List
    -l                   --follow-symlink     Follow symlinked directories
    -k                   --hide-ok            Hide results with 'OK' status
    -r                   --hide-err           Hide results with 'ER' status
    -w                   --hide-whitelist     Hide results with 'WL' status
    -n                   --no-color           Disable color mode
    -s                   --no-stop            Continue scanning file after first hit
    -p                   --pattern            Show Patterns next to the file name
    -t                   --time               Show time of last file change
    -L                   --line-number        Display matching pattern line number in file
    -o                   --output-format      Custom defined output format
    -j <version>         --wordpress-version  Version of wordpress to get md5 signatures
                         --combined-whitelist Combined whitelist
                         --custom-whitelist   Loads whitelist from specified file and merge with existing
                         --disable-stats      Disable statistics output

Ignore argument could be used multiple times and accept glob style matching ex.: "cache*", "??-cache.php" or "/cache" etc.

Extension argument defaults to ".php" and also can be used multiple times too.

  • --base64 is an alternative scan mode which ignores the main pattern files and uses a large list of php keywords and functions that have been converted to base64. Slower and prone to false positives, but gives additional base64 scanning coverage. These pattern files are located in base64_patterns and were derived from php 7 keywords and functions. Not many PHP extensions are included.
  • --comment flag will display the last comment to appear in the pattern file before the matched pattern, so documenting the pattern files is important.

Output formatting

Default output depending on the specified parameters, but the full format is "%S %T %M # {%F} %C %P # %L" and using ANSI coloring too.

Possible variables are:

  • %S - matching indicator, possible values are OK, ER, WL
  • %T - file change time
  • %M - file md5 hash value
  • %F - file with path
  • %P - pattern
  • %C - pattern comment
  • %L - matching pattern line number

Patterns

There are three main pattern files the cover different types of pattern matching. There is one pattern per line. All lines where the very first character is a "#" is considered a comment and not used as a pattern. Whitespace in the pattern files is not used.

  • patterns_raw.txt - Raw string matching
  • patterns-iraw.txt - Case insensitive raw string matching
  • patterns-re.txt- Regular expression matching.

Whitelisting

See whitelist.txt file for a predefined MD5 hash list. Only the first 32 characters are used, rest of the line ignored so feel free to leave a comment.

Wordpress md5 sum whitelisting

You can automatically add md5sum from wordpress core files by specifing version as argument to --wordpress-version or -j. Example:

scan -d . -j 4.9.2

That will automatically get md5sums from wordpress api (https://api.wordpress.org/core/checksums/1.0/?version=x.x.x) and add it to whitelist. To check your version simply check wp-includes/version.php file of your wordpress

Combined whitelist

This list is a pre generated database for opensource projects more information at https://scr34m.github.io/php-malware-scanner/ site. The scanner check for database hash validity and only download if it is different and of course when argument used.

Tools

text2base64.py

Takes a plaintext string as input and returns 3 base64 string equivalents. Python script that needs to be executed from the terminal to be used.

It is worth noting that the presence of one of the three output strings in a block of text does not 100% guarantee that the string was present in the original code. It is guaranteed that IF the subject string was present in the original code, then one of the three output strings will be present in the base64 version.

$ python tools/text2base64.py 'base64_decode'  
YmFzZTY0X2RlY29kZ  
Jhc2U2NF9kZWNvZG  
iYXNlNjRfZGVjb2Rl

An example: The presence of 'YmFzZTY0X2RlY29kZ' does not guarantee that 'base64_decode' is in the plain text code.
It is guaranteed that IF 'base64_decode' was present in the plain text code, then one of these three base64 strings WILL be present. The presence of 'YmFzZTY0X2RlY29kZ' in a block of code may be because 'ase64_decod' was in the original code.
ote the missing edge characters which is due to bit misalignment and character bleed.

Using as library

The scan.php perform a check, that it's called by commandline or not, so to use as library use different directory than scan.php it self.

<?php

require_once '../scan.php';

$scan = new MalwareScanner();
$scan->setFlagHideWhitelist(true);
$scan->setFlagHideOk(true);
$scan->run('../samples/test');

Resources

Licensing

PHP malware scanner is licensed under the GNU General Public License v3.

Docker Usage

You can also run the scanner using Docker:

  1. Build the image:
docker build -t php-malware-scanner .
  1. Scan a directory:
docker run -v /path/to/scan:/code php-malware-scanner -d /code

For example, to scan a WordPress installation:

docker run -v /var/www/html:/code php-malware-scanner -d /code -j 6.4.1

Common usage with flags:

# Show only infected files (hide OK status)
docker run -v /path/to/scan:/code php-malware-scanner -d /code -k

# Show comments for matched patterns
docker run -v /path/to/scan:/code php-malware-scanner -d /code -c

# Show MD5 hashes and continue after first match
docker run -v /path/to/scan:/code php-malware-scanner -d /code -m -s

The /code directory inside the container is where your files will be mounted for scanning.

scr34m/php-malware-scanner 适用场景与选型建议

scr34m/php-malware-scanner 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 51.49k 次下载、GitHub Stars 达 603, 最近一次更新时间为 2018 年 03 月 06 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「commandline」 「scanner」 「malware」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 scr34m/php-malware-scanner 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 scr34m/php-malware-scanner 我们能提供哪些服务?
定制开发 / 二次开发

基于 scr34m/php-malware-scanner 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 51.49k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 603
  • 点击次数: 31
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 603
  • Watchers: 40
  • Forks: 101
  • 开发语言: PHP

其他信息

  • 授权协议: GPL-3.0
  • 更新时间: 2018-03-06