PHP-Antimalware-Scanner
PHP Antimalware Scanner
Description
PHP Antimalware Scanner is a free tool to scan PHP files and analyze your project to find any malicious code inside it.
It provides an interactive text terminal console interface to scan a file, or all files in a given directory (file paths
can be also be managed using --filter-paths
or --ignore-paths
), and find PHP code files that seem to contain malicious
code. When a probable malware is detected, will be asked what action to take (like add to whitelist, delete files, try
clean infected code etc…).
The package can also scan the PHP files in a report mode (--report|-r
), so without interact and outputting anything to
the terminal console. In that case the results will be stored in a report file in html (default) or text
format (--report-format <format>
).
This scanner can work on your own php projects and on a lot of others platform using the right combinations of
configurations (ex. using --lite|-l
flag can help to find less false positivity).
⚠️ Remember that you will be solely responsible for any damage to your computer system or loss of data that
results from such activities. You are solely responsible to adequate protection and backup of the data before execute
the scanner.
How to contribute
Have an idea? Found a bug? Please raise to ISSUES
or PULL REQUEST. Contributions are welcome and are
greatly appreciated! Every little bit helps.
📘 Requirements
-
php 5.5+
- php-xml
- php-zip
- php-mbstring
- php-json
- php-common
- php-curl
- php-gd
📖 Install
Release
You can use one of this method to install the scanner downloading it from github or directly from console.
Download
Go on GitHub page and press on Releases tab or download the raw file from:
Console
-
Run this command from console (scanner will be download on your current directory):
wget https://raw.githubusercontent.com/marcocesarato/PHP-Antimalware-Scanner/master/dist/scanner --no-check-certificate
-
Run the scanner:
php scanner ./dir-to-scan -l ...
-
(Optional) Install as bin command (Unix Bash)
Run this command:wget https://raw.githubusercontent.com/marcocesarato/PHP-Antimalware-Scanner/master/dist/scanner --no-check-certificate -O /usr/bin/awscan.phar && printf "#!/bin/bashnphp /usr/bin/awscan.phar $@" > /usr/bin/awscan && chmod u+x,g+x /usr/bin/awscan.phar && chmod u+x,g+x /usr/bin/awscan && export PATH=$PATH":/usr/bin"
<p> Now you can run the scanner simply with this command: <code>awscan ./dir-to-scan -l...</code> </li> </ol> <h3 dir="auto"> <a rel="nofollow noopener" target="_blank" id="user-content-source" class="anchor" aria-hidden="true" href="#source"></a>Source </h3> <h5 dir="auto"> <a rel="nofollow noopener" target="_blank" id="user-content-download-1" class="anchor" aria-hidden="true" href="#download-1"></a>Download </h5> <p> Click on GitHub page “Clone or download” or download from: </p> <h5 dir="auto"> <a rel="nofollow noopener" target="_blank" id="user-content-git" class="anchor" aria-hidden="true" href="#git"></a>Git </h5> <ol dir="auto"> <li> Install git </li> <li> Copy the command and link from below in your terminal:<br /> <code>git clone https://github.com/marcocesarato/PHP-Antimalware-Scanner</code> </li> <li> Change directories to the new <code>~/PHP-Antimalware-Scanner</code> directory:<br /> <code>cd ~/PHP-Antimalware-Scanner/</code> </li> <li> To ensure that your master branch is up-to-date, use the pull command:<br /> <code>git pull https://github.com/marcocesarato/PHP-Antimalware-Scanner</code> </li> <li> Enjoy </li> </ol> <h2 dir="auto"> <a rel="nofollow noopener" target="_blank" id="user-content-whale-docker" class="anchor" aria-hidden="true" href="#whale-docker"></a>🐳 Docker </h2> <ol dir="auto"> <li> Download the source </li> <li> Build command<br /> <code>docker build --tag amwscan-docker .</code> </li> <li> Run command<br /> <code>docker run -it --rm amwscan-docker bash</code> </li> </ol> <h2 dir="auto"> <a rel="nofollow noopener" target="_blank" id="user-content-mag_right-scanning-mode" class="anchor" aria-hidden="true" href="#mag_right-scanning-mode"></a>🔎 Scanning mode </h2> <p> The first think you need to decide is the strength, you need to calibrate your scan to find less false positive as possible during scanning without miss for real malware.<br /> For this you can choose the aggression level.<br /> The scanner permit to have some predefined modes: </p> <p> Mode<br /> Alias<br /> 🚀<br /> Description </p> <p> None (default) </p> <p> 🔴<br /> Search for all functions, exploits and malware signs without any restrictions </p> <p> Only exploits<br /> <code>-e</code><br /> 🟠<br /> Search only for exploits definitionsUse flag: <code>--only-exploits</code> </p> <p> Lite mode<br /> <code>-l</code><br /> 🟡<br /> Search for exploits with some restrictions and malware signs (on WordPress and others platform could detect less false positivity)Use flag: <code>--lite</code> </p> <p> Only functions<br /> <code>-f</code><br /> 🟡<br /> Search only for functions (on some obfuscated code functions couldn’t be detected) Use flag: <code>--only-functions</code> </p> <p> Only signatures<br /> <code>-s</code><br /> 🟢<br /> Search only for malware signatures (could be a good solution for WordPress and others platform to detect less false positivity)Use flag: <code>--only-signatures</code> </p> <h2 dir="auto"> <a rel="nofollow noopener" target="_blank" id="user-content-computer-usage" class="anchor" aria-hidden="true" href="#computer-usage"></a>💻 Usage </h2> <h3 dir="auto"> <a rel="nofollow noopener" target="_blank" id="user-content-command-line" class="anchor" aria-hidden="true" href="#command-line"></a>Command line </h3> <pre class="notranslate"><code>php amwscan ./mywebsite/http/ -l -s --only-exploits
php amwscan -s –max-filesize=“5MB” php amwscan -s -logs="/user/marco/scanner.log" php amwscan –lite –only-exploits php amwscan –exploits=“double_var2” –functions=“eval, str_replace” php amwscan –ignore-paths="/my/path/.log,/my/path//cache/*"
<p> To check all options check the <a rel="nofollow noopener" target="_blank" href="https://marcocesarato.github.io/PHP-Antimalware-Scanner/options">Documentation</a> </p> <h3 dir="auto"> <a rel="nofollow noopener" target="_blank" id="user-content-suggestions" class="anchor" aria-hidden="true" href="#suggestions"></a>Suggestions </h3> <p> If you are running the scanner on a WordPress project or other popular platform use <code>--only-signatures</code> or <code>--lite</code> flag<br /> to have check with less false positive but this could miss some dangerous exploits like <code>nano</code>. </p> <h3 dir="auto"> <a rel="nofollow noopener" target="_blank" id="user-content-programmatically" class="anchor" aria-hidden="true" href="#programmatically"></a>Programmatically </h3> <p> On programmatically silent mode and auto skip are automatically enabled. </p> <pre>use AMWScanScanner;
$app = new Scanner(); $report = $app->setPathScan(“my/path/to/scan”) ->enableBackups() ->setPathBackups("/my/path/backups") ->enableLiteMode() ->setAutoClean() ->run();
<h5 dir="auto"> <a rel="nofollow noopener" target="_blank" id="user-content-report-object" class="anchor" aria-hidden="true" href="#report-object"></a>Report Object </h5> <pre>object(stdClass) (7) {
[“scanned”] => int(0) [“detected”] => int(0) [“removed”] => array(0) {} [“ignored”] => array(0) {} [“edited”] => array(0) {} [“quarantine”] => array(0) {} [“whitelist”] => array(0) {} }
<h2 dir="auto"> <a rel="nofollow noopener" target="_blank" id="user-content-art-screenshots" class="anchor" aria-hidden="true" href="#art-screenshots"></a>🎨 Screenshots </h2> <h3 dir="auto"> <a rel="nofollow noopener" target="_blank" id="user-content-report" class="anchor" aria-hidden="true" href="#report"></a>Report </h3> <blockquote> <p> HTML report format (<code>default</code>) </p> </blockquote> <h3 dir="auto"> <a rel="nofollow noopener" target="_blank" id="user-content-interactive-cli" class="anchor" aria-hidden="true" href="#interactive-cli"></a>Interactive CLI </h3>