Thursday, 24 September 2015

How To Detect Potentially Malicious PHP Files

How To Detect Potentially Malicious PHP Files ?

Here is the tool called PHP-malware-finder by nbs-system

What does it detect?

PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malwares/webshells.

The following list of encoders/obfuscators/webshells are also detected:

  • Best PHP Obfuscator
  • Carbylamine
  • Cipher Design
  • Cyklodev
  • Joes Web Tools Obfuscator
  • Php Obfuscator Encode
  • SpinObf
  • Weevely3
  • atomiku
  • cobra obfuscator
  • phpencode
  • webtoolsvn

How does it work?

Detection is performed by crawling the filesystem and testing files against a set of YARA rules. Yes, it's that simple!

How to use it?

$ ./phpmalwarefinder -h
Usage phpmalwarefinder [-cfhw] <file|folder> ...
    -c  Optional path to a configuration file
    -f  Fast mode
    -h  Show this help message
    -v  Verbose mode

Or if you prefer to use yara:

$ yara -r ./malwares.yara /var/www



Post a Comment

Note: only a member of this blog may post a comment.

Toggle Footer