How To Detect Potentially Malicious PHP Files?
Here is a tool called PHP-malware-finder, by nbs-system.
What does it detect?
PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malware/webshells.
The following encoders/obfuscators/webshells are also detected:
- Best PHP Obfuscator
- Cipher Design
- Joes Web Tools Obfuscator
- Php Obfuscator Encode
- cobra obfuscator
How does it work?
Detection is performed by crawling the filesystem and testing files against a set of YARA rules. Yes, it's that simple!
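To illustrate the kind of rule this approach relies on, here is an added example that is not taken from PHP-malware-finder's rule set; the rule name, string identifiers and size limit are assumptions chosen for illustration:

```yara
// Added example rule; not part of PHP-malware-finder.
// Rule name, string identifiers and the size limit are assumptions.
rule Example_PHP_DecodeThenExecute
{
    meta:
        description = "PHP file that pairs a decoder with dynamic code execution"
        note = "constructed example; expect false positives and triage hits manually"

    strings:
        // Only consider files that actually contain PHP code
        $php_tag = "<?php" nocase

        // Functions that execute a string as code
        $exec_eval   = /\beval\s*\(/ nocase
        $exec_assert = /\bassert\s*\(/ nocase
        $exec_create = /\bcreate_function\s*\(/ nocase

        // Decoders often chained in front of them to hide the payload
        $dec_b64     = /\bbase64_decode\s*\(/ nocase
        $dec_inflate = /\bgzinflate\s*\(/ nocase
        $dec_rot13   = /\bstr_rot13\s*\(/ nocase

    condition:
        // Skip very large files, then require one executor and one decoder
        filesize < 2MB and
        $php_tag and
        any of ($exec_*) and
        any of ($dec_*)
}
```

Saved under a hypothetical filename such as example.yara, it is run with the yara command-line scanner in recursive mode, for instance: yara -r example.yara /var/www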
How to use it?
$ ./phpmalwarefinder -h
Usage phpmalwarefinder [-cfhw] <file|folder> ...
    -c  Optional path to a configuration file
    -f  Fast mode
    -h  Show this help message
    -v  Verbose mode
Or if you prefer to use yara:
$ yara -r ./malwares.yara /var/www