  • Stars: 557
  • Rank: 79,968 (Top 2 %)
  • Language: PHP
  • License: GNU General Publi...
  • Created over 6 years ago
  • Updated about 1 year ago

Repository Details

AMWScan (PHP Antimalware Scanner) is a free tool to scan PHP files and analyze your project to find any malicious code inside it.

PHP Antimalware Scanner

If this project helped you out, please support us with a star ⭐

Documentation

Description

PHP Antimalware Scanner is a free tool to scan PHP files and analyze your project to find any malicious code inside it.

It provides an interactive text console interface to scan a file, or all files in a given directory (file paths can also be managed using --filter-paths or --ignore-paths), and find PHP code files that seem to contain malicious code. When probable malware is detected, you are asked what action to take (for example add the file to the whitelist, delete it, or try to clean the infected code).

The package can also scan PHP files in report mode (--report|-r), that is, without interaction and without printing anything to the terminal console. In that case, the results are stored in a report file in HTML (default) or text format (--report-format <format>).

This scanner can work on your own PHP projects and on many other platforms with the right combination of options (e.g. the --lite|-l flag can help reduce false positives).

⚠️ Remember that you will be solely responsible for any damage to your computer system or loss of data that results from such activities. You are solely responsible for adequate protection and backup of the data before executing the scanner.

How to contribute

Have an idea? Found a bug? Please open an issue or a pull request. Contributions are welcome and are greatly appreciated! Every little bit helps.

📘 Requirements

  • php 5.5+
    • php-xml
    • php-zip
    • php-mbstring
    • php-json
    • php-common
    • php-curl
    • php-gd

📖 Install

Release

You can use one of these methods to install the scanner by downloading it from GitHub or directly from the console.

Download

Go to the GitHub page and press on the Releases tab or download the raw file from:

Download

Console

  1. Run this command from the console (the scanner will be downloaded to your current directory):

    wget https://raw.githubusercontent.com/marcocesarato/PHP-Antimalware-Scanner/master/dist/scanner

  2. Run the scanner:

    php scanner ./dir-to-scan -l ...

  3. (Optional) Install as bin command (Unix Bash)

    Run this command:

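    # Download the scanner to /usr/bin, then create a wrapper script named "awscan".
    # Single quotes keep "#!" and "$@" literal; "$@" forwards every argument unchanged.
    wget https://raw.githubusercontent.com/marcocesarato/PHP-Antimalware-Scanner/master/dist/scanner -O /usr/bin/awscan.phar && \
    printf '#!/bin/bash\nphp /usr/bin/awscan.phar "$@"\n' > /usr/bin/awscan && \
    chmod u+x,g+x /usr/bin/awscan.phar && \
    chmod u+x,g+x /usr/bin/awscan && \
    export PATH=$PATH":/usr/bin"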

    Now you can run the scanner simply with this command: awscan ./dir-to-scan -l...
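
The console install above writes whatever is currently on the master branch into /usr/bin without checking it. The following POSIX sh script is an added example, not part of the project's documentation: it downloads to a temporary file and installs only when the SHA-256 matches a digest pinned after reviewing a build. PINNED_SHA256 is a placeholder and the function names are this example's own.

```sh
#!/bin/sh
# Added example: install the scanner only if it matches a pinned SHA-256.
set -u

SCANNER_URL="https://raw.githubusercontent.com/marcocesarato/PHP-Antimalware-Scanner/master/dist/scanner"
# Placeholder (assumption): the page publishes no digest. Record the digest
# of a build you have reviewed and paste its 64 hex characters here.
PINNED_SHA256="<sha256-of-reviewed-build>"

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    else
        shasum -a 256 < "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED: succeed only on an exact digest match.
# The body is a subshell so its variables stay local (POSIX sh has no "local").
verify_sha256() (
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || exit 2
    # Require exactly 64 hex digits so an unfilled placeholder is rejected.
    case "$expected" in
        *[!0-9a-f]*) exit 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || exit 3
    [ "$(sha256_of "$file")" = "$expected" ]
)

# install_scanner DEST: download to a temp file, verify, then install.
install_scanner() (
    dest=$1
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    wget -q -O "$tmp" "$SCANNER_URL" || exit 1
    if ! verify_sha256 "$tmp" "$PINNED_SHA256"; then
        echo "digest mismatch or no pinned digest: not installing" >&2
        exit 1
    fi
    install -m 0755 "$tmp" "$dest"
)

# Does nothing without an argument, e.g.: sh install-awscan.sh /usr/bin/awscan.phar
if [ "$#" -gt 0 ]; then
    install_scanner "$1"
fi
```

With the placeholder left in place the script refuses to install, so a digest has to be pinned deliberately before first use.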

Source

Download

Click the GitHub page "Clone or download" or download from:

Download

Git

  1. Install git
  2. Run the following command in your terminal: git clone https://github.com/marcocesarato/PHP-Antimalware-Scanner
  3. Change directories to the new ~/PHP-Antimalware-Scanner directory: cd ~/PHP-Antimalware-Scanner/
  4. To ensure that your master branch is up-to-date, use the pull command: git pull https://github.com/marcocesarato/PHP-Antimalware-Scanner
  5. Enjoy

🐳 Docker

  1. Download the source
  2. Build the image: docker build --tag amwscan-docker .
  3. Run a container: docker run -it --rm amwscan-docker bash

🔎 Scanning mode

The first thing you need to decide is the strength of the scan: calibrate it to produce as few false positives as possible without missing real malware. To do this, choose the aggression level.

The scanner provides some predefined modes:

  • None (default) 🔴: Search for all functions, exploits and malware signs without any restrictions.
  • Only exploits (alias -e, flag --only-exploits) 🟠: Search only for exploit definitions.
  • Lite mode (alias -l, flag --lite) 🟡: Search for exploits with some restrictions and for malware signs (on WordPress and other platforms this could produce fewer false positives).
  • Only functions (alias -f, flag --only-functions) 🟡: Search only for functions (in some obfuscated code, functions may not be detected).
  • Only signatures (alias -s, flag --only-signatures) 🟢: Search only for malware signatures (could be a good solution for WordPress and other platforms to get fewer false positives).

💻 Usage

Command line

php amwscan ./mywebsite/http/ -l -s --only-exploits
php amwscan -s --max-filesize="5MB"
php amwscan -s -logs="/user/marco/scanner.log"
php amwscan --lite --only-exploits
php amwscan --exploits="double_var2" --functions="eval, str_replace"
php amwscan --ignore-paths="/my/path/*.log,/my/path/*/cache/*"

To see all options, check the Documentation.

Suggestions

If you are running the scanner on a WordPress project or another popular platform, use the --only-signatures or --lite flag to get fewer false positives, but note that this could miss some dangerous exploits like nano.

Programmatically

When the scanner is used programmatically, silent mode and auto skip are automatically enabled.

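use AMWScan\Scanner;

$app = new Scanner();
$report = $app->setPathScan("my/path/to/scan")      // file or directory to scan
              ->enableBackups()                      // enable backups
              ->setPathBackups("/my/path/backups")   // where backups are written
              ->enableLiteMode()                     // lite mode (see Scanning mode)
              ->setAutoClean()                       // automatic cleaning
              ->run();                               // returns the report object

Report Object
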
object(stdClass) (7) {
  ["scanned"]    => int(0)
  ["detected"]   => int(0)
  ["removed"]    => array(0) {}
  ["ignored"]    => array(0) {}
  ["edited"]     => array(0) {}
  ["quarantine"] => array(0) {}
  ["whitelist"]  => array(0) {}
}
