The following list of encoders/obfuscators/webshells are also detected:
Best PHP Obfuscator
Joes Web Tools Obfuscator
Php Obfuscator Encode
Of course it's trivial to bypass PMF, but its goal is to catch kiddies and idiots, not people with a working brain. If you report a stupid tailored bypass for PMF, you likely belong to one (or both) of those categories, and should re-read the previous statement.
How does it work?
Detection is performed by crawling the filesystem and testing files against a set of YARA rules. Yes, it’s that simple!
Instead of using a hash-based approach, PMF tries as much as possible to use semantic patterns, to detect things like "a $_GET variable is decoded two times, unzipped, and then passed to some dangerous function like system".
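As an added illustration of the hash-versus-semantic distinction (this is not code from the PMF repository, whose real rules are written in YARA), here is a small Python detector that flags the "input decoded twice, then passed to a dangerous function" shape on constructed sample files; the function names, regexes and samples are assumptions made for this example.

```python
import hashlib
import re

# Constructed samples (not from the PMF repository): the same backdoor twice,
# differing only in whitespace, input source and quoting, plus a benign file.
SAMPLES = {
    "shell_a.php": "<?php system(gzinflate(base64_decode($_GET['c']))); ?>",
    "shell_b.php": '<?php  system( gzinflate( base64_decode( $_POST["cmd"] ) ) ); ?>',
    "benign.php": "<?php echo base64_decode($_GET['logo']); ?>",
}

# A hash list only knows the exact bytes of samples it has already seen.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLES["shell_a.php"].encode()).hexdigest()}

# The three building blocks of the semantic pattern: user input, decoders, sinks.
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")
DECODERS = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13"
                      r"|urldecode|rawurldecode)\s*\(", re.I)
SINKS = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
                   r"\s*\(", re.I)

def hash_verdict(src):
    """True only if the file is byte-for-byte identical to a known sample."""
    return hashlib.sha256(src.encode()).hexdigest() in KNOWN_BAD_SHA256

def decode_chain_depth(src):
    """Largest number of decoders opened between a dangerous sink and the
    superglobal read that follows it, i.e. how many layers wrap the input.
    This is an approximation: it counts decoder calls textually instead of
    parsing the PHP, which is enough for the one-liner shape shown here."""
    best = 0
    for sink in SINKS.finditer(src):
        inp = SUPERGLOBAL.search(src, sink.end())
        if inp:
            best = max(best, len(DECODERS.findall(src[sink.end():inp.start()])))
    return best

def semantic_verdict(src, min_decodes=2):
    """Flag input that is decoded at least min_decodes times before a sink."""
    return decode_chain_depth(src) >= min_decodes

def scan(samples):
    """Return {filename: (hash_hit, semantic_hit)} for every sample."""
    return {name: (hash_verdict(src), semantic_verdict(src))
            for name, src in samples.items()}
```

Calling scan(SAMPLES) gives a hash hit only for shell_a.php, while the semantic check catches both shells (the cosmetic edits in shell_b.php change the hash but not the pattern) and leaves benign.php alone, since it decodes only once and reaches no sink.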
$ git clone http://ift.tt/2qNfWHL
$ ./phpmalwarefinder -h
Usage phpmalwarefinder [-cfhtv] [-l (php|asp)] …
-c Optional path to a configuration file
-f Fast mode
-h Show this help message
-t Specify the number of threads to use (8 by default)
-v Verbose mode
-l Set language (‘asp’, ‘php’)
Or if you prefer to use yara:
$ yara -r ./php.yar /var/www
$ yara -r ./asp.yar /var/www