php-malware-finder,Detect potentially malicious PHP files,detect webshell

PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malwares/webshells.

The following list of encoders/obfuscators/webshells are also detected:

Best PHP Obfuscator

Carbylamine

Cipher Design

Cyklodev

Joes Web Tools Obfuscator

P.A.S

PHP Jiami

Php Obfuscator Encode

SpinObf

Weevely3

atomiku

cobra obfuscator

phpencode

tennc

web-malware-collection

webtoolsvn

novahot

Of course it’s trivial to bypass PMF, but its goal is to catch kiddies and idiots, not people with a working brain. If you report a stupid tailored bypass for PMF, you likely belong to one (or both) category, and should re-read the previous statement.

How does it work?

Detection is performed by crawling the filesystem and testing files against a set of YARA rules. Yes, it’s that simple!

Instead of using an hash-based approach, PMF tries as much as possible to use semantic patterns, to detect things like “a $_GET variable is decoded two times, unziped, and then passed to some dangerous function like system“.

Usage

git clone http://ift.tt/2qNfWHL
$ ./phpmalwarefinder -h
Usage phpmalwarefinder [-cfhtv] [-l (php|asp)] …
-c Optional path to a configuration file
-f Fast mode
-h Show this help message
-t Specify the number of threads to use (8 by default)
-v Verbose mode
-l Set language (‘asp’, ‘php’)

Or if you prefer to use yara:

$ yara -r ./php.yar /var/www
$ yara -r ./asp.yar /var/www

The post php-malware-finder | Detect potentially malicious PHP files appeared first on Penetration Testing in Linux. http://ift.tt/2p6db7O http://ift.tt/2aM8QhC

Anúncios

Deixe um comentário

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do WordPress.com

Você está comentando utilizando sua conta WordPress.com. Sair / Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair / Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair / Alterar )

Foto do Google+

Você está comentando utilizando sua conta Google+. Sair / Alterar )

Conectando a %s