{"id":13519190,"url":"https://github.com/jvoisin/php-malware-finder","last_synced_at":"2025-09-28T21:31:23.859Z","repository":{"id":34484322,"uuid":"38423721","full_name":"jvoisin/php-malware-finder","owner":"jvoisin","description":"Detect potentially malicious PHP files","archived":true,"fork":false,"pushed_at":"2023-10-20T16:02:54.000Z","size":3753,"stargazers_count":1475,"open_issues_count":11,"forks_count":284,"subscribers_count":74,"default_branch":"master","last_synced_at":"2025-01-11T07:42:26.978Z","etag":null,"topics":["antivirus","malware","php","webshell","yara"],"latest_commit_sha":null,"homepage":null,"language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jvoisin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2015-07-02T09:29:21.000Z","updated_at":"2025-01-09T20:27:34.000Z","dependencies_parsed_at":"2023-01-15T07:22:25.729Z","dependency_job_id":"d4df0833-d2ae-41e8-9909-b436fe356642","html_url":"https://github.com/jvoisin/php-malware-finder","commit_stats":{"total_commits":352,"total_committers":26,"mean_commits":"13.538461538461538","dds":0.7727272727272727,"last_synced_commit":"1b85a73a5ee7eca8af9095acfab6fa608a5e0fd4"},"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jvoisin%2Fphp-malware-finder","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jvoisin%2Fphp-malware-finder/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jvoisin%2Fphp-malware-finder/releases","manifests_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/repositories/jvoisin%2Fphp-malware-finder/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jvoisin","download_url":"https://codeload.github.com/jvoisin/php-malware-finder/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":234563155,"owners_count":18853062,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antivirus","malware","php","webshell","yara"],"created_at":"2024-08-01T05:01:55.321Z","updated_at":"2025-09-28T21:31:23.381Z","avatar_url":"https://github.com/jvoisin.png","language":"PHP","funding_links":[],"categories":["PHP","PHP (184)"],"sub_categories":[],"readme":"![Test Suite](https://github.com/jvoisin/php-malware-finder/actions/workflows/test.yml/badge.svg)\n\n# PHP Malware Finder\n\n ```\n  _______  __   __  _______\n |  ___  ||  |_|  ||       |\n | |   | ||       ||    ___|\n | |___| ||       ||   |___   Webshell finder,\n |    ___||       ||    ___|   kiddies hunter,\n |   |    | ||_|| ||   |\t\twebsite cleaner.\n |___|    |_|   |_||___|\n\nDetect potentially malicious PHP files.\n```\n\n## What does it detect?\n\nPHP-malware-finder does its very best to detect obfuscated/dodgy code as well as\nfiles using PHP functions often used in malware/webshells.\n\nThe following encoders/obfuscators/webshells are also detected:\n\n* [Bantam](https://github.com/gellin/bantam)\n* [Best PHP Obfuscator]( http://www.pipsomania.com/best_php_obfuscator.do )\n* [Carbylamine]( https://code.google.com/p/carbylamine/ )\n* [Cipher Design]( 
http://cipherdesign.co.uk/service/php-obfuscator )\n* [Cyklodev]( http://sysadmin.cyklodev.com/online-php-obfuscator/ )\n* [Joes Web Tools Obfuscator]( http://www.joeswebtools.com/security/php-obfuscator/ )\n* [P.A.S]( http://profexer.name/pas/download.php )\n* [PHP Jiami]( http://www.phpjiami.com/ )\n* [Php Obfuscator Encode]( http://w3webtools.com/encode-php-online/ )\n* [SpinObf]( http://mohssen.org/SpinObf.php )\n* [Weevely3]( https://github.com/epinna/weevely3 )\n* [atomiku]( http://atomiku.com/online-php-code-obfuscator/ )\n* [cobra obfuscator]( http://obfuscator.uk/example/ )\n* [nano]( https://github.com/UltimateHackers/nano )\n* [novahot]( https://github.com/chrisallenlane/novahot )\n* [phpencode]( http://phpencode.org )\n* [tennc]( http://tennc.github.io/webshell/ )\n* [web-malware-collection]( https://github.com/nikicat/web-malware-collection )\n* [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ )\n* [Kraken-ng]( https://github.com/kraken-ng/ )\n\n\nOf course it's **trivial** to bypass PMF,\nbut its goal is to catch kiddies and idiots,\nnot people with a working brain.\nIf you report a stupid tailored bypass for PMF, you likely belong to one (or\nboth) category, and should re-read the previous statement.\n\n## How does it work?\n\nDetection is performed by crawling the filesystem and testing files against a\n[set](https://github.com/jvoisin/php-malware-finder/blob/master/php-malware-finder/php.yar)\nof [YARA](http://virustotal.github.io/yara/) rules. 
Yes, it's that simple!\n\nInstead of using a *hash-based* approach,\nPMF tries as much as possible to use semantic patterns, to detect things like\n\"a `$_GET` variable is decoded two times, unzipped,\nand then passed to some dangerous function like `system`\".\n\n## Installation\n\n### From source\n\n- Install Go \u003e= 1.17 (using your package manager, or [manually](https://go.dev/doc/install))\n- Install libyara \u003e= 4.2 (using your package manager, or [from source](https://yara.readthedocs.io/en/stable/gettingstarted.html))\n- Download php-malware-finder: `git clone https://github.com/jvoisin/php-malware-finder.git`\n- Build php-malware-finder: `cd php-malware-finder \u0026\u0026 make`\n\nor replace the last 2 steps with `go install github.com/jvoisin/php-malware-finder`,\nwhich will directly compile and install PMF in your `${GOROOT}/bin` folder.\n\n## How to use it?\n\n```\n$ ./php-malware-finder -h\nUsage:\n  php-malware-finder [OPTIONS] [Target]\n\nApplication Options:\n  -r, --rules-dir=      Alternative rules location (default: embedded rules)\n  -a, --show-all        Display all matched rules\n  -f, --fast            Enable YARA's fast mode\n  -R, --rate-limit=     Max. 
filesystem ops per second, 0 for no limit (default: 0)\n  -v, --verbose         Verbose mode\n  -w, --workers=        Number of workers to spawn for scanning (default: 32)\n  -L, --long-lines      Check long lines\n  -c, --exclude-common  Do not scan files with common extensions\n  -i, --exclude-imgs    Do not scan image files\n  -x, --exclude-ext=    Additional file extensions to exclude\n  -u, --update          Update rules\n  -V, --version         Show version number and exit\n\nHelp Options:\n  -h, --help            Show this help message\n```\n\nOr if you prefer to use `yara`:\n\n```\n$ yara -r ./data/php.yar /var/www\n```\n\nPlease keep in mind that you should use at least YARA 3.4 because we're using\n[hashes]( https://yara.readthedocs.org/en/latest/modules/hash.html ) for the\nwhitelist system, and greedy regexps. Please note that if you plan to build\nyara from sources, libssl-dev must be installed on your system in order to\nhave support for hashes.\n\nOh, and by the way, you can run the *comprehensive* testsuite with `make tests`.\n\n### Docker\n\nIf you want to avoid having to install Go and libyara, you can also use our\ndocker image and simply mount the folder you want to scan to the container's\n`/data` directory:\n\n```\n$ docker run --rm -v /folder/to/scan:/data ghcr.io/jvoisin/php-malware-finder\n```\n\n## Whitelisting\n\nCheck the [whitelist.yar](https://github.com/jvoisin/php-malware-finder/blob/master/php-malware-finder/whitelist.yar) file.\nIf you're lazy, you can generate whitelists for entire folders with the\n[generate_whitelist.py](https://github.com/jvoisin/php-malware-finder/blob/master/php-malware-finder/utils/generate_whitelist.py) script.\n\n## Why should I use it instead of something else?\n\nBecause:\n- It doesn't use [a single rule per sample](\n  https://github.com/Neo23x0/signature-base/blob/e264d66a8ea3be93db8482ab3d639a2ed3e9c949/yara/thor-webshells.yar\n  ), since it only cares about finding malicious patterns, not specific 
webshells\n- It has a [complete testsuite](https://github.com/jvoisin/php-malware-finder/actions), to avoid regressions\n- Its whitelist system doesn't rely on filenames\n- It doesn't rely on (slow) [entropy computation]( https://en.wikipedia.org/wiki/Entropy_(information_theory) )\n- It uses a ghetto-style static analysis, instead of relying on file hashes\n- Thanks to the aforementioned pseudo-static analysis, it works (especially) well on obfuscated files\n\n## Licensing\n\nPHP-malware-finder is\n[licensed](https://github.com/jvoisin/php-malware-finder/blob/master/php-malware-finder/LICENSE)\nunder the GNU Lesser General Public License v3.\n\nThe _amazing_ YARA project is licensed under the Apache v2.0 license.\n\nPatches, whitelists or samples are of course more than welcome.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjvoisin%2Fphp-malware-finder","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjvoisin%2Fphp-malware-finder","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjvoisin%2Fphp-malware-finder/lists"}