{"id":13519187,"url":"https://github.com/scr34m/php-malware-scanner","last_synced_at":"2026-01-13T22:50:45.820Z","repository":{"id":40257388,"uuid":"58106874","full_name":"scr34m/php-malware-scanner","owner":"scr34m","description":"Scans PHP files for malwares and known threats","archived":false,"fork":false,"pushed_at":"2025-06-09T18:28:45.000Z","size":20638,"stargazers_count":591,"open_issues_count":1,"forks_count":101,"subscribers_count":40,"default_branch":"master","last_synced_at":"2025-10-20T06:06:29.770Z","etag":null,"topics":["command-line-tool","malware","php","scanner"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/scr34m.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-05-05T05:34:58.000Z","updated_at":"2025-10-13T04:10:15.000Z","dependencies_parsed_at":"2024-11-02T01:31:09.797Z","dependency_job_id":"6e37147b-f710-4e5b-a1d1-24f30ee7fba2","html_url":"https://github.com/scr34m/php-malware-scanner","commit_stats":{"total_commits":184,"total_committers":12,"mean_commits":"15.333333333333334","dds":0.5380434782608696,"last_synced_commit":"aec0f56af537febca012871adcc86e347080f881"},"previous_names":[],"tags_count":28,"template":false,"template_full_name":null,"purl":"pkg:github/scr34m/php-malware-scanner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scr34m%2Fphp-malware-scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scr34m%2Fphp-malware-scanner/tags","releases_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/repositories/scr34m%2Fphp-malware-scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scr34m%2Fphp-malware-scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/scr34m","download_url":"https://codeload.github.com/scr34m/php-malware-scanner/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scr34m%2Fphp-malware-scanner/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28402159,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-13T14:36:09.778Z","status":"ssl_error","status_checked_at":"2026-01-13T14:35:19.697Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["command-line-tool","malware","php","scanner"],"created_at":"2024-08-01T05:01:55.270Z","updated_at":"2026-01-13T22:50:45.783Z","avatar_url":"https://github.com/scr34m.png","language":"PHP","funding_links":[],"categories":["PHP"],"sub_categories":[],"readme":"PHP malware scanner\n===================\n\nTraverses directories for files with PHP extensions and tests them against text or regexp rules. The rules are based on self-gathered samples and publicly available malware/webshells.\nThe goal is to find infected files and fight against kiddies, because it is too easy to bypass the rules.\n\nHow to install?\n---\n\nSimply clone the repository or 
with composer install globally `composer global require scr34m/php-malware-scanner`.\n\nHow to use?\n-----------\n\n```\nUsage: php scan.php -d \u003cdirectory\u003e\n    -h                   --help               Show this help message\n    -d \u003cdirectory\u003e       --directory          Directory for searching\n    -e \u003cfile extension\u003e  --extension          File Extension to Scan\n    -E                   --scan-everything    Scan all files, with or without extensions\n    -i \u003cdirectory|file\u003e  --ignore             Directory of file to ignore\n    -a                   --all-output         Enables --checksum,--comment,--pattern,--time\n    -b                   --base64             Scan for base64 encoded PHP keywords\n    -m                   --checksum           Display MD5 Hash/Checksum of file\n    -c                   --comment            Display comments for matched patterns\n    -x                   --extra-check        Adds GoogleBot and htaccess to Scan List\n    -l                   --follow-symlink     Follow symlinked directories\n    -k                   --hide-ok            Hide results with 'OK' status\n    -r                   --hide-err           Hide results with 'ER' status\n    -w                   --hide-whitelist     Hide results with 'WL' status\n    -n                   --no-color           Disable color mode\n    -s                   --no-stop            Continue scanning file after first hit\n    -p                   --pattern            Show Patterns next to the file name\n    -t                   --time               Show time of last file change\n    -L                   --line-number        Display matching pattern line number in file\n    -o                   --output-format      Custom defined output format\n    -j \u003cversion\u003e         --wordpress-version  Version of wordpress to get md5 signatures\n                         --combined-whitelist Combined whitelist\n                         
--custom-whitelist   Loads whitelist from specified file and merge with existing\n                         --disable-stats      Disable statistics output\n```\n\nThe ignore argument can be used multiple times and accepts glob-style matching, e.g. \"`cache*`\", \"`??-cache.php`\" or \"`/cache`\" etc.\n\nThe extension argument defaults to \"`.php`\" and can also be used multiple times.\n\n* `--base64` is an alternative scan mode which ignores the main pattern files and uses a large list of PHP keywords and functions that have been converted to base64.  Slower and prone to false positives, but gives additional base64 scanning coverage.  These pattern files are located in base64_patterns and were derived from PHP 7 keywords and functions.  Not many PHP extensions are included.\n* `--comment` flag will display the last comment to appear in the pattern file before the matched pattern, so documenting the pattern files is important.\n\nOutput formatting\n-----------------\n\nThe default output depends on the specified parameters; the full format is \"%S %T %M # {%F} %C %P # %L\", and ANSI coloring is used too.\n\nPossible variables are:\n\n* `%S` - matching indicator, possible values are OK, ER, WL\n* `%T` - file change time\n* `%M` - file md5 hash value\n* `%F` - file with path\n* `%P` - pattern\n* `%C` - pattern comment\n* `%L` - matching pattern line number\n\nPatterns\n--------\n\nThere are three main pattern files that cover different types of pattern matching.  There is one pattern per line.  Every line whose very first character is a \"`#`\" is considered a comment and not used as a pattern.  Whitespace in the pattern files is not used.\n\n* `patterns_raw.txt` - Raw string matching\n* `patterns-iraw.txt` - Case insensitive raw string matching\n* `patterns-re.txt` - Regular expression matching.\n\nWhitelisting\n------------\n\nSee the [whitelist.txt](https://github.com/scr34m/php-malware-scanner/blob/master/whitelist.txt) file for a predefined MD5 hash list. 
Only the first 32 characters are used; the rest of the line is ignored, so feel free to leave a comment.\n\nWordPress MD5 sum whitelisting\n-------------\nYou can automatically add MD5 sums of WordPress core files by specifying the version as an argument to `--wordpress-version` or `-j`. \nExample:\n```\nscan -d . -j 4.9.2\n```\nThat will automatically get the MD5 sums from the WordPress API (https://api.wordpress.org/core/checksums/1.0/?version=x.x.x) and add them to the whitelist. To check your version, simply check the wp-includes/version.php file of your WordPress installation.\n\nCombined whitelist\n---\n\nThis list is a pre-generated database for open source projects; more information is available at https://scr34m.github.io/php-malware-scanner/.\nThe scanner checks the database hash for validity and only downloads it if it is different, and of course only when the argument is used.\n\nTools\n-----\n\n**text2base64.py**\n\nTakes a plaintext string as input and returns 3 base64 string equivalents.\nIt is a Python script that needs to be executed from the terminal.\n\nIt is worth noting that the presence of one of the three output strings in a block of text does not 100% guarantee that the string was\npresent in the original code.  It is guaranteed that IF the subject string was present in the original code, then one of the three\noutput strings will be present in the base64 version.\n\n```\n$ python tools/text2base64.py 'base64_decode'  \nYmFzZTY0X2RlY29kZ  \nJhc2U2NF9kZWNvZG  \niYXNlNjRfZGVjb2Rl\n```  \n  \nAn example: The presence of 'YmFzZTY0X2RlY29kZ' does not guarantee that 'base64_decode' is in the plain text code.   \nIt is guaranteed that IF 'base64_decode' was present in the plain text code, then one of these three base64 strings WILL be present.\nThe presence of 'YmFzZTY0X2RlY29kZ' in a block of code may be because 'ase64_decod' was in the original code.  
\nNote the missing edge characters, which is due to bit misalignment and character bleed.\n\nUsing as library\n----------------\n\nscan.php checks whether it was called from the command line, so to use it as a library, use a different directory than that of scan.php itself.\n \n```php\n\u003c?php\n\nrequire_once '../scan.php';\n\n$scan = new MalwareScanner();\n$scan-\u003esetFlagHideWhitelist(true);\n$scan-\u003esetFlagHideOk(true);\n$scan-\u003erun('../samples/test');\n```\n\nResources\n---------\n\n* [PHPScanner](https://github.com/PHPScannr/phpFUS)\n* [PMF - PHP Malware Finder](https://github.com/nbs-system/php-malware-finder)\n* [check regexp online](http://www.phpliveregex.com)\n* [malware samples 1](https://github.com/nbs-system/php-malware-finder/tree/master/php-malware-finder/samples)\n* [malware samples 2](https://github.com/r4v/php-exploits)\n* [malware samples 3](https://github.com/nikicat/web-malware-collection)\n* [malware samples 4](https://github.com/antimalware/manul/tree/master/src/scanner/static/signatures)\n\nLicensing\n---------\n\nPHP malware scanner is [licensed](https://github.com/scr34m/php-malware-scanner/blob/master/LICENSE.txt) under the GNU General Public License v3.\n\nDocker Usage\n-----------\n\nYou can also run the scanner using Docker:\n\n1. Build the image:\n```bash\ndocker build -t php-malware-scanner .\n```\n\n2. 
Scan a directory:\n```bash\ndocker run -v /path/to/scan:/code php-malware-scanner -d /code\n```\n\nFor example, to scan a WordPress installation:\n```bash\ndocker run -v /var/www/html:/code php-malware-scanner -d /code -j 6.4.1\n```\n\nCommon usage with flags:\n```bash\n# Show only infected files (hide OK status)\ndocker run -v /path/to/scan:/code php-malware-scanner -d /code -k\n\n# Show comments for matched patterns\ndocker run -v /path/to/scan:/code php-malware-scanner -d /code -c\n\n# Show MD5 hashes and continue after first match\ndocker run -v /path/to/scan:/code php-malware-scanner -d /code -m -s\n```\n\nThe `/code` directory inside the container is where your files will be mounted for scanning.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscr34m%2Fphp-malware-scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fscr34m%2Fphp-malware-scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscr34m%2Fphp-malware-scanner/lists"}