PHP Malicious Code Scanner
OS Commerce, WordPress, Joomla, Drupal, and custom built sites have all been hacked by the “wonderful” <?php @eval(base64_decode($_GET[q])); ?> hack. By slyly uploading a single PHP file to your server, these hackers gain the ability to push any code, view any source, and retrieve any data. And unfortunately, as hard as we try to prevent such hacks, as long as you use open source code, or for that matter any code, it’s more a question of when, rather than if.
Thankfully, we as programmers have the ability to fight back, matching the hackers’ ingenuity with innovative techniques of our own. One such way to do this is to use a PHP file in conjunction with a Cron Job to locate this malicious backdoor code. Enter PHP Malicious Code Scanner.
The PHP Malicious Code Scanner was designed specifically for the eval(base64_decode(‘…’)) hack, and quickly scans all files and subdirectories in its parent folder. If it doesn’t locate any malicious code, no worries. But if it does, it quickly sends an email detailing the specific file locations where the malicious, or just downright dangerous code is located.
Special thanks to Er. Rochak Chauhan (http://www.rochakchauhan.com/), as this was based on his idea.
Installing PHP Malicious Code Scanner
PHP Malicious Code Scanner can be installed on any server running PHP 5.
To install PHP Malicious Code Scanner:
- Download the source and place it in the folder you would like to scan (remember it will scan all subdirectories and files)
- Make sure you change youremail@example.com to your email
- Recommended: Setup a Cron Job to run the script automatically – Help
Bugs
- No known bugs at this time
Download:
Can I run it on the live site or do I need to download the site first and then run the script on the local copy?
Do I HAVE to run it as a Cron job? Can we just run it?
What is the purpose of running it as a Cron job? Is it to run it daily or something?
Hey Randy,
The file can be uploaded to the live site and then either accessed directly or via a cron job (just for convenience). The reason for the cron job is that you can set it up to scan say weekly and then really forget about it. If something is detected it sends you an email, bringing it immediately to your attention.
This is especially helpful if you have multiple sites and may not be able to test them all, or may not want to have to manually test them all on a regular basis.
Keep in mind that I always recommend a backup before uploading new scripts as this one will read your files… but should not impact them in any way.
Thanks!
Thanks Mike !
I am glad that you like my code and it was of some use to someone
Appreciate it !!
Let me know if you face any issue or have some suggestion.
Regards,
Rochak Chauhan
Founder and Director,
Jumbo Labs Solutions (P) Limited
Hi,
Thanks for the wonderful script. I got an error when I browsed it through the browser:
Warning: in_array() [function.in-array]: Wrong datatype for second argument in /phpscan.php on line 37
I have updated the script on GitHub. Can you check that out and see if it works for you?
Hi Mike,
I love the idea of the script. However, when I run it, I get a php warning.
Warning: in_array() [function.in-array]: Wrong datatype for second argument in /home/eaglemar/public_html/cleanup4chris.php on line 37
Any ideas?
Thanks – I will take a look at this and get it fixed.
Joseph – I have updated the script on GitHub. Can you check that out and see if it works for you?
When I run it directly I get an error that says segmentation fault, what does that mean?
What OS are you using? In Ubuntu there is a bug that can cause this error. I would try making sure you have the latest version of PHP installed with all the patches.
Kind of a newbie here. How do I get it to scan, once I’ve put it in the folder?
You can either go to the file directly (ie: site.com/folder/file.php) or you can setup a cronjob to do it automatically
Well its dumb to assign untrusted users with input filters that allow them to input php code that can be run on the server. That is why people that use drupal should make sure they don’t use php filter unless they absolutely need it. Other than that if your solution requires sharing of source code there are plenty of options such as Google Code, GIT, SVN, etc. to make sure what the users are uploading cannot be executed on ur production server.
Many applications contain vulnerabilities that allow for users to upload files via back-doors in the code. This is most commonly done by spam-bots on applications such as WordPress and OSCommerce. The purpose of this application is not to prevent these leaks, but rather to help identify when a leak has been exploited. This script is designed to send a red flag notifying the developer that a malicious file has indeed been uploaded through a scripting backdoor and that it should be promptly dealt with, and the script should be reviewed to close any security gaps.
hello, with the file from GitHub I have this errors:
Warning: scandir(__DIR__) [function.scandir]: failed to open dir: No such file or directory in /home/…/public_html/malscan.php on line 35
Warning: scandir() [function.scandir]: (errno 2): No such file or directory in /home/…/public_html/malscan.php on line 35
Fatal error: Uncaught exception ‘Exception’ with message ‘Unable to scan directory __DIR__. Please make sure proper permissions have been set.’ in /home/…/public_html/malscan.php:38 Stack trace: #0 /home/…/public_html/malscan.php(28): phpMalCodeScan->scan(‘__DIR__’) #1 /home/…./public_html/malscan.php(76): phpMalCodeScan->__construct() #2 {main} thrown in /home/…./public_html/malscan.php on line 38
Hey Nico,
I’ve updated the script on GitHub to fix that issue and also fix some issues in PHP 5.4
Thanks,
Mike
Hi Mike,
I uploaded the PHP file to my server, but when I entered the URL to run it, all I got was a blank screen. Nothing appeared. Not even when I tried to view the page source.
Thanks,
Reid
Because the script is intended to be run as a cron I didn’t have it echo out any output. You can add
to the end of the script to ensure that it is running and has completed. Otherwise, be sure to check your PHP Error Logs to make sure there’s not an exception being thrown (as if you have errors turned off this can create the blank white page as well). Otherwise, if something is found it will be emailed to you, not outputted on the screen.
I run the script and after some waiting it comes back with Request Timeout. Is this working or just needs more time? I also extended the time-out to maximum with same result.
You can use the set_time_limit() function to fix this if you have a ton of files. To do this simply add:
right after the opening
tag. To learn more about set_time_limit() visit http://php.net/manual/en/function.set-time-limit.php
I have also uploaded this file but only a white page displays. Please guide me.
The script doesn’t have any output, so it’s possible everything’s great, or it’s possible that there’s an exception being thrown if you have errors turned off. To get output, after
add
You can also check your PHP Error Log to see if there are any exceptions being thrown. Otherwise, basically the script will run, and if nothing is found it doesn’t do anything, but if it does find something it will send you a list via email.
how long does the script take to run on a typical sized joomla site? when i access the script directly all i get is a blank white page
Not really sure, not a big Joomla user.
What is the mechanism?
I don’t understand why your code has to be installed on a live site
and run as a cron job.
How can I trust you?
Hello,
I understand your concern. The reason it has to be installed on the live site and run as a cron is because hackers will be attacking your live site (assuming your dev/ test site is behind a firewall or on a private intranet).
So on the live site because that’s where they will most likely attack, and set as a cron so that the script is executed on a regular basis instead of requiring you to remember to manually utilize it to check for any breaches/ hacks (you can do it this way, just a cron will do this automatically and be a lot more convenient).
What the script does itself is very simple, it first accesses the file directory to get a list of folders and files. It views directories and files recursively to ensure that it is checking all of your files. It does this using a “read only” process, so it will NOT edit your files in any way. Once the file is opened it runs a simple regular expression check to see if it contains either an “eval()” or a “eval(base64…())” function. If it does it adds it to a list of files that MAY have been modified, and sends you an email with that list.
As far as how do you know you can trust me, well you really don’t. The source code is available on GitHub (see the link above) and you can see EXACTLY what the script does for yourself. If you’re not sure, get someone you TRUST who knows PHP and have them review the file prior to installation. Of course, there’s no promises or guarantees, but the purpose of the script is to help IDENTIFY sites that have been hacked so that malicious code can be removed BEFORE the site becomes an agent of the hacker.
Best of luck!
- Mike
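To make the mechanism described in the article and in Mike’s reply above concrete, here is an added example of a minimal scanner of the same shape: walk every file under a root directory read-only, run a regular expression for the eval-of-base64_decode signature (plus any bare eval call as a weaker signal), and turn the hits into a report that can be mailed. This is not the project’s phpscan.php from GitHub; the class name EvalBackdoorScanner, the extension list, the empty `$recipient` setting and the two sample files written to a temporary directory are assumptions constructed for the demo so it runs offline.

```php
<?php
// Added example scanner (not the project's own script). Runs from the CLI or cron.
// Large trees can exceed PHP's default execution limit, so lift it as the comments above suggest.
set_time_limit(0);

final class EvalBackdoorScanner
{
    // Only files that PHP could execute are opened; everything else is skipped for speed.
    private const EXTENSIONS = ['php', 'phtml', 'php5', 'inc'];

    // Label => regex. The first pattern is the backdoor family the article describes
    // (an eval call wrapping base64_decode, optionally with an error-suppressing '@').
    // The second flags any bare eval call, which is rare in legitimate application
    // code and deserves a manual look. Written so that this file does not match itself.
    private const PATTERNS = [
        'eval+base64_decode' => '/eval\s*\(\s*(?:@\s*)?base64_decode\s*\(/i',
        'bare eval'          => '/\beval\s*\(/i',
    ];

    /** Returns path => list of matched labels, sorted by path. */
    public function scan(string $root): array
    {
        $findings = [];
        $iterator = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
            RecursiveIteratorIterator::LEAVES_ONLY
        );
        foreach ($iterator as $file) {
            /** @var SplFileInfo $file */
            if (!$file->isFile() || !in_array(strtolower($file->getExtension()), self::EXTENSIONS, true)) {
                continue;
            }
            $path = $file->getPathname();
            // Read-only: the scanner never modifies the files it inspects.
            $contents = @file_get_contents($path);
            if ($contents === false) {
                $findings[$path] = ['unreadable (check permissions)'];
                continue;
            }
            $hits = [];
            foreach (self::PATTERNS as $label => $regex) {
                if (preg_match($regex, $contents) === 1) {
                    $hits[] = $label;
                }
            }
            if ($hits !== []) {
                $findings[$path] = $hits;
            }
        }
        ksort($findings);
        return $findings;
    }

    /** Plain-text report suitable as an e-mail body. */
    public function report(array $findings): string
    {
        if ($findings === []) {
            return "No suspicious files found.\n";
        }
        $lines = ['Files that MAY contain a backdoor (review each one by hand):'];
        foreach ($findings as $path => $hits) {
            $lines[] = sprintf('  %s  [%s]', $path, implode(', ', $hits));
        }
        return implode("\n", $lines) . "\n";
    }
}

// --- Self-contained demo with constructed sample files (not real site content) ---
$root = sys_get_temp_dir() . '/malscan-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/images', 0700, true);
file_put_contents($root . '/index.php', "<?php echo 'hello'; ?>\n");
// Inert sample carrying only the signature inside a comment; the string is split so
// this demo script itself does not contain the literal it is looking for.
$signature = 'ev' . 'al(base64_' . "decode('')) ";
file_put_contents($root . '/images/cache.php', "<?php /* signature only: {$signature} */ ?>\n");

$scanner  = new EvalBackdoorScanner();
$findings = $scanner->scan($root);
$body     = $scanner->report($findings);
echo $body;   // expected: index.php clean, images/cache.php listed with both labels

// Set to your address to be notified the way the original scanner does. Left empty
// here so the demo runs without a mail transport.
$recipient = '';
if ($recipient !== '' && $findings !== []) {
    mail($recipient, 'Malicious code scan: ' . count($findings) . ' suspicious file(s)', $body);
}

// Clean up the constructed sample tree.
unlink($root . '/images/cache.php');
unlink($root . '/index.php');
rmdir($root . '/images');
rmdir($root);
```

Run it with `php scanner.php` to see the report on the constructed sample, or point `scan()` at a site root and schedule it weekly the way the article recommends, for instance with a crontab entry such as `0 3 * * 0 php /var/www/example.com/scanner.php` (path assumed). As Mike notes, a hit means the file MAY have been modified: some legitimate code does call eval, so treat the list as leads to review and compare against a known-good copy or version control rather than as proof of compromise.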