
PHP Malicious Code Scanner

osCommerce, WordPress, Joomla, Drupal, and custom-built sites have all been hit by the "wonderful" <?php @eval(base64_decode($_GET[q])); ?> hack. By slipping a single PHP file onto your server, an attacker gains the ability to run any code, view any source, and retrieve any data the web server's account can reach. And unfortunately, as hard as we try to prevent such hacks, as long as you run open-source code, or for that matter any code, it is more a question of when than if.

Thankfully, we as programmers can fight back, matching the attackers' ingenuity with techniques of our own. One approach is a PHP file, run from a cron job, that hunts for this backdoor code. Enter PHP Malicious Code Scanner.

The PHP Malicious Code Scanner was designed specifically for the eval(base64_decode('...')) hack. It recursively scans every file and subdirectory below the folder it is placed in, reading files but never modifying them. If it finds nothing, it stays silent. If it does find a match, it emails you the exact paths of the files containing the malicious, or just downright dangerous, code so you can review them.

Special thanks to Er. Rochak Chauhan (http://www.rochakchauhan.com/), as this was based on his idea.

Installing PHP Malicious Code Scanner

PHP Malicious Code Scanner can be installed on any server running PHP 5.

To install PHP Malicious Code Scanner:

  1. Download the source and place it in the folder you would like to scan (remember it will scan all subdirectories and files)
  2. Make sure you change [email protected] to your email
  3. Recommended: set up a cron job to run the script automatically – Help


  • No known bugs at this time


84 Responses to “PHP Malicious Code Scanner”

  • Randy says:

    Can I run it on the live site or do I need to download the site first and then run the script on the local copy?

    Do I HAVE to run it as a Cron job? Can we just run it?

    What is the purpose of running it as a Cron job? Is it to run it daily or something?

    • mike says:

      Hey Randy,
      The file can be uploaded to the live site and then either accessed directly or via a cron job (just for convenience). The reason for the cron job is that you can set it up to scan say weekly and then really forget about it. If something is detected it sends you an email, bringing it immediately to your attention.

      This is especially helpful if you have multiple sites and may not be able to test them all, or may not want to have to manually test them all on a regular basis.

      Keep in mind that I always recommend a backup before uploading new scripts as this one will read your files… but should not impact them in any way.


  • Thanks, Mike!

    I am glad that you like my code and that it was of some use to someone :)

    Appreciate it!!

    Let me know if you face any issue or have any suggestions.

    Rochak Chauhan

    Founder and Director,
    Jumbo Labs Solutions (P) Limited

  • Riyaz says:


    Thanks for the wonderful script. I got an error when I opened it in the browser:

    Warning: in_array() [function.in-array]: Wrong datatype for second argument in /phpscan.php on line 37

  • Joseph says:

    Hi Mike,
    I love the idea of the script. However, when I run it, I get a php warning.
    Warning: in_array() [function.in-array]: Wrong datatype for second argument in /home/eaglemar/public_html/cleanup4chris.php on line 37

    Any ideas?

  • Roderick says:

    When I run it directly I get an error that says segmentation fault, what does that mean?

    • mike says:

      What OS are you using? In Ubuntu there is a bug that can cause this error. I would try making sure you have the latest version of PHP installed with all the patches.

  • Montster says:

    Kind of a newbie here. How do I get it to scan, once I’ve put it in the folder?

    • mike says:

      You can either go to the file directly (i.e. site.com/folder/file.php) or you can set up a cron job to do it automatically.

  • Asad says:

    Well, it's dumb to give untrusted users input filters that allow them to enter PHP code that will run on the server. That is why people who use Drupal should make sure they don't use the PHP filter unless they absolutely need it. Other than that, if your solution requires sharing source code there are plenty of options such as Google Code, Git, SVN, etc. to make sure what the users are uploading cannot be executed on your production server.

    • mike says:

      Many applications contain vulnerabilities that allow for users to upload files via back-doors in the code. This is most commonly done by spam-bots on applications such as WordPress and OSCommerce. The purpose of this application is not to prevent these leaks, but rather to help identify when a leak has been exploited. This script is designed to send a red flag notifying the developer that a malicious file has indeed been uploaded through a scripting backdoor and that it should be promptly dealt with, and the script should be reviewed to close any security gaps.

  • Nico says:

    Hello, with the file from GitHub I get these errors:

    Warning: scandir(__DIR__) [function.scandir]: failed to open dir: No such file or directory in /home/…/public_html/malscan.php on line 35

    Warning: scandir() [function.scandir]: (errno 2): No such file or directory in /home/…/public_html/malscan.php on line 35

    Fatal error: Uncaught exception ‘Exception’ with message ‘Unable to scan directory __DIR__. Please make sure proper permissions have been set.’ in /home/…/public_html/malscan.php:38 Stack trace: #0 /home/…/public_html/malscan.php(28): phpMalCodeScan->scan(‘__DIR__’) #1 /home/…./public_html/malscan.php(76): phpMalCodeScan->__construct() #2 {main} thrown in /home/…./public_html/malscan.php on line 38

  • Reid says:

    Hi Mike,
    I uploaded the PHP file to my server, but when I entered the URL to run it, all I got was a blank screen. Nothing appeared, not even when I tried to view the page source.

    • mike says:

      Because the script is intended to be run as a cron I didn't have it echo out any output. You can add

      echo 'done';

      to the end of the script to ensure that it is running and has completed. Otherwise, be sure to check your PHP error logs to make sure there's not an exception being thrown (if you have errors turned off this can create the blank white page as well). And if something is found it will be emailed to you, not output on the screen.

  • Simon says:

    I run the script and after some waiting it comes back with Request Timeout. Is this working or just needs more time? I also extended the time-out to maximum with same result.

  • Arslan Qamar says:

    I have also uploaded this file but only a white page displays. Please guide me.

    • mike says:

      The script doesn't have any output, so it's possible everything's great, or it's possible that there's an exception being thrown if you have errors turned off. To get output, after

      new phpMalCodeScan;

      add

      echo 'Scan Complete';

      You can also check your PHP error log to see if there are any exceptions being thrown. Otherwise, basically the script will run, and if nothing is found it doesn't do anything, but if it does find something it will send you a list via email.

    • Paulo says:

      Even using

      echo 'Scan Complete';

      I still have a blank page. After waiting several minutes all I have is a blank page, no echo, no emails.

      What to do?

      • mike says:

        If the page is finished loading it has either successfully run, or a fatal error was thrown. You can test this by appending the text “Done” at the end of the script to give you a visual display, otherwise it is set to just return a blank page upon completion and only send an email IF malicious code snippets are found. So if your error log is clean, you should be all set!

        – Mike

  • julian kemp says:

    How long does the script take to run on a typical-sized Joomla site? When I access the script directly all I get is a blank white page.

  • shouton says:

    What is the mechanism?

    I don't understand why your code has to be installed on a live site
    and run as a cron job.

    How can I trust you?

    • mike says:

      I understand your concern. The reason it has to be installed on the live site and run as a cron is because hackers will be attacking your live site (assuming your dev/ test site is behind a firewall or on a private intranet).

      So on the live site because that’s where they will most likely attack, and set as a cron so that the script is executed on a regular basis instead of requiring you to remember to manually utilize it to check for any breaches/ hacks (you can do it this way, just a cron will do this automatically and be a lot more convenient).

      What the script does itself is very simple, it first accesses the file directory to get a list of folders and files. It views directories and files recursively to ensure that it is checking all of your files. It does this using a “read only” process, so it will NOT edit your files in any way. Once the file is opened it runs a simple regular expression check to see if it contains either an “eval()” or a “eval(base64…())” function. If it does it adds it to a list of files that MAY have been modified, and sends you an email with that list.

      As far as how do you know you can trust me, well you really don’t. The source code is available on GitHub (see the link above) and you can see EXACTLY what the script does for yourself. If you’re not sure, get someone you TRUST who knows PHP and have them review the file prior to installation. Of course, there’s no promises or guarantees, but the purpose of the script is to help IDENTIFY sites that have been hacked so that malicious code can be removed BEFORE the site becomes an agent of the hacker.

      Best of luck!

      – Mike

  • HM Soeharto says:

    Hi Mike,

    Can I use your code on localhost (XAMPP), and how do I use it?

    • mike says:

      Yes you can :) Just add it to your base directory, update the email address, and then browse to the script on your localhost to run it. You could also set up a cron job or a scheduled Windows batch file to have the process automated; however, if you're doing it on your localhost chances are you will just want to run the script prior to deploying (unless your localhost is publicly available).

  • John Haywood says:

    I'm using a modified version of this class to supplement some other file scanning I'm doing (nice work by the way!).
    For anyone that is interested, I'm using it on a bespoke CMS that contains around 4000+ files and the time it takes to scan them is less than 2 seconds.
    I did find I could speed things up a little by removing some non-directory entries up front, because scandir() will list '.' and '..' as directories, so in the scan function I added an extra line in the foreach loop:

    foreach ($files as $file) {
        if ($file != '.' && $file != '..') {
            // existing is_file() / is_dir() handling goes here
        }
    }
  • Eduardo says:

    Hi… somehow I cannot get PHP to mail me anything. How can I modify the script so that instead of mailing anyone it puts the results on screen?


    • mike says:

      Hey Eduardo,
      The easiest way would be to replace line 66:

      mail(SEND_EMAIL_ALERTS_TO,'Malicious Code Found!',$message,'FROM:');

      with

      echo $message;

      That will output it on the screen instead of mailing it :)

  • Tim Liton says:

    Sir, I am getting these errors:

    Warning: file_get_contents(/home/hostingclerks2/public_html/allinclusive.io/.ftpquota): failed to open stream: Permission denied in /home/hostingclerks2/public_html/clean-malware.php on line 43

    Warning: file_get_contents(/home/hostingclerks2/public_html/budget-domains.net/.ftpquota): failed to open stream: Permission denied in /home/hostingclerks2/public_html/clean-malware.php on line 43

    Warning: file_get_contents(/home/hostingclerks2/public_html/h2o3.org/.ftpquota): failed to open stream: Permission denied in /home/hostingclerks2/public_html/clean-malware.php on line 43

    Warning: file_get_contents(/home/hostingclerks2/public_html/selectall.net/.ftpquota): failed to open stream: Permission denied in /home/hostingclerks2/public_html/clean-malware.php on line 43

    Warning: file_get_contents(/home/hostingclerks2/public_html/smarty/.ftpquota): failed to open stream: Permission denied in /home/hostingclerks2/public_html/clean-malware.php on line 43

    Fatal error: Maximum execution time of 30 seconds exceeded in /home/hostingclerks2/public_html/clean-malware.php on line 42

    • mike says:

      Hey Tim,
      You’re getting two different errors, the first is a timeout error (at the very bottom) which can be corrected by updating the time limit directive in the php.ini or utilizing the set_time_limit() function – http://php.net/manual/en/function.set-time-limit.php

      The second error is caused because you do not have permission to open .ftpquota – you may want to add some code to skip this file – if you email me (see Contact page) I can help you add that code if you’d like.

      Those two fixes should take care of the errors you’re seeing now.

      Best of luck!
      – Mike

  • Hey Mike,

    Thanks for the file, hopefully it will work out for us where some nasties are lurking!

    I am a complete newbie at this but have tried to run the cron job in the following manner; it just throws me back a copy of the whole file:

    /usr/bin/php -q /home/our-username/public_html/phpMalCodeScanner.php

    Am I doing something wrong? This was what I was told to use by my hosts.

    Hope you can help, because I think we might be infected after a DDoS attack a couple of weeks back.

    Cheers, Chris

    • mike says:

      That should work… I'm not sure why it would be outputting the code of the file. If you go to the URL in your browser, does it work?

      Another option might be using a cURL request to open the file on the server instead of trying to run it in the shell.

      But unless someone else sees something that I'm missing, it should be working!

    • Hey Mike,

      Thanks for getting back to me.

      I apologise for the way I have to place this, but here is the text I get back in the email.

      Malicious-Code-Scanner/phpMalCodeScanner.php at master · mikestowe/Malicious-Code-Scanner · GitHub

      <?php
      /**
       * Plugin Name: php Malicious Code Scanner
       * Plugin URI: http://www.mikestowe.com/phpmalcode
       * Description: The php Malicious Code Scanner checks all files for one of the most common malicious code attacks, the eval( base64_decode() ) attack...
       * Version: 1.3 alpha
       * Author: Michael Stowe
       * Author URI: http://www.mikestowe.com
       * Credits: Based on the idea of Er. Rochak Chauhan (http://www.rochakchauhan.com/), rewritten for use with a cron job
       * License: GPL-2
       */

      // Set to your email:
      define('SEND_EMAIL_ALERTS_TO', '[email protected]');

      ############################################ START CLASS

      class phpMalCodeScan {

          public $infected_files = array();
          private $scanned_files = array();

          function __construct() {
              // Body restored from the stack traces quoted in this thread:
              // scan from the script's own directory, then report.
              $this->scan(__DIR__);
              $this->sendalert();
          }

          function scan($dir) {
              $this->scanned_files[] = $dir;
              $files = scandir($dir);

              if (!is_array($files)) {
                  throw new Exception('Unable to scan directory ' . $dir . '. Please make sure proper permissions have been set.');
              }

              foreach ($files as $file) {
                  if (is_file($dir.'/'.$file) && !in_array($dir.'/'.$file, $this->scanned_files)) {
                      // Restored: read the file (the file_get_contents() warnings quoted in this thread come from here)
                      $this->check(file_get_contents($dir.'/'.$file), $dir.'/'.$file);
                  } elseif (is_dir($dir.'/'.$file) && substr($file, 0, 1) != '.') {
                      // Restored: recurse into non-hidden subdirectories
                      $this->scan($dir.'/'.$file);
                  }
              }
          }

          function check($contents, $file) {
              $this->scanned_files[] = $file;
              // Second pattern: the "$" is escaped here. As published ('/eval\($_/i') the bare $
              // is an end-of-string anchor, so that expression could never match eval($_GET[...]).
              if (preg_match('/eval\(base64/i', $contents) || preg_match('/eval\(\$_/i', $contents)) {
                  $this->infected_files[] = $file;
              }
          }

          function sendalert() {
              if (count($this->infected_files) != 0) {
                  $message  = "== MALICIOUS CODE FOUND == \n\n";
                  $message .= "The following files appear to be infected: \n";
                  foreach ($this->infected_files as $inf) {
                      $message .= " - $inf \n";
                  }
                  mail(SEND_EMAIL_ALERTS_TO, 'Malicious Code Found!', $message, 'FROM:');
              }
          }
      }

      ############################################ INITIATE CLASS

      ini_set('memory_limit', '-1'); ## Avoid memory errors (i.e. in foreach loop)

      new phpMalCodeScan;



      Is it supposed to come out like this?

      Thanks, Chris

  • Ha ha ha … I feel like an idiot!

    Thanks so much Mike. Keep up the great work :)

  • Marco says:

    Hi Mike,

    I tried to run the script on my remote server, but it gave me a 500 error.

    Instead, on my local WAMP environment, it went fine (except for the timeout, which I corrected as you indicated).

    The apache error log has:

    [Fri Dec 19 17:06:50.195791 2014] [:error] [pid 351:tid 2853158299392] (104)Connection reset by peer: [client] FastCGI: failed to read from backend server

    Can you please help?

  • Joko says:

    Thank you guys! This script looks great and has helped me to remove a lot of infections.

  • Hemant says:

    Hi Mike
    i am getting the following error.
    Allowed memory size of 134217728 bytes exhausted (tried to allocate 397384057 bytes)
    how do i get around this. please help.


    • mike says:

      Looks like you’re using a TON of memory to run the script – just out of curiosity, where did you place the script on your server and how many files do you have that you’re trying to scan? In the meantime, I’ll take a look and see if I can find a way to cut down on memory usage…

  • Andy says:

    I copied the code into a new php file in Dreamweaver – when saving before uploading does the file need to be saved as a certain file name or can i add my own, sorry for my thickness!

    • mike says:

      You can save it with whatever file name you’d like, as long as the extension is mapped to a mimeType with PHP as its underlying application. To be safe, I recommend the standard “.php” extension :)

  • Edib R. says:


    I just installed your code you suggested in above post reply (https://raw.githubusercontent.com/mikestowe/Malicious-Code-Scanner/master/phpMalCodeScanner.php ).
    I put it into my public_html folder to scan all my files (is that right?), as I am pretty sure my WP theme is infected, and I also changed the email the results are sent to as you suggested.

    But how do I exactly run a scanner to see it in action?

    Thanks a lot for help

    • mike says:

      Once it's there and you've updated your email in the script, just browse to it and it will start running. You can add some text at the end of the script so that you know it's done, but otherwise if it finds something it will send you an email, and if not it won't. You can also set up a cron job to have it run on a regular cadence. If you need help with this just let me know.


  • chris says:

    I added/changed this on line 67:

    } else {
        echo 'nothing found...';
    }

    So that if it's clean, it will echo this to the page. If you don't see this it's still running.

    Awesome work though my friend. I’ve also played with what it searches for.. seems to work OK.

  • Hi,
    I've modified your script to be used more effectively via the command line and cron, and figured I would share it if you want to add it to your git repo. Not sure how well code tags work in this form, so email me if this doesn't format well :)

    #!/usr/bin/env php
    <?php
    /**
     * Original Author:
     * Plugin Name: php Malicious Code Scanner
     * Plugin URI: http://www.mikestowe.com/phpmalcode
     * Description: The php Malicious Code Scanner checks all files for one of the most common malicious code attacks, the eval( base64_decode() ) attack...
     * Version: 1.3 alpha
     * Author: Michael Stowe
     * Author URI: http://www.mikestowe.com
     * Credits: Based on the idea of Er. Rochak Chauhan (http://www.rochakchauhan.com/), rewritten for use with a cron job
     * License: GPL-2
     *
     * New Author (for command line version):
     * Modified for command line usage with options.
     * LogZilla: Network Management Software Company
     * Clayton Dukes
     * Changelog:
     * 2015-05-01 - created
     *
     * Usage (note: assumes file is executable - chmod 755; the shebang line above is assumed for that reason)
     *   [options]
     * Example:
     *   /usr/local/bin/malscan.php -v -e [email protected]
     * An example cron entry, checks each day at 2:02am:
     * This will run the script quietly and only send email when malicious code is found
     *   2 2 * * * /usr/local/bin/malscan.php
     */

    $time_start = microtime(true);

    $usage = "Scans all subdirectories for malicious base64 encode entries from hackers\n\n" .
        "Usage: " . $argv[0] . " [options]\n" .
        " -h show help (this message)\n" .
        " -v[erbose] display verbose messages while running\n" .
        " -d[ebug] display extra debug messages while running\n" .
        " -p[ath] Optional: Specify the starting path (defaults to current directory)\n" .
        " -e[email] Who to send the report to when Malicious code is found (optional, default is [email protected])\n";

    $options = getopt("hvde:p:");
    $email   = isset($options["e"]) ? $options["e"] : "[email protected]";
    $verbose = isset($options["v"]) ? true : false;
    $debug   = isset($options["d"]) ? true : false;
    if ($verbose) echo "[" . date("Y-m-d H:i:s") . "] Running " . $argv[0] . "\n";
    $path = isset($options["p"]) ? $options["p"] : "."; # default to current dir
    if (isset($options['h'])) die($usage);
    if (isset($options['d']) && $email) echo "Email will be sent to $email if any malicious code is found\n";

    // Set file extensions to ignore
    $ignoreExt = array("log", "txt", "bak", "rar", "zip", "mp3", "mp4", "mov", "flv", "wmv", "swf", "png", "gif", "jpg", "bmp", "avi");
    $ignore = implode('|', $ignoreExt);

    ############################################ START CLASS

    class phpMalCodeScan {

        public $infected_files = array();
        private $scanned_files = array();

        function __construct() {
            global $path;
            $this->scan($path);   // restored: scan from the -p path (or the current directory), then report
            $this->sendalert();
        }

        function scan($dir) {
            $this->scanned_files[] = $dir;
            $files = scandir($dir);

            if (!is_array($files)) {
                throw new Exception('Unable to scan directory ' . $dir . '. Please make sure proper permissions have been set.');
            }

            foreach ($files as $file) {
                global $ignore;
                if (!preg_match('/^.*\.(' . $ignore . ')$/i', $file)) {
                    if (is_file($dir.'/'.$file) && !in_array($dir.'/'.$file, $this->scanned_files)) {
                        $this->check(file_get_contents($dir.'/'.$file), $dir.'/'.$file);   // restored
                    } elseif (is_dir($dir.'/'.$file) && substr($file, 0, 1) != '.') {
                        $this->scan($dir.'/'.$file);                                        // restored
                    }
                }
            }
        }

        function check($contents, $file) {
            global $debug;
            if ($debug) echo "Checking $file\n";
            $this->scanned_files[] = $file;
            if (preg_match('/eval\((base64|eval|\$_|\$\$|\$[A-Za-z_0-9\{]*(\(|\{|\[))/i', $contents)) {
                $this->infected_files[] = $file;
            }
        }

        function sendalert() {
            global $email, $verbose;
            if (count($this->infected_files) != 0) {
                $message  = "== MALICIOUS CODE FOUND == \n\n";
                $message .= "The following files appear to be infected: \n";
                foreach ($this->infected_files as $inf) {
                    $message .= " - $inf \n";
                }
                mail($email, 'Malicious Code Found!', $message, 'FROM:');
            } else {
                if ($verbose) echo "No malicious files found\n";
            }
        }
    }

    # Instantiate the class to run everything
    ini_set('memory_limit', '-1'); ## Avoid memory errors (i.e. in foreach loop)
    new phpMalCodeScan;
    $time_end = microtime(true);
    // dividing by 60 would give the execution time in minutes; otherwise seconds
    $execution_time = ($time_end - $time_start);
    if ($verbose) echo "[" . date("Y-m-d H:i:s") . "] Script completed in " . round($execution_time, 2) . " seconds\n";

  • Bob says:

    First of all, CONGRATS on this great tool, simplifying such a time-consuming job as scanning all my files, modification dates etc.
    I had found a malicious file


    prior to installing your script, and I ran your script from directory


    and it didn't find it (it did run and it did find some other genuinely malicious files). The file has 644. Could the dodgy (hidden) filename affect your scan? Yes, it starts with a period (dot): .diff.php, not diff.php.

    • mike says:

      Yes, unfortunately if the script does not have access to open a file it is unable to scan it. Let me try playing with the way it reads files to see if we can open the file without needing more permissions than necessary.

  • Bob says:

    Just to clarify any confusion from my previous post: the script DOES check hidden files too. In my case the keyword we were looking for was not present, and so it didn't look malicious. I modified the script a bit to catch these files too and I can now continue.

  • Brandon says:

    Looking forward to using this. Desperately need a solution. Narrowed the vulnerability down to scripts on one of our sites…

    Sick of paying GoDaddy 150 each time this happens.

  • Rod says:

    That script doesn't work on recent malicious PHP code like:

    It needs to be updated to detect code like this…

  • Chris Daria says:

    Hi Mike,
    Tried to run your code using XAMPP to check offline files of our site but it returned the error
    “Fatal error: Maximum execution time of 30 seconds exceeded in C:\xampp\htdocs\resilien\Malicious-Code-Scanner.php on line 37”
    Pls. advise what to do.
    Thank you in advance.

  • Jadin says:

    Hi Mike,

    I'm not sure if anyone else has asked or if you have already answered this, but could I make a couple of changes, as a client would like the email and I would just like to make it a little more detailed and formal?

    Appreciate the code, and have to say well done on its simplicity.
    Thank you.

  • Jo says:

    Hi Mike,

    My site is definitely infected, as I got an email from my hosting provider.
    I uploaded your script here: http://pyramisaegypt.com/phpMalCodeScanner.php

    it runs OK as it gets to the message scan complete, but I don’t get any emails. What could be the reason?

    Thank you.

    • mike says:

      It’s possible that there’s an email issue, or that the attack isn’t one recognized by the script.

      Adding the following code right before the mail(…):


      If you’re not seeing anything, the script is unfortunately not finding the attack your hosting company alerted you to :(

  • Dave Teu says:

    There seems to be some malware it's not detecting even though it uses eval. Where can I send you the malicious code so you can take a look?

  • JB Benjamin says:

    Do you have a more up-to-date version of this script available?


    Hi Mike!

    Thank you so much. It’s really helped me. After running this code I found the malware. Thanks again.

  • Constant warning message, what to do?

    file_get_contents(/home/condomsh/public_html/mychannelpartners.com/payus.php): failed to open stream: Permission denied in /home/condomsh/public_html/mychannelpartners.com/phpMalCodeScanner.php on line 43

    • mike says:

      This is most likely due to server permissions or ownership set on the file. If the file has special permission settings the script will be unable to open it (i.e. read it) and you'll get that error.

    • J says:

      One could add a Permission Check before opening the file for reading. Then either skipping non-readable files or temporarily changing the file permissions to readable and resetting to previous permissions after reading.

    • J says:

      Adding is_readable() on line 42 would also do the trick:
      if (is_file($dir.'/'.$file) && !in_array($dir.'/'.$file, $this->scanned_files) && is_readable($dir.'/'.$file)) {

  • dejan says:

    Hello Mike! Thanks for the script, it saves a lot of time!

    The script found 2 files that it says "appear to be infected".

    I will send you an email if you can check them for infected code.


  • Nick says:

    How can i exclude certain directories or filetypes? (It seems to be having some trouble with a *.pl file and I’d just like it to avoid the cgi directory.)

    Thanks in advance! Lovely code.

  • Gary says:

    This file helped me find a few infections. However, it also is labeling a file that belongs to the plugin Jetpack as infected when in fact it is not. I completely removed the plugin and reinstalled it; I checked, and the folder for the plugin was removed when I uninstalled it. And I installed it from the WordPress "add new" plugin feature. The file it keeps finding is wp-content/plugins/jetpack/modules/custom-css/custom-css/preprocessors/scss.inc.php

  • Zaid says:

    I’m getting this error
    Warning: scandir \directory Access is denied. (code: 5) in \directory\phpMalCodeScanner.php on line 35

    Warning: scandir\directory failed to open dir: No such file or directory in \directory\phpMalCodeScanner.php on line 35

    Warning: scandir(): (errno 2): No such file or directory in \directory\phpMalCodeScanner.php on line 35

    Fatal error: Uncaught exception ‘Exception’ with message ‘Unable to scan directory\directory. Please make sure proper permissions have been set.’ in \directory\phpMalCodeScanner.php:38 Stack trace: #0 \directory\phpMalCodeScanner.php(28): phpMalCodeScan->scan(‘E:\HostingSpace…’) #1 \directory\phpMalCodeScanner.php(78): phpMalCodeScan->__construct() #2 {main} thrown in \directory\phpMalCodeScanner.php on line 38

  • bluedevil678 says:

    I would like to take a moment and thank you for this!

  • Manu says:

    What a great script. Thanks a lot!

  • Hi there,
    I'm trying to use your code on my site but not sure why it won't run.
    Am I doing something wrong?

    Thanks for your advice


  • VideoPortal says:

    Please be aware that NO automated security scanner will be able to detect all vulnerabilities in the code base. The best way to protect your code is to learn about how to write secure software, and do diligent code reviews.

    • mike says:

      Absolutely 100% agree. Security needs to be done in layers, taking advantage of best practices, and numerous protection systems. The scanner can help identify SOME malicious code attacks, but is in no way a guarantee or a way to PREVENT these attacks in the first place.

  • Nathalie says:

    Hi, many thanks for this scanner: WF Security and Sucuri didn't find infected files, but this one found them fast! I got an alert about 3 files. 2 of them weren't modified (I compared them with the originals), but the 3rd one was my enemy.

    Once again, thanks a lot

  • JoAn Guevara says:

    Great tool. Thanks for sharing.
