initial: v0.1 MVP scaffold
Phase A complete — CLI + 5 scanner modules + reporter:
- ftp-walker: basic-ftp + ssh2-sftp-client adapters with upload/download/walk
- core-diff: MD5 check vs api.wordpress.org checksums
- dropper-hunter: extension-blind PHP detection (catches .css/.svg/.tmp droppers)
- cloaker-test: dual-UA (Googlebot vs browser) with sitemap auto-discovery
- db-scanner: options, users, sessions, action-scheduler hooks
- remote-helper: server-side scan with base64-obfuscated patterns (WAF bypass)
- reporter: JSON + HTML + CLI output with severity-based exit codes

Inspired by sweetbabyroom.pl hack recovery — captures techniques that detected a dropper Wordfence/custom scanners missed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
README.md (Normal file, +58)
@@ -0,0 +1,58 @@
# sbr-malwscan

Malware persistence scanner for WordPress — detects droppers, cloakers, core file tampering, and database persistence that standard tools (Wordfence, Sucuri, MalCare) miss.

## Why?

Built from lessons learned during a real WordPress hack recovery where:

- Wordfence scan died mid-run on shared hosting (heartbeat timeout, process killer)
- Custom file scanner missed the dropper because it filtered by extension (`.php/.js/.html` only) — the attacker hid PHP code inside a `.css` file
- Payload cache used `.tmp` extension in `wp-includes/blocks/gallery/` with base64-obfuscated header + plaintext PHP
- Host WAF (ModSecurity) blocked uploading helper scripts containing literal malware signatures — workaround: base64-encoded patterns in external JSON

This scanner captures every detection technique that actually worked, in a reusable tool.

## Features

- **Core integrity check** — MD5 diff vs api.wordpress.org checksums for every core file
- **Dropper hunter** — finds PHP code hidden in `.css/.svg/.woff/.tmp/.dat` files (extension-blind scan)
- **Cloaker detection** — dual-UA fetch (Googlebot vs normal browser) to find SEO-spam cloakers
- **DB persistence scan** — malicious hooks in `wp_options`/`action_scheduler`, suspicious users, session tokens
- **WAF-bypass helpers** — base64-obfuscated signature patterns to get through ModSecurity
- **Safe-mode default** — zero modifications unless `--fix` is explicitly passed
- **CI-friendly** — JSON output, exit codes 0/1/2 for GitHub Actions scheduled scans

## Install

```bash
npm install -g sbr-malwscan
# or
bun add -g sbr-malwscan
```

## Quickstart

```bash
# Scan via FTP
sbr-malwscan scan --wp --target ftp://user:pass@host/public_html

# Cloaker test
sbr-malwscan cloaker --url https://example.com

# DB scan (requires SSH or wp-config)
sbr-malwscan db --wp-config /path/to/wp-config.php

# CI mode
sbr-malwscan scan --wp --target ftp://... --quiet --json > report.json
```

## Project status

Active development — v0.1 MVP in progress.

See [ROADMAP.md](./docs/ROADMAP.md) for detailed phase plan.

## License

MIT © 2026 Jacek Pyziak
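Review bot: the Quickstart line `sbr-malwscan scan --wp --target ftp://user:pass@host/public_html` puts the hosting password on the command line, where it ends up in shell history and is visible to other users via the process list, and plain `ftp://` also sends it in cleartext. Since this commit ships an ssh2-sftp-client adapter next to basic-ftp, the README should show an `sftp://` target and a way to pass the password outside argv (environment variable or interactive prompt); the same applies to the `# CI mode` example, where the secret would otherwise land in the workflow log. The "WAF-bypass helpers" bullet would also read more accurately with one clause saying the base64-encoded patterns exist so the scanner's own signature list is not rejected on upload (as the "Why?" section already explains), not to weaken the host's ModSecurity rules.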