initial: v0.1 MVP scaffold

Phase A complete — CLI + 5 scanner modules + reporter:
- ftp-walker: basic-ftp + ssh2-sftp-client adapters with upload/download/walk
- core-diff: MD5 check vs api.wordpress.org checksums
- dropper-hunter: extension-blind PHP detection (catches .css/.svg/.tmp droppers)
- cloaker-test: dual-UA (Googlebot vs browser) with sitemap auto-discovery
- db-scanner: options, users, sessions, action-scheduler hooks
- remote-helper: server-side scan with base64-obfuscated patterns (WAF bypass)
- reporter: JSON + HTML + CLI output with severity-based exit codes

Inspired by sweetbabyroom.pl hack recovery — captures techniques that detected
a dropper Wordfence/custom scanners missed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 19:18:32 +02:00
commit c4166d1cd4
19 changed files with 2872 additions and 0 deletions

docs/ROADMAP.md Normal file

@@ -0,0 +1,41 @@
# sbr-malwscan roadmap
## v0.1 MVP (current)
**Phase A — Completed:**
- ✅ A1: Repo setup (Node.js + TypeScript, MIT)
- ✅ A2: FTP/SFTP walker + core-diff vs api.wordpress.org
- ✅ A3: Dropper hunter (extension-blind `<?php` scan, suspicious names/locations, anti-DELE perms)
- ✅ A4: Remote helper (base64-obfuscated patterns for WAF bypass, self-delete)
- ✅ A5: Cloaker tester (dual-UA Googlebot vs browser, hazard-term detection, sitemap discovery)
- ✅ A6: DB scanner (options, users, sessions, action-scheduler hooks)
- ✅ A7: Reporter (JSON + HTML + CLI TUI, exit codes 0/1/2)
**Still pending for v0.1 release:**
- Integration tests (fixture: mock WP install + known malware samples)
- `remediation` command (quarantine mode, safe rename to `.QUARANTINE-<ts>`)
- Publish to npm
## v0.2 Production-ready (planned)
- B1: Optional WP plugin (admin panel trigger, notices)
- B2: Signatures DB (separate repo, community PRs, GitHub Actions release)
- B3: GitHub Actions template for scheduled scans
- B4: Multi-CMS (Magento, PrestaShop, Laravel)
- B5: Docs site + video tutorial
## v0.3 Hardening (planned)
- C1: Auto-remediation with confirmation (quarantine core restore, DB cleanup)
- C2: Threat intel feed (abuse.ch, VirusTotal, AlienVault OTX)
- C3: Incremental scans + parallel FTP connections
## Origin story
Built from lessons learned during sweetbabyroom.pl hack recovery (Apr 2026). The attacker's dropper (`wp-includes/blocks/gallery/editor-styles.css` containing PHP) evaded:
- Wordfence free (scan died on shared hosting)
- Custom file scanner (extension-filtered to `.php/.js/.html` only)
- cyberFolks built-in AV (reactive, post-infection rename to `.VIRUS`)
Each scanner module directly addresses a technique the attacker used or a blind spot of existing tools.
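Review bot: the A4 item "Remote helper (base64-obfuscated patterns for WAF bypass, self-delete)" describes a PHP file the tool itself uploads into the target's web root, but the roadmap says nothing about how that helper is protected while it exists or what happens if the scan aborts before self-delete runs; an unauthenticated server-side file that walks the filesystem is exactly the kind of artifact the A3 dropper hunter is meant to find, so the doc should state the access control (for example a per-run secret the CLI passes on every request) and a cleanup-on-failure guarantee. While editing this section, also define the meaning of "exit codes 0/1/2" in A7 and "anti-DELE perms" in A3, since both are referenced without explanation and the exit codes are what a scheduled-scan workflow (B3) will key on.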