Project-Pro/sbr-malwscan
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial: v0.1 MVP scaffold

Browse Source 
Phase A complete — CLI + 5 scanner modules + reporter:
- ftp-walker: basic-ftp + ssh2-sftp-client adapters with upload/download/walk
- core-diff: MD5 check vs api.wordpress.org checksums
- dropper-hunter: extension-blind PHP detection (catches .css/.svg/.tmp droppers)
- cloaker-test: dual-UA (Googlebot vs browser) with sitemap auto-discovery
- db-scanner: options, users, sessions, action-scheduler hooks
- remote-helper: server-side scan with base64-obfuscated patterns (WAF bypass)
- reporter: JSON + HTML + CLI output with severity-based exit codes

Inspired by sweetbabyroom.pl hack recovery — captures techniques that detected
a dropper Wordfence/custom scanners missed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Jacek Pyziak
2026-04-17 19:18:32 +02:00
commit c4166d1cd4
19 changed files with 2872 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
patterns/signatures.json Normal file
View File

@@ -0,0 +1,22 @@
{
"version": "0.1.0",
"updated": "2026-04-17",
"note": "Patterns are base64-encoded to bypass host WAF (ModSecurity) blocking PHP uploads with literal malware signatures. Helper decodes at runtime.",
"patterns": [
{ "id": "eval-b64", "severity": "critical", "b64": "ZXZhbChiYXNlNjRfZGVjb2RlKA==" },
{ "id": "eval-gz", "severity": "critical", "b64": "ZXZhbChnemluZmxhdGUo" },
{ "id": "eval-rot13", "severity": "critical", "b64": "ZXZhbChzdHJfcm90MTMo" },
{ "id": "assert-var", "severity": "critical", "b64": "YXNzZXJ0KCRf" },
{ "id": "preg-replace-e", "severity": "critical", "b64": "cHJlZ19yZXBsYWNlKC8uKiovZSI=" },
{ "id": "create-fn", "severity": "high", "b64": "Y3JlYXRlX2Z1bmN0aW9uKA==" },
{ "id": "system-var", "severity": "high", "b64": "c3lzdGVtKCRf" },
{ "id": "exec-var", "severity": "high", "b64": "ZXhlYygkXw==" },
{ "id": "passthru-var", "severity": "high", "b64": "cGFzc3RocnUoJF8=" },
{ "id": "shell-exec-var", "severity": "high", "b64": "c2hlbGxfZXhlYygkXw==" },
{ "id": "proc-open-var", "severity": "high", "b64": "cHJvY19vcGVuKCRf" },
{ "id": "file-put-contents-req", "severity": "medium", "b64": "ZmlsZV9wdXRfY29udGVudHMoJF9SRVFVRVNU" },
{ "id": "dynamic-var-exec", "severity": "high", "b64": "JHskXw==" },
{ "id": "goto-obfuscation", "severity": "medium", "b64": "Z290byA=" },
{ "id": "unicode-escape", "severity": "medium", "b64": "XHgw" }
]
}