# sbr-malwscan

Malware persistence scanner for WordPress — detects droppers, cloakers, core file tampering, and database persistence that standard tools (Wordfence, Sucuri, MalCare) miss.

## Why?

Built from lessons learned during a real WordPress hack recovery where:

- Wordfence scan died mid-run on shared hosting (heartbeat timeout, process killer)
- Custom file scanner missed the dropper because it filtered by extension (`.php/.js/.html` only) — the attacker hid PHP code inside a `.css` file
- Payload cache used `.tmp` extension in `wp-includes/blocks/gallery/` with base64-obfuscated header + plaintext PHP
- Host WAF (ModSecurity) blocked uploading helper scripts containing literal malware signatures — workaround: base64-encoded patterns in external JSON

This scanner captures every detection technique that actually worked, in a reusable tool.

## Features

- **Core integrity check** — MD5 diff vs api.wordpress.org checksums for every core file
- **Dropper hunter** — finds PHP code hidden in `.css/.svg/.woff/.tmp/.dat` files (extension-blind scan)
- **Cloaker detection** — dual-UA fetch (Googlebot vs normal browser) to find SEO-spam cloakers
- **DB persistence scan** — malicious hooks in `wp_options`/`action_scheduler`, suspicious users, session tokens
- **WAF-bypass helpers** — base64-obfuscated signature patterns to get through ModSecurity
- **Safe-mode default** — zero modifications unless `--fix` is explicitly passed
- **CI-friendly** — JSON output, exit codes 0/1/2 for GitHub Actions scheduled scans

## Install

```bash
npm install -g sbr-malwscan
# or
bun add -g sbr-malwscan
```

## Quickstart

```bash
# Scan via FTP
sbr-malwscan scan --wp --target ftp://user:pass@host/public_html

# Cloaker test
sbr-malwscan cloaker --url https://example.com

# DB scan (requires SSH or wp-config)
sbr-malwscan db --wp-config /path/to/wp-config.php

# CI mode
sbr-malwscan scan --wp --target ftp://... --quiet --json > report.json
```

## Project status

Active development — v0.1 MVP in progress. See [ROADMAP.md](./docs/ROADMAP.md) for detailed phase plan.

## License

MIT © 2026 Jacek Pyziak
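As an added example (not the project's own code), the following Node.js snippet shows the core idea behind the Dropper hunter and WAF-bypass helpers listed under Features: signature regexes are stored base64-encoded and decoded at scan time, and every file is scanned regardless of extension. The paths and file contents are constructed samples; the `.tmp` base64 header is a placeholder, not a real payload.

```javascript
// Added example, not code from the sbr-malwscan project: extension-blind dropper
// hunt with base64-wrapped signatures, as the README's "Dropper hunter" and
// "WAF-bypass helpers" describe. Paths and file contents are constructed samples.
const PHP_OPEN_TAG = /<\?(?:php\b|=)/i;
const PHP_EXTENSIONS = new Set([".php", ".phtml", ".inc"]);

// Regex sources stay base64-encoded so the file shipping them carries no literal
// malware marker for an upload WAF to reject. Decoded: eval\s*\(  base64_decode\s*\(
const SIGNATURES_B64 = ["ZXZhbFxzKlwo", "YmFzZTY0X2RlY29kZVxzKlwo"];

function decodeSignatures(encoded = SIGNATURES_B64) {
  return encoded.map((b64) => new RegExp(Buffer.from(b64, "base64").toString("utf8"), "i"));
}

function extensionOf(path) {
  const base = path.slice(path.lastIndexOf("/") + 1);
  const dot = base.lastIndexOf(".");
  return dot === -1 ? "" : base.slice(dot).toLowerCase();
}

// Scan one file whatever its extension: a PHP open tag outside a PHP file is a
// dropper finding by itself; signature hits are reported for every file type.
function scanFile(path, content, signatures = decodeSignatures()) {
  const findings = [];
  const ext = extensionOf(path);
  if (PHP_OPEN_TAG.test(content) && !PHP_EXTENSIONS.has(ext)) {
    findings.push({ path, rule: "php-in-non-php-file", ext });
  }
  for (const re of signatures) {
    const m = re.exec(content);
    if (m) findings.push({ path, rule: "signature", match: m[0] });
  }
  return findings;
}

// Scan an in-memory tree { path: content }; a real run walks the filesystem or FTP.
function scanTree(files) {
  const signatures = decodeSignatures();
  return Object.entries(files).flatMap(([p, c]) => scanFile(p, c, signatures));
}

// Constructed tree modelled on the README's incident: PHP hidden in a theme .css
// file and a .tmp payload cache with a base64 header under wp-includes/.
const SAMPLE_TREE = {
  "wp-content/themes/demo/style.css": "body{margin:0}\n/*x*/<?php eval(base64_decode('aGVsbG8=')); ?>",
  "wp-includes/blocks/gallery/cache.tmp": "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n<?php echo 'payload'; ?>",
  "wp-content/themes/demo/clean.css": "h1{color:red}",
  "wp-includes/version.php": "<?php $wp_version = '6.x'; ?>",
};
```

`scanTree(SAMPLE_TREE)` flags the `.css` file three times (PHP tag plus both signatures) and the `.tmp` cache once, while the clean stylesheet and the legitimate core `.php` file produce no findings.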