Phase A complete — CLI + 5 scanner modules + reporter:
- ftp-walker: basic-ftp + ssh2-sftp-client adapters with upload/download/walk
- core-diff: MD5 check vs api.wordpress.org checksums
- dropper-hunter: extension-blind PHP detection (catches .css/.svg/.tmp droppers)
- cloaker-test: dual-UA (Googlebot vs browser) with sitemap auto-discovery
- db-scanner: options, users, sessions, action-scheduler hooks
- remote-helper: server-side scan with base64-obfuscated patterns (WAF bypass)
- reporter: JSON + HTML + CLI output with severity-based exit codes

Inspired by sweetbabyroom.pl hack recovery — captures techniques that detected a dropper Wordfence/custom scanners missed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
sbr-malwscan
Malware persistence scanner for WordPress — detects droppers, cloakers, core file tampering, and database persistence that standard tools (Wordfence, Sucuri, MalCare) miss.
Why?
Built from lessons learned during a real WordPress hack recovery where:
- Wordfence scan died mid-run on shared hosting (heartbeat timeout, process killer)
- Custom file scanner missed the dropper because it filtered by extension (.php/.js/.html only) — the attacker hid PHP code inside a .css file
- Payload cache used .tmp extension in wp-includes/blocks/gallery/ with base64-obfuscated header + plaintext PHP
- Host WAF (ModSecurity) blocked uploading helper scripts containing literal malware signatures — workaround: base64-encoded patterns in external JSON
This scanner captures every detection technique that actually worked, in a reusable tool.
Features
- Core integrity check — MD5 diff vs api.wordpress.org checksums for every core file
- Dropper hunter — finds PHP code hidden in .css/.svg/.woff/.tmp/.dat files (extension-blind scan)
- Cloaker detection — dual-UA fetch (Googlebot vs normal browser) to find SEO-spam cloakers
- DB persistence scan — malicious hooks in wp_options/action_scheduler, suspicious users, session tokens
- WAF-bypass helpers — base64-obfuscated signature patterns to get through ModSecurity
- Safe-mode default — zero modifications unless --fix is explicitly passed
- CI-friendly — JSON output, exit codes 0/1/2 for GitHub Actions scheduled scans
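The two features above that the hack recovery hinged on (extension-blind PHP detection and base64-stored signatures) look roughly like this. This is an added illustration, not sbr-malwscan's own code; the regex sources, the sample files and the 0/1/2 exit-code mapping are all constructed here.

```javascript
// Added example (not sbr-malwscan's own code): extension-blind detection of PHP
// hidden in non-PHP files, with signatures shipped base64-encoded and decoded
// at runtime so the helper itself contains no literal malware strings.
// The regex sources, sample files and exit-code mapping are constructed here.
const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');

// Signature table in the shape an external JSON file would carry:
// "pattern" is the base64 of a regular-expression source.
const SIGNATURES = [
  { id: 'php-open-tag', pattern: b64('<\\?php\\b|<\\?=') },
  { id: 'eval-decode', pattern: b64('eval\\s*\\(\\s*(base64_decode|gzinflate|str_rot13)\\s*\\(') },
  { id: 'dyn-callback', pattern: b64('\\$[a-z_]+\\s*\\(\\s*\\$[a-z_]+\\s*\\)') },
  { id: 'file-write', pattern: b64('file_put_contents\\s*\\(|move_uploaded_file\\s*\\(') },
];
// Decode each pattern once into a live RegExp.
function loadSignatures(table) {
  return table.map(({ id, pattern }) => ({
    id,
    re: new RegExp(Buffer.from(pattern, 'base64').toString('utf8'), 'i'),
  }));
}

// Classify one file by content only; the name is used solely to decide whether
// PHP is expected there. PHP in a .css/.svg/.tmp file is the dropper case.
function scanContent(name, content, sigs) {
  const hits = sigs.filter((s) => s.re.test(content)).map((s) => s.id);
  const phpExpected = /\.(php\d?|phtml)$/i.test(name);
  const risky = hits.filter((h) => h !== 'php-open-tag');
  let severity = 'clean';
  if (hits.includes('php-open-tag') && !phpExpected) severity = 'critical';
  else if (risky.length >= 2) severity = 'high';
  else if (risky.length === 1) severity = 'low';
  return { name, severity, hits };
}

function scanAll(files, sigs) {
  return Object.entries(files).map(([name, content]) => scanContent(name, content, sigs));
}
// Assumed CI mapping (the README only says 0/1/2): 0 clean, 1 findings, 2 critical.
const RANK = { clean: 0, low: 1, high: 1, critical: 2 };
const exitCode = (results) => Math.max(0, ...results.map((r) => RANK[r.severity]));

// Constructed sample files; payloads are placeholders, not real code.
const SAMPLE_FILES = {
  'wp-content/themes/t/style.css': 'body{margin:0}\n<?php eval(base64_decode("PLACEHOLDER")); ?>',
  'wp-includes/blocks/gallery/cache.tmp': 'ZGF0YQ==<?php $fn($arg);',
  'wp-content/themes/t/functions.php': '<?php add_action("init", "theme_setup");',
  'wp-content/uploads/logo.svg': '<svg xmlns="http://www.w3.org/2000/svg"></svg>',
};
```

Running `scanAll(SAMPLE_FILES, loadSignatures(SIGNATURES))` flags the .css and .tmp files as critical, leaves functions.php and the .svg clean, and `exitCode` on that result is 2.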
Install
npm install -g sbr-malwscan
# or
bun add -g sbr-malwscan
Quickstart
# Scan via FTP
sbr-malwscan scan --wp --target ftp://user:pass@host/public_html
# Cloaker test
sbr-malwscan cloaker --url https://example.com
# DB scan (requires SSH or wp-config)
sbr-malwscan db --wp-config /path/to/wp-config.php
# CI mode
sbr-malwscan scan --wp --target ftp://... --quiet --json > report.json
Project status
Active development — v0.1 MVP in progress.
See ROADMAP.md for detailed phase plan.
License
MIT © 2026 Jacek Pyziak