sbr-malwscan/README.md
Jacek Pyziak c4166d1cd4 initial: v0.1 MVP scaffold
Phase A complete — CLI + 5 scanner modules + reporter:
- ftp-walker: basic-ftp + ssh2-sftp-client adapters with upload/download/walk
- core-diff: MD5 check vs api.wordpress.org checksums
- dropper-hunter: extension-blind PHP detection (catches .css/.svg/.tmp droppers)
- cloaker-test: dual-UA (Googlebot vs browser) with sitemap auto-discovery
- db-scanner: options, users, sessions, action-scheduler hooks
- remote-helper: server-side scan with base64-obfuscated patterns (WAF bypass)
- reporter: JSON + HTML + CLI output with severity-based exit codes

Inspired by sweetbabyroom.pl hack recovery — captures techniques that detected
a dropper Wordfence/custom scanners missed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 19:18:32 +02:00


# sbr-malwscan
Malware persistence scanner for WordPress. It looks for PHP droppers, SEO-spam cloakers, tampered core files and database persistence of the kind that signature-based scanners such as Wordfence, Sucuri and MalCare can miss.
## Why?
Built from lessons learned during a real WordPress hack recovery, where:
- The Wordfence scan died mid-run on shared hosting (heartbeat timeout, then the host's process killer).
- A custom file scanner missed the dropper because it only looked at `.php/.js/.html` files; the attacker had put the PHP code inside a `.css` file.
- The payload cache was a `.tmp` file in `wp-includes/blocks/gallery/` with a base64-obfuscated header followed by plaintext PHP.
- The host's WAF (ModSecurity) blocked uploads of helper scripts that contained literal malware signatures. The workaround was to ship the patterns base64-encoded in an external JSON file and decode them at run time.
This scanner packages every detection technique that actually worked into a reusable tool.
## Features
- **Core integrity check** — MD5 diff of every core file against the api.wordpress.org checksum list for the installed version and locale; core files that are modified, missing, or not in the list at all are reported (plugins and themes are outside that list)
- **Dropper hunter** — finds PHP code hidden in `.css/.svg/.woff/.tmp/.dat` files by scanning content regardless of extension
- **Cloaker detection** — fetches the same URL with a Googlebot User-Agent and with a normal browser User-Agent and compares the responses to find SEO-spam cloakers
- **DB persistence scan** — malicious hooks in `wp_options` and `action_scheduler`, suspicious users, session tokens
- **WAF-bypass helpers** — signature patterns shipped base64-obfuscated so the server-side helper can be uploaded past ModSecurity, which otherwise rejects files containing the literal signatures
- **Safe-mode default** — zero modifications unless `--fix` is explicitly passed
- **CI-friendly** — JSON output and severity-based exit codes 0/1/2 for GitHub Actions scheduled scans
## Install
```bash
npm install -g sbr-malwscan
# or
bun add -g sbr-malwscan
```
## Quickstart
```bash
# Scan via FTP (credentials in the URL are visible in shell history and process listings)
sbr-malwscan scan --wp --target ftp://user:pass@host/public_html
# Cloaker test
sbr-malwscan cloaker --url https://example.com
# DB scan (needs wp-config.php for the database credentials, or SSH access)
sbr-malwscan db --wp-config /path/to/wp-config.php
# CI mode
sbr-malwscan scan --wp --target ftp://... --quiet --json > report.json
```
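What the `cloaker` command has to decide is whether two responses to the same URL differ in a way that matters. The following is an added example written for this page, not sbr-malwscan's own code, showing that comparison: the page is fetched as Googlebot and as a browser with redirects left unfollowed, then compared on status, redirect target, visible words (with scripts, nonces and epoch timestamps stripped so dynamic pages do not false-positive) and the set of external link hosts served only to the bot. The User-Agent strings, the 0.7 similarity threshold, the function names and the sample responses are assumptions; the `.example` hosts are reserved names and never resolve.

```javascript
// Added example (not sbr-malwscan's own code): the comparison behind a dual-UA
// cloaker test. Thresholds, names and sample responses are assumptions.

const GOOGLEBOT_UA = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)';
const BROWSER_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36';

// Needs Node 18+ for global fetch. redirect: 'manual' keeps the 30x visible,
// because a bot-only redirect to a spam domain is itself the finding.
async function fetchVariant(url, userAgent) {
  const res = await fetch(url, { headers: { 'User-Agent': userAgent, Accept: 'text/html' }, redirect: 'manual' });
  return { status: res.status, location: res.headers.get('location') || '', body: await res.text() };
}

// Reduce HTML to visible words, dropping scripts/styles and values that legitimately
// differ between requests (nonces, epoch timestamps) so they cannot trip the check.
function visibleWords(html) {
  return html
    .replace(/<script[\s\S]*?<\/script>/gi, ' ')
    .replace(/<style[\s\S]*?<\/style>/gi, ' ')
    .replace(/<[^>]+>/g, ' ')
    .replace(/_wpnonce=[0-9a-f]+/gi, '_wpnonce=X')
    .replace(/\b\d{10,}\b/g, 'N')
    .toLowerCase()
    .split(/\s+/)
    .filter(Boolean);
}

// Hosts linked from the page that are not the site itself or a subdomain of it.
function externalHosts(html, ownHost) {
  const hosts = new Set();
  for (const m of html.matchAll(/href=["']https?:\/\/([^/"'?#]+)/gi)) {
    const host = m[1].toLowerCase();
    if (host !== ownHost && !host.endsWith('.' + ownHost)) hosts.add(host);
  }
  return hosts;
}

function jaccard(a, b) {
  const A = new Set(a), B = new Set(b);
  let inter = 0;
  for (const x of A) if (B.has(x)) inter += 1;
  const union = A.size + B.size - inter;
  return union === 0 ? 1 : inter / union;
}

function compareVariants(ownHost, bot, browser, minSimilarity = 0.7) {
  const reasons = [];
  if (bot.status !== browser.status) reasons.push(`status ${bot.status} for Googlebot vs ${browser.status} for browser`);
  if (bot.location !== browser.location) reasons.push(`redirect differs: "${bot.location}" vs "${browser.location}"`);
  const similarity = jaccard(visibleWords(bot.body), visibleWords(browser.body));
  if (similarity < minSimilarity) reasons.push(`visible text similarity ${similarity.toFixed(2)} < ${minSimilarity}`);
  const browserHosts = externalHosts(browser.body, ownHost);
  const botOnlyHosts = [...externalHosts(bot.body, ownHost)].filter((h) => !browserHosts.has(h));
  if (botOnlyHosts.length) reasons.push(`external links served only to Googlebot: ${botOnlyHosts.join(', ')}`);
  return { cloaked: reasons.length > 0, similarity, botOnlyHosts, reasons };
}

// Live entry point: fetch both variants of one URL and compare them.
async function cloakerTest(url) {
  const ownHost = new URL(url).hostname.replace(/^www\./, '');
  const [bot, browser] = await Promise.all([fetchVariant(url, GOOGLEBOT_UA), fetchVariant(url, BROWSER_UA)]);
  return compareVariants(ownHost, bot, browser);
}

// Constructed responses standing in for the two fetches.
const BROWSER_RESPONSE = { status: 200, location: '', body:
  '<html><head><title>Example Bakery</title><script>var t=1715000000;</script></head>' +
  '<body><h1>Fresh bread daily</h1><p>Visit our shop in town. Generated 1715000000.</p>' +
  '<a href="https://example.com/menu">Menu</a> <a href="https://www.example.com/contact">Contact</a></body></html>' };
// Same page a little later: only the timestamp changed, so it must not be flagged.
const BROWSER_RESPONSE_LATER = { ...BROWSER_RESPONSE, body: BROWSER_RESPONSE.body.replace(/1715000000/g, '1715000999') };
const BOT_RESPONSE = { status: 200, location: '', body:
  '<html><head><title>Buy cheap pills online</title></head><body><h1>Cheap pills, fast shipping</h1>' +
  '<p><a href="https://pharma-deals.example/">Order now</a> <a href="https://casino-bonus.example/">Bonus</a></p></body></html>' };
```

Against a real site, `cloakerTest('https://example.com/')` runs the live path; the constructed responses exercise the same comparison offline. Run the check on the sitemap URLs as well as the front page, since cloakers commonly target deep pages that already rank.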
## Project status
Active development — v0.1 MVP in progress.
See [ROADMAP.md](./docs/ROADMAP.md) for detailed phase plan.
## License
MIT © 2026 Jacek Pyziak