sbr-malwscan/docs/ROADMAP.md
Jacek Pyziak c4166d1cd4 initial: v0.1 MVP scaffold
Phase A complete — CLI + 5 scanner modules + reporter:
- ftp-walker: basic-ftp + ssh2-sftp-client adapters with upload/download/walk
- core-diff: MD5 check vs api.wordpress.org checksums
- dropper-hunter: extension-blind PHP detection (catches .css/.svg/.tmp droppers)
- cloaker-test: dual-UA (Googlebot vs browser) with sitemap auto-discovery
- db-scanner: options, users, sessions, action-scheduler hooks
- remote-helper: server-side scan with base64-obfuscated patterns (WAF bypass)
- reporter: JSON + HTML + CLI output with severity-based exit codes

Inspired by sweetbabyroom.pl hack recovery — captures techniques that detected
a dropper Wordfence/custom scanners missed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 19:18:32 +02:00


# sbr-malwscan roadmap

## v0.1 MVP (current)

### Phase A (completed)

- A1: Repo setup (Node.js + TypeScript, MIT)
- A2: FTP/SFTP walker + core-diff (MD5 of every core file checked against the api.wordpress.org checksums manifest)
- A3: Dropper hunter (extension-blind `<?php` scan, suspicious names/locations, anti-DELE perms)
- A4: Remote helper (server-side scan with base64-obfuscated signature patterns so the helper itself is not flagged by the host WAF; self-deletes after the run)
- A5: Cloaker tester (dual-UA Googlebot vs browser, hazard-term detection, sitemap discovery)
- A6: DB scanner (options, users, sessions, action-scheduler hooks)
- A7: Reporter (JSON + HTML + CLI TUI, severity-based exit codes 0/1/2)
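
How the A2 core-diff check can be done, as an added example that is not sbr-malwscan's own code. The manifest shape is the one served by `https://api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=<locale>` (a `checksums` object keyed by path relative to the WordPress root, values are MD5 hex digests); here the manifest and the walked server tree are constructed inline so the block runs offline. Reporting "extra" files only under `wp-admin/` and `wp-includes/` is a design choice of this example, since `wp-content/` legitimately holds files the manifest knows nothing about.

```typescript
import { createHash } from "node:crypto";

// Shape of the JSON served by
// https://api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=<locale>
// "checksums" maps a path relative to the WordPress root to an MD5 hex digest.
export type CoreChecksums = { checksums: Record<string, string> };

export type CoreDiff = {
  modified: string[]; // in the manifest, digest differs
  missing: string[];  // in the manifest, not on the server
  extra: string[];    // on the server under a core directory, not in the manifest
};

// Only these trees should contain nothing but manifest files; wp-content/
// legitimately holds plugins, themes and uploads the manifest does not list.
const CORE_DIRS = ["wp-admin/", "wp-includes/"];

export function md5(data: Buffer | string): string {
  return createHash("md5").update(data).digest("hex");
}

// tree: walked server files, path -> contents (as downloaded over FTP/SFTP)
export function diffCore(manifest: CoreChecksums, tree: Map<string, Buffer>): CoreDiff {
  const diff: CoreDiff = { modified: [], missing: [], extra: [] };
  for (const p of Object.keys(manifest.checksums)) {
    const data = tree.get(p);
    if (data === undefined) {
      diff.missing.push(p);
    } else if (md5(data) !== manifest.checksums[p].toLowerCase()) {
      diff.modified.push(p);
    }
  }
  tree.forEach((_data, p) => {
    const inCore = CORE_DIRS.some((d) => p.indexOf(d) === 0);
    if (inCore && !(p in manifest.checksums)) diff.extra.push(p);
  });
  diff.modified.sort();
  diff.missing.sort();
  diff.extra.sort();
  return diff;
}

// Constructed sample: a three-file "release" whose manifest is derived from the
// pristine contents, and a server tree with one tampered, one missing and one
// extra file (the CSS path from the origin story). Contents are inert placeholders.
const PRISTINE: Record<string, string> = {
  "wp-includes/version.php": "<?php\n$wp_version = '6.5';\n",
  "wp-includes/blocks/gallery/style.css": ".wp-block-gallery{display:flex}\n",
  "wp-admin/index.php": "<?php\nrequire_once __DIR__ . '/admin.php';\n",
};

export function sampleManifest(): CoreChecksums {
  const checksums: Record<string, string> = {};
  for (const p of Object.keys(PRISTINE)) checksums[p] = md5(PRISTINE[p]);
  return { checksums };
}

export function sampleTree(): Map<string, Buffer> {
  const tree = new Map<string, Buffer>();
  tree.set("wp-includes/version.php", Buffer.from(PRISTINE["wp-includes/version.php"]));
  // tampered: a line appended to a core file
  tree.set("wp-admin/index.php", Buffer.from(PRISTINE["wp-admin/index.php"] + "// tampered\n"));
  // wp-includes/blocks/gallery/style.css is deliberately absent (missing)
  // extra file in a core directory; non-.php, so an extension filter would skip it
  tree.set("wp-includes/blocks/gallery/editor-styles.css", Buffer.from("<?php /* constructed sample */ ?>"));
  // content outside the core directories is never reported as extra
  tree.set("wp-content/uploads/2026/04/photo.jpg", Buffer.from([0xff, 0xd8, 0xff]));
  return tree;
}

export function demo(): CoreDiff {
  return diffCore(sampleManifest(), sampleTree());
}

console.log(demo());
```

The `extra` bucket is what catches the origin-story case: a `.css` file inside `wp-includes/` that no release ships, which a digest comparison alone would never visit. Against a live site, request the manifest for the version found in `wp-includes/version.php` and the site's locale, since that is what the API keys on, and treat `missing` core files as seriously as `modified` ones.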

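One way to implement the A5 dual-UA comparison, as an added example that is not the project's code: fetch the same URL once with a Googlebot User-Agent and once with a browser User-Agent, strip the markup, and report hazard terms and external link hosts that appear only in the Googlebot view. The hazard-term list, the `Fetcher` signature and the sample fetcher are assumptions of this example; the fetcher is injected so the block runs offline against a constructed page.

```typescript
// Googlebot's documented crawler string and an ordinary desktop Chrome string.
export const GOOGLEBOT_UA =
  "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)";
export const BROWSER_UA =
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36";

// Assumed hazard list (typical pharma/gambling SEO-spam vocabulary); the
// project's own term list is not on the page.
export const HAZARD_TERMS = ["viagra", "cialis", "casino", "slot gacor", "payday loan"];

// Injected HTTP client: returns the response body for a URL and request headers.
export type Fetcher = (url: string, headers: Record<string, string>) => Promise<string>;

export type CloakFinding = {
  url: string;
  cloaked: boolean;
  botOnlyTerms: string[]; // hazard terms shown to Googlebot but not to the browser
  botOnlyHosts: string[]; // external link targets shown only to Googlebot
};

// Strip scripts, styles and tags so term matching runs on rendered text only.
function visibleText(html: string): string {
  return html
    .replace(/<script[\s\S]*?<\/script>/gi, " ")
    .replace(/<style[\s\S]*?<\/style>/gi, " ")
    .replace(/<[^>]+>/g, " ")
    .replace(/\s+/g, " ")
    .toLowerCase();
}

// Hostnames of all absolute http(s) hrefs in the document.
function linkHosts(html: string): Set<string> {
  const hosts = new Set<string>();
  const re = /href\s*=\s*["']?(https?:\/\/[^"'\s>]+)/gi;
  let m: RegExpExecArray | null;
  while ((m = re.exec(html)) !== null) {
    try {
      hosts.add(new URL(m[1]).hostname);
    } catch (e) {
      // malformed href, ignore
    }
  }
  return hosts;
}

// Diff the two views: anything spammy that only the crawler gets is cloaking.
export function compareViews(url: string, botHtml: string, browserHtml: string): CloakFinding {
  const siteHost = new URL(url).hostname;
  const botText = visibleText(botHtml);
  const browserText = visibleText(browserHtml);
  const botOnlyTerms = HAZARD_TERMS.filter(
    (t) => botText.indexOf(t) >= 0 && browserText.indexOf(t) < 0,
  );
  const browserHosts = linkHosts(browserHtml);
  const botOnlyHosts = Array.from(linkHosts(botHtml))
    .filter((h) => h !== siteHost && !browserHosts.has(h))
    .sort();
  return { url, cloaked: botOnlyTerms.length > 0 || botOnlyHosts.length > 0, botOnlyTerms, botOnlyHosts };
}

// Fetch the same URL twice, once per UA, then diff the bodies.
export async function testUrl(url: string, fetchFn: Fetcher): Promise<CloakFinding> {
  const [bot, browser] = await Promise.all([
    fetchFn(url, { "User-Agent": GOOGLEBOT_UA }),
    fetchFn(url, { "User-Agent": BROWSER_UA }),
  ]);
  return compareViews(url, bot, browser);
}

// <loc> entries of a sitemap; the caller feeds each one through testUrl.
export function sitemapUrls(xml: string): string[] {
  const out: string[] = [];
  const re = /<loc>\s*([^<\s]+)\s*<\/loc>/gi;
  let m: RegExpExecArray | null;
  while ((m = re.exec(xml)) !== null) out.push(m[1]);
  return out;
}

// Constructed sample: a fake fetcher that serves spam only to the Googlebot UA.
export const SAMPLE_BROWSER_HTML =
  '<html><body><h1>Sweet Baby Room</h1><a href="https://example.com/shop">Shop</a></body></html>';
export const SAMPLE_BOT_HTML = SAMPLE_BROWSER_HTML.replace(
  "</body>",
  '<div>Buy viagra online, best casino bonus</div><a href="http://pharma-deals.example/buy">deals</a></body>',
);
export const sampleFetcher: Fetcher = async (_url, headers) =>
  /Googlebot/.test(headers["User-Agent"]) ? SAMPLE_BOT_HTML : SAMPLE_BROWSER_HTML;

testUrl("https://example.com/", sampleFetcher).then((f) => console.log(JSON.stringify(f)));
```

Against a live site, supply a `Fetcher` built on `fetch` or `undici` that follows redirects, and run every `<loc>` from the sitemap through `testUrl`. A clean result is not proof of absence: cloakers also key on referrer, `Accept-Language` and Google's IP ranges, so a dual-UA check from a home connection can miss a cloaker that only triggers for real crawler addresses.
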
### Still pending for v0.1 release

- Integration tests (fixture: mock WP install + known malware samples)
- Remediation command (quarantine mode: safe rename to `.QUARANTINE-<ts>`)
- Publish to npm

## v0.2 Production-ready (planned)

- B1: Optional WP plugin (admin panel trigger, notices)
- B2: Signatures DB (separate repo, community PRs, GitHub Actions release)
- B3: GitHub Actions template for scheduled scans
- B4: Multi-CMS (Magento, PrestaShop, Laravel)
- B5: Docs site + video tutorial

## v0.3 Hardening (planned)

- C1: Auto-remediation with confirmation (quarantine, core restore, DB cleanup)
- C2: Threat intel feed (abuse.ch, VirusTotal, AlienVault OTX)
- C3: Incremental scans + parallel FTP connections

## Origin story

Built from lessons learned during the sweetbabyroom.pl hack recovery (Apr 2026). The attacker's dropper, `wp-includes/blocks/gallery/editor-styles.css` (a CSS path whose contents were PHP), evaded:

- Wordfence free (the scan died on shared hosting before finishing)
- Custom file scanner (extension-filtered to `.php`/`.js`/`.html` only, so a `.css` file was never opened)
- cyberFolks built-in AV (reactive: renamed the file to `.VIRUS` only after the infection was already live)

Each scanner module directly addresses a technique the attacker used or a blind spot of existing tools.
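
The extension-blind scan from A3 and the origin story, the `.QUARANTINE-<ts>` naming from the pending remediation command, and the severity-based exit codes from A7, together in one added example that is not the project's code. The detection heuristics, the reading of "anti-DELE perms" as a cleared owner write bit, and the 0/1/2 mapping are assumptions; the sample files are constructed and their PHP is inert.

```typescript
export type Severity = "info" | "warning" | "critical";
export type Finding = { path: string; severity: Severity; reason: string };
// mode: permission bits as returned by FTP LIST / SFTP stat
export type WalkedFile = { path: string; data: Buffer; mode: number };

// Assumed heuristics, not the project's signature set.
const PHP_OPEN = /<\?(php\b|=)/i;     // "<?php" and "<?=" anywhere in the file
const PHP_SHORT = /<\?(?!xml\b)\s/i;  // short open tag; "<?xml" is a legitimate prolog
const PHP_EXT = /\.(php|phtml|phar|php[3-8])$/i;
const NO_EXEC_DIRS = ["wp-content/uploads/", "wp-content/cache/"];

function containsPhp(data: Buffer): boolean {
  const text = data.toString("latin1"); // byte-for-byte, no decode errors on binary junk
  return PHP_OPEN.test(text) || PHP_SHORT.test(text);
}

// Extension-blind: every file is opened, the name only decides the severity.
export function scanFile(f: WalkedFile): Finding[] {
  const out: Finding[] = [];
  if (!containsPhp(f.data)) return out;
  const name = f.path.slice(f.path.lastIndexOf("/") + 1);
  if (!PHP_EXT.test(name)) {
    out.push({ path: f.path, severity: "critical", reason: "PHP open tag in a non-PHP file (extension-blind match)" });
  }
  if (NO_EXEC_DIRS.some((d) => f.path.indexOf(d) === 0)) {
    out.push({ path: f.path, severity: "critical", reason: "PHP code under a directory that should never hold executable files" });
  }
  if (name.charAt(0) === "." && PHP_EXT.test(name)) {
    out.push({ path: f.path, severity: "warning", reason: "hidden PHP file (dotfile)" });
  }
  // Owner write bit cleared: a file the attacker does not want overwritten or
  // renamed through FTP (assumed reading of "anti-DELE perms").
  if ((f.mode & 0o200) === 0) {
    out.push({ path: f.path, severity: "warning", reason: "owner write bit cleared on a file containing PHP" });
  }
  return out;
}

export function scanAll(files: WalkedFile[]): Finding[] {
  return files.reduce<Finding[]>((acc, f) => acc.concat(scanFile(f)), []);
}

// Assumed mapping: 0 clean, 1 warnings only, 2 at least one critical finding.
export function exitCode(findings: Finding[]): number {
  if (findings.some((x) => x.severity === "critical")) return 2;
  return findings.some((x) => x.severity === "warning") ? 1 : 0;
}

// Quarantine rename target: keep the original name for forensics and append a
// UTC timestamp so repeated runs never collide, e.g. x.css.QUARANTINE-20260417T191832Z
export function quarantineName(path: string, now: Date): string {
  const ts = now.toISOString().replace(/[-:]/g, "").replace(/\.\d{3}/, "");
  return path + ".QUARANTINE-" + ts;
}

// Constructed samples (contents are inert placeholders).
export const SAMPLE_FILES: WalkedFile[] = [
  { path: "wp-includes/blocks/gallery/editor-styles.css", mode: 0o444,
    data: Buffer.from(".wp-block-gallery{display:flex}\n<?php /* constructed sample */ ?>\n") },
  { path: "wp-content/uploads/2026/04/logo.svg", mode: 0o644,
    data: Buffer.from('<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>') },
  { path: "wp-content/themes/site/functions.php", mode: 0o644,
    data: Buffer.from("<?php\nadd_theme_support('title-tag');\n") },
  { path: "wp-content/uploads/2026/04/.cache.php", mode: 0o644,
    data: Buffer.from("<?php /* constructed sample */ ?>") },
];

const findings = scanAll(SAMPLE_FILES);
console.log(findings, "exit code:", exitCode(findings));
```

Two caveats for the remediation step. A `0444` file is still renamable over FTP, because RNFR/RNTO and DELE depend on write permission on the directory, not the file; when the directory has been locked down too, the rename fails and the finding should stay open rather than be reported as quarantined. And the suffix scheme alone does not neutralise a file whose original name contains `.php`: an Apache `AddHandler ... .php` directive matches that extension anywhere in the filename, so `shell.php.QUARANTINE-<ts>` may still execute; for such names also move the file out of the web root or make sure the handler is scoped with `<FilesMatch "\.php$">`.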