sbr-malwscan/helpers/remote-scan.php

<?php
/**
 * sbr-malwscan remote helper.
 * Uploaded to WP root, executes server-side scan, returns JSON, self-deletes.
 *
 * Protection:
 *  - Token-based auth via GET param
 *  - Signatures loaded from separate base64-encoded JSON (WAF bypass)
 *  - Self-deletes on shutdown
 *  - Only scans if token valid
 */
register_shutdown_function(function () {
    @unlink(__FILE__);
});

$token = $_GET['t'] ?? '';
$expected_token = '__TOKEN_PLACEHOLDER__';
if ($token === '' || $token !== $expected_token) {
    http_response_code(403);
    exit;
}

@set_time_limit(300);
@ini_set('memory_limit', '256M');

$root = dirname(__FILE__);
$patterns_file = $root . '/sbr-patterns.json';
$patterns = [];
if (file_exists($patterns_file)) {
    $raw = @file_get_contents($patterns_file);
    $data = @json_decode($raw, true);
    if (is_array($data) && isset($data['patterns'])) {
        foreach ($data['patterns'] as $p) {
            if (isset($p['b64'], $p['id'], $p['severity'])) {
                $patterns[] = [
                    'id' => $p['id'],
                    'severity' => $p['severity'],
                    'needle' => base64_decode($p['b64']),
                ];
            }
        }
    }
    @unlink($patterns_file);
}

$findings = [];
$files_scanned = 0;
$bytes_scanned = 0;

$dir_iter = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, RecursiveDirectoryIterator::SKIP_DOTS),
    RecursiveIteratorIterator::LEAVES_ONLY
);

$exclude_dirs = ['/wp-content/cache/', '/wp-content/uploads/', '/wp-content/updraft/', '/node_modules/'];
$scan_extensions = ['php', 'phtml', 'phar', 'css', 'js', 'svg', 'woff', 'woff2', 'tmp', 'dat', 'html'];

foreach ($dir_iter as $file) {
    if (!$file->isFile()) continue;
    $path = $file->getPathname();
    $rel = str_replace('\\', '/', substr($path, strlen($root)));
    foreach ($exclude_dirs as $ex) {
        if (strpos($rel, $ex) !== false) continue 2;
    }
    $ext = strtolower($file->getExtension());
    if (!in_array($ext, $scan_extensions, true)) continue;
    $size = $file->getSize();
    if ($size > 5 * 1024 * 1024) continue;
    if ($size === 0) continue;

    $files_scanned++;
    $bytes_scanned += $size;

    $content = @file_get_contents($path);
    if ($content === false) continue;

    $head = substr($content, 0, 256);
    $php_extensions = ['php', 'phtml', 'phar'];

    // H1: non-PHP extension starting with <?php
    if (!in_array($ext, $php_extensions, true)) {
        $trimmed = ltrim($head);
        if (strpos($trimmed, '<?php') === 0 || strpos($trimmed, '<?=') === 0) {
            $findings[] = [
                'path' => $rel,
                'severity' => 'critical',
                'reason' => 'PHP shebang in .' . $ext . ' file',
                'size' => $size,
                'mtime' => $file->getMTime(),
            ];
            continue;
        }
    }

    // H2: pattern match
    foreach ($patterns as $pat) {
        if ($pat['needle'] !== '' && stripos($content, $pat['needle']) !== false) {
            $findings[] = [
                'path' => $rel,
                'severity' => $pat['severity'],
                'reason' => 'Matched signature: ' . $pat['id'],
                'size' => $size,
                'mtime' => $file->getMTime(),
            ];
            break;
        }
    }
}

header('Content-Type: application/json');
echo json_encode([
    'files_scanned' => $files_scanned,
    'bytes_scanned' => $bytes_scanned,
    'findings' => $findings,
    'wp_version' => file_exists($root . '/wp-includes/version.php') ? (function () use ($root) {
        $c = @file_get_contents($root . '/wp-includes/version.php');
        return preg_match('/\$wp_version\s*=\s*[\'"]([^\'"]+)/', $c, $m) ? $m[1] : 'unknown';
    })() : 'not-a-wp',
]);