micahflee / php_backdoor_scanner

PHP Backdoor Scanner

This is a quick and dirty scanner I wrote to search a web server for traces of PHP backdoors or other malware, since they're so common, especially on sites that use open source content management systems like WordPress, Drupal, and Joomla. I wrote it php, but it's meant to be run on a cron job, not a web browser.

Edit the configuration section at the beginning of php_backdoor_scanner.php to configure it.

$config['target_dir'] is the root folder that gets scanned
$config['output_file'] is the name of the file that it outputs to
$config['false_positives_file'] is an optional file with a list of filenames that come up as suspicious but should be ignored by the scanner
$config['email'] is an optional email address that will get sent an email if any suspicious files are found

When you run the backdoor scanner, it recursively searches your target directory for php files. When it finds them, it searches them for a list of things that look suspiciously like they could be malware, like the "c99shell" or "eval(base64(". When it finds them, it saves their filenames to your output file, and at the end of the scan sends you an email.

You should run it as root if you're scanning files in several different user's home directories.

Also, beneath the configuration section of php_backdoor_scanner.php is an array of suspicious strings. Feel free to add your own strings to that list. But remember, the more vague the string, the more false positives you'll get.

Wishlist:
- instead of using an array of strings, use regex