PHP Malware Finder


PHP Malware Finder is an IT security tool to detect malicious code on a website or a web application written in PHP. This open source scanner is developed by our experts and reports backdoors that hackers might have installed on your web servers. PHP Malware Finder is installed by default for our clients who use the high-security hosting solution CerberHost.

Malware detection: why use PHP Malware Finder?

The term “malware” hardly needs explaining, as it is in common use. In reality it has a very broad meaning that covers viruses, worms and Trojans as well as many other computer threats. Trojans in particular, unlike most viruses, do not necessarily have a direct impact on the machines they infect and are much more difficult to identify.

These threats can be considered backdoors. Specifically, they are files that contain malicious code, or pieces of malicious code, installed on a computer after a suspicious link is clicked, or hidden on a web server by a hacker who has gained access to it.

Backdoors’ usefulness and objectives are as varied as a hacker’s imagination! These can include:

  • Extracting or stealing data
  • Using your machine’s resources to send spam or perform DDoS attacks
  • Hosting illegal content on your server accessible via hidden URLs
  • And much more!

PHP Malware Finder locates these pieces of malicious code on your servers so you can remove them and make your machines clean again. Be aware that the tool is easy to circumvent; its goal is to minimise risk by addressing some of the simplest threats, which are often the ones most used in opportunistic attacks!

Malware prevention: how to use PHP Malware Finder

You can get this open source tool on the PHP Malware Finder GitHub page. It installs on your server. Ask your host or developers for advice so they can help you install it!

When should you use PHP Malware Finder?

Beyond the initial test, we recommend performing regular scans on your web servers, not just after a compromise.

This precaution may seem paranoid to some, but it is far from negligible. Indeed, as IBM shared in its latest “Cost of Data Breach” report, it takes an average of 191 days to discover that you have been compromised. This means that some backdoors can remain installed for more than 6 months before being located.

Bring this average down by regularly checking the status of your websites and web applications as well as your information systems! Of course, it’s important to strike a balance between your production requirements and the need to secure your platforms. Don’t neglect this last assignment, though. We recommend you automate it as much as possible!

How does PHP Malware Finder work?

PHP Malware Finder is a malware scanner based on the Yara open source project, and we would like to give the Yara team our warmest thanks. Yara lets you locate and classify malware samples according to the specific character strings and patterns they contain.

PHP Malware Finder is simple: it scans the content of your server’s files looking for clues to malicious behaviour.

Malware protection: finding and flagging malicious files

These clues found by the PHP Malware Finder software can be of several types:

  • The presence of many functions considered suspicious
  • Bits of code that match known malware
  • Hacker signatures, such as a pseudonym left in the code
  • URLs pointing to password-breaking help sites
  • And much more!

Some files are obfuscated, that is, deliberately made unreadable to slow down their analysis by automated tools. Our experts are a step ahead: PHP Malware Finder recognises the obfuscation patterns often used in malware and can identify these malicious files as well.

For each file studied, the tool checks whether it contains one or more significant clues of malicious behaviour. If it finds one, it marks the file as illegitimate. Of course, these rule lists are regularly updated to include new types of threats and to maintain protection even against the most recent cyber-attacks.

Avoiding false positives when detecting malware

With this type of automated tool, there is a risk that a file is flagged as malicious because of its content when, in reality, it is legitimate. PHP Malware Finder covers this risk with an additional whitelist system.

Our IT security experts have scanned many platforms, frameworks and CMSes to identify the legitimate files they contain. They have recorded these files in a whitelist as hashes (a unique fingerprint that changes drastically if even the smallest piece of data in the file is changed).

Each time PHP Malware Finder flags a file as malicious, the file's hash is computed and compared to the whitelist. If the hash is not in the list of authorised files, the file is reported to your server administrator as malicious. The administrator can then try to understand how the file got there, delete it, and improve your server’s protection if necessary!
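As an added illustration of the two mechanisms described above (clue-based flagging, then a hash whitelist consulted only for flagged files), here is a small Python sketch. It is not the project's own code or rule set: the suspicious-function list, the threshold, the obfuscation patterns, the SHA-1 whitelist and the sample files are all constructed assumptions.

```python
import hashlib
import re

# Assumed rule set modelled on the clue types the page lists; not the project's real Yara rules.
SUSPICIOUS_FUNCS = ["eval", "base64_decode", "gzinflate", "str_rot13",
                    "system", "exec", "passthru", "shell_exec"]
FUNC_THRESHOLD = 3  # constructed: "many" suspicious functions means at least three distinct ones
OBFUSCATION_PATTERNS = {  # constructed patterns for common obfuscation tricks
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{60,}={0,2}['\"]"),
    "hex_escaped_string": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
    "chr_concat_chain": re.compile(r"(chr\(\d+\)\s*\.\s*){4,}"),
}

def find_clues(source: str) -> dict:
    """Collect the clues present in one PHP source: suspicious calls and obfuscation patterns."""
    funcs = [f for f in SUSPICIOUS_FUNCS if re.search(r"\b" + f + r"\s*\(", source)]
    obf = [name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(source)]
    return {"suspicious_functions": funcs, "obfuscation": obf}

def classify(data: bytes, whitelist: set) -> str:
    """'clean' if no significant clue, 'whitelisted' if flagged but its hash is known good, else 'malicious'."""
    clues = find_clues(data.decode("utf-8", errors="replace"))
    flagged = len(clues["suspicious_functions"]) >= FUNC_THRESHOLD or bool(clues["obfuscation"])
    if not flagged:
        return "clean"
    # The whitelist is consulted only for flagged files, as the page describes.
    return "whitelisted" if hashlib.sha1(data).hexdigest() in whitelist else "malicious"

# Constructed sample files (neither real malware nor real framework code).
SAMPLES = {
    "plugin/helper.php": b"<?php function esc($t) { return htmlspecialchars($t); }",
    # A legitimate template compiler can use the same calls as a backdoor; its hash goes in the whitelist.
    "vendor/compiler.php": b"<?php return eval(gzinflate(base64_decode($compiled)));",
    "uploads/.cache.php": b'<?php eval(gzinflate(base64_decode("' + b"QUFB" * 20 + b'")));',
}
WHITELIST = {hashlib.sha1(SAMPLES["vendor/compiler.php"]).hexdigest()}

def scan_samples() -> dict:
    """Run every sample through the classifier and return path -> verdict."""
    return {path: classify(data, WHITELIST) for path, data in SAMPLES.items()}

if __name__ == "__main__":
    for path, verdict in scan_samples().items():
        print(f"{verdict:12} {path}")
```

The second sample shows why the whitelist matters: a legitimate file can trip the same clues as a backdoor, and only its known-good hash keeps it from being reported.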

Are you interested in PHP Malware Finder, or are you looking to protect your business against cyber-threats?

Contact our team!