Hopefully you are not reading this page on the day you get hit by malware, because the day you discover that your server has been compromised by malware is a horrible one: where do you start, how do you stop the malware, did I lose my data? Calm down, that day could happen to anyone, so it is better to get ready, because if it is not your own code it could be one of your WordPress installations, a plugin, or just a theme that you installed and never even used. We will come back to these questions very soon, but for today let's have a look at the available malware scanners for PHP.
Security scanners and malware scanners are two different things. Security scanners are usually static code scanners that examine your code for known security issues such as unused code, unprotected databases, SQL injection, etc. Malware scanners look for malware that could be hidden somewhere in your website; malware usually arrives in a piece of software that you downloaded from an unknown location or from a random GitHub account.
Note that we are not talking about the best tools, but the top tools used by lots of companies. Many new tools, free open source or commercial, are also available today for developers at competitive prices. We will come back to these tools in more detail very soon, so let's go to the list:
RIPS: Security Testing for PHP, Java and NodeJS
RIPS is a leading static security scanning solution available for PHP, Java and NodeJS/JavaScript. The company was acquired this year by SonarSource, the company behind the popular developer products SonarQube, SonarCloud and SonarLint. RIPS can help you find vulnerabilities in your code that others miss, for example in your WordPress or BitBucket, with meaningful and very accurate results: the false positive rate was measured to be only 1-2%.
The solution is quite fast: it can scan the whole Magento code base, 2.2 million lines of code, in only 20 minutes. Best of all, it deploys recommended code patches automatically so you can focus on developing secure applications. RIPS is commercial software and, unfortunately, after the acquisition we are still waiting to see the product integrated with the SonarSource suite of products.
SonarPHP, SonarQube and SonarLint for PHP
SonarSource delivers what is probably the best static code analysis you can find for PHP. Based on SonarSource's own PHP compiler front-end, it uses the most advanced techniques (pattern matching, dataflow analysis) to analyze code and find code smells, bugs and security vulnerabilities. As with everything SonarSource develops, it was built on the principles of depth, accuracy and speed.
SonarSource's PHP analysis has great coverage of well-established quality standards. It is available in Eclipse and IntelliJ for developers (SonarLint) as well as throughout the development chain for automated code review, with self-hosted SonarQube or cloud-based SonarCloud.
SonarSource's PHP analysis supports all the standard metrics implemented by SonarQube, including Cognitive Complexity. Additionally, it supports the import of Clover XML test coverage reports, and custom rules written in Java. Above all, the acquisition of RIPS should make it one of the best security scanners for PHP.
Note that SonarPHP is free and open source (available on GitHub) and ships as part of the SonarSource community edition. SonarQube is the automatic code review tool that detects bugs, code smells and vulnerability issues and is easy to integrate with DevOps toolchains; it includes SonarPHP for the PHP language among many others. SonarLint is the IDE extension for real-time code quality feedback; it helps developers deliver cleaner code as they work.
SonarSource prices for the commercial editions start from €120 for the Developer Edition, €15k for the Enterprise Edition and €100k for the Data Center Edition.
Exakat, real time static analyzer engine for PHP
Exakat is another static analysis tool, available as a community and a commercial edition. For each issue or flaw detected, Exakat provides deep documentation to fix it: code location, a compulsory explanation, the remediation approach and code examples. Exakat provides metrics to gain a deeper understanding of a PHP application in the areas of quality, coding standards, bug fixing, security, code smells, performance and documentation needs. More than 30 reports are provided out of the box.
Exakat detects different kinds of issues, such as:
- Bug: code that clearly leads to wrong behavior of your application
- Code smells: code that is complex to maintain: duplicate code, dead code
- Security: code that creates vulnerabilities: SQL injection, hardcoded passwords
- Quality: code that leads to technical debt: lack of standardisation, norm violations, inconsistencies across the team
Each application has its own security guidelines, so one rule for all doesn't fit everyone. With Exakat you define your own security rules to write more secure code, based on sensible patterns chosen by your development team. Exakat runs its analysis easily from all popular CI/CD providers: GitHub, GitLab, BitBucket, Jenkins, CircleCI and Travis. It analyses pull requests, branches or each commit depending on your workflow and branch strategy, and lets you be notified directly in your favorite CI/CD tool. Exakat pricing starts from €10/month for the cloud edition, for public and private projects limited to 1M PHP LoC with 500+ rules.
PHP Malware Finder
Webshell finder, kiddies hunter, website cleaner.
Detect potentially malicious PHP files.
Now let's go back to malware detection, since the previous tools may not detect any malware at all. PHP Malware Finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often found in malware and webshells. The following encoders, obfuscators and webshells are detected:
- Best PHP Obfuscator
- Carbylamine
- Cipher Design
- Cyklodev
- Joes Web Tools Obfuscator
- P.A.S
- PHP Jiami
- Php Obfuscator Encode
- SpinObf
- Weevely3
- atomiku
- cobra obfuscator
- phpencode
- tennc
- web-malware-collection
- webtoolsvn
- novahot
- nano
PMF detection is performed by crawling the filesystem and testing files against a set of YARA rules. Yes, it's that simple! Instead of using a hash-based approach, PMF tries as much as possible to use semantic patterns, to detect things like "a $_GET variable is decoded two times, unzipped, and then passed to some dangerous function like system".
To install it you need to get YARA first, then clone the PMF repository. PMF is really a great tool that could save your life in the dark days. It is released under the GPL v3 license; YARA is available under the Apache 2.0 license.
Get PHP Malware Finder from its GitHub repository: https://github.com/nbs-system/php-malware-finder/
AMWSCAN, PHP Antimalware Scanner
AMWSCAN is a free tool written in PHP that scans PHP files and analyzes your project to find malicious code inside it. It provides a text terminal console interface to scan the files in a given directory and find the PHP files that seem to contain malicious code. It can also scan the PHP files without outputting anything to the terminal console; in that case the results are stored in a log file. This scanner works on your own PHP projects and on a lot of other platforms. Use the command php -d disable_functions to run the program without issues.
AMWSCAN provides different scanning modes:
- aggressive (the default, without any option): searches for all functions/exploits on the lists and all malware signatures, without restrictions
- --agile: searches for some specific exploits on the lists with some restrictions, plus all malware signatures (on WordPress and other platforms it could find more malware and more false positives)
- --only-signatures: searches for all malware signatures only (could be perfect for WordPress and other platforms to have fewer false positives)
- --only-exploits: searches for exploits on the lists
- --only-functions: searches for all functions on the lists (some obfuscated code can't be detected)
AMWSCAN is free open source software released under GPLv3.0 license. More information at https://github.com/marcocesarato/PHP-Antimalware-Scanner
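As an added example (not code from PMF or AMWSCAN), here is a toy scanner in Python that puts both ideas side by side: the AMWSCAN-style list of suspicious functions, and a PMF-style semantic pattern that only fires when user input is decoded one or more times and then reaches a dangerous sink. The sample PHP files are constructed, and the mode names only mimic the AMWSCAN options.

```python
import os
import re

# Functions a webshell typically needs; legitimate code uses many of them too, hence noisy.
SUSPICIOUS_FUNCS = {"eval", "system", "exec", "shell_exec", "passthru", "assert",
                    "base64_decode", "gzinflate", "gzuncompress", "str_rot13"}
SINKS = r"(?:eval|system|exec|shell_exec|passthru|assert)"
DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13|urldecode)"
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["
# Semantic pattern: sink( decoder( decoder( ... $_GET[...] ) ) ), at least one decoder deep.
CHAIN = re.compile(rf"{SINKS}\s*\(\s*((?:{DECODERS}\s*\(\s*)+){SUPERGLOBAL}", re.I)
FUNC_CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")

# Constructed sample files (not real malware): a one-line webshell and a benign upload handler.
SAMPLES = {
    "shell.php": "<?php system(base64_decode(gzinflate($_GET['c']))); ?>",
    "upload.php": "<?php $img = base64_decode($_POST['img']); file_put_contents('a.png', $img); ?>",
}

def scan_source(src, mode="aggressive"):
    """Return (kind, detail) findings for one PHP source string. 'aggressive' reports function
    hits plus semantic chains; 'only-signatures' reports only chains (fewer false positives)."""
    findings = []
    for m in CHAIN.finditer(src):
        sink = m.group(0).split("(", 1)[0].strip().lower()
        depth = len(re.findall(DECODERS, m.group(1), re.I))
        findings.append(("chain", f"{sink} <- {depth} decoder(s) <- user input"))
    if mode == "aggressive":
        hits = {f.lower() for f in FUNC_CALL.findall(src)} & SUSPICIOUS_FUNCS
        findings.extend(("function", f) for f in sorted(hits))
    return findings

def scan_dir(root, mode="aggressive"):
    """Crawl root like PMF does and return {path: findings} for every flagged .php file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_source(fh.read(), mode)
                if found:
                    report[path] = found
    return report

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        for mode in ("aggressive", "only-signatures"):
            print(name, mode, scan_source(src, mode))
```

The benign upload handler is flagged only in aggressive mode (it calls base64_decode), which is exactly the false-positive trade-off the signature-only modes of both tools are meant to reduce.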
PHP Malware Detector
Last in the list, and also the least updated and maintained, is PHP Malware Detector, listed here for reference even though it has not been updated for two years. PHP Malware Detector provides web and console modes and uses 16 regular expressions to detect suspicious code. It is released under an MIT license. More information at https://github.com/ollyxar/php-malware-detector