README.md

File metadata and controls

61 lines (44 loc) · 1.97 KB

OWASP Malware Scanner

About

OWASP Web Malware Scanner is a simple malware scanner for web applications. It can be used to identify compromised WordPress, Joomla and other popular web application installations.

Requirements

  • python >= 2.7

Installation

git clone https://github.com/alperunal92/MalwareScanner.git

Usage

To scan for compromised installations:

python ms.py /path/to/web/installations/

Signature database

OWASP Web Malware Scanner uses a community-driven malware signature database to detect malware. Signatures are found under the signatures/ folder. Each signature file must be a text file that contains the following JSON object:

{
  "Database_Name": "Generic malware database",
  "Database_Signatures": [
    {
      "Malware_Name": "Generic PHP Malware",
      "Malware_Signatures": ["function.*for.*strlen.*isset"]
    }
  ]
}

The 'Database_Signatures' object must be an array of objects, each containing the malware name (Malware_Name) and an array of regular expressions (Malware_Signatures). If the content of a file matches one of these regular expressions, it will be marked as infected.

The signatures for PHP files are in 'signatures/php/'. The signatures for JavaScript files are in 'signatures/js/'.

OWASP Web Malware Scanner also performs MD5 file checksums. MD5 file signatures are in 'signatures/checksum/'. An MD5 signature database must be a text file that contains the following JSON object:

{
  "Database_Name": "Generic malware hash database",
  "Database_Hash": [
    {
      "Malware_Name": "Zip.Trojan.Container",
      "Malware_Hash": "e27122ba785627fca79b4a19c8eea38b"
    }
  ]
}

The 'Database_Hash' object must be an array of objects, each containing the MD5 hash (Malware_Hash) and the malware name (Malware_Name). If the MD5 checksum of a file matches one of these hashes, it will be marked as infected.
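To show how the two database formats above are consumed, here is an added example (not the project's ms.py, and not code from the OWASP project) that re-implements the matching rules the README describes: a regex database of the Database_Signatures shape and a checksum database of the Database_Hash shape are loaded, a directory tree is walked, and each file is marked infected if its MD5 is in the hash database or its content matches one of the regular expressions. The function names, the sample databases and the sample files are all constructed for this example; compiling the patterns with re.DOTALL (so '.*' can span line breaks) is an assumption of this example, not a documented behaviour of the scanner.

```python
import hashlib
import json
import os
import re
import tempfile

# Constructed sample databases in the README's two JSON formats.
REGEX_DB_JSON = json.dumps({
    "Database_Name": "Generic malware database",
    "Database_Signatures": [
        {"Malware_Name": "Generic PHP Malware",
         "Malware_Signatures": ["function.*for.*strlen.*isset"]}
    ]
})

# Constructed "malicious archive" bytes; their MD5 is placed in the hash
# database so the checksum path has something to match.
SAMPLE_BLOB = b"PK\x03\x04constructed-sample-archive-bytes"
HASH_DB_JSON = json.dumps({
    "Database_Name": "Generic malware hash database",
    "Database_Hash": [
        {"Malware_Name": "Zip.Trojan.Container",
         "Malware_Hash": hashlib.md5(SAMPLE_BLOB).hexdigest()}
    ]
})


def load_regex_signatures(db_text):
    """Parse a Database_Signatures document and compile every pattern.

    Returns a list of (malware_name, compiled_regex). re.DOTALL is an
    assumption of this example so that '.*' also spans newlines.
    """
    db = json.loads(db_text)
    sigs = []
    for entry in db["Database_Signatures"]:
        for pattern in entry["Malware_Signatures"]:
            sigs.append((entry["Malware_Name"], re.compile(pattern, re.DOTALL)))
    return sigs


def load_hash_signatures(db_text):
    """Parse a Database_Hash document into {md5_hex: malware_name}."""
    db = json.loads(db_text)
    return {e["Malware_Hash"].lower(): e["Malware_Name"] for e in db["Database_Hash"]}


def scan_file(path, regex_sigs, hash_sigs):
    """Return the matching malware name, or None if nothing matched.

    The exact checksum is tried first; the regexes are heuristics and are
    only consulted when no hash matched.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    name = hash_sigs.get(hashlib.md5(data).hexdigest())
    if name:
        return name
    text = data.decode("utf-8", "replace")
    for name, rx in regex_sigs:
        if rx.search(text):
            return name
    return None


def scan_tree(root, regex_sigs, hash_sigs):
    """Walk a web root; return {relative_path: malware_name} for every hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            path = os.path.join(dirpath, filename)
            hit = scan_file(path, regex_sigs, hash_sigs)
            if hit:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hit
    return findings


def demo():
    """Create a throwaway web root with constructed files and scan it."""
    regex_sigs = load_regex_signatures(REGEX_DB_JSON)
    hash_sigs = load_hash_signatures(HASH_DB_JSON)
    samples = {  # constructed sample files: one clean, one regex hit, one hash hit
        "index.php": b"<?php echo 'hello'; ?>\n",
        "wp-content/uploads/x.php": (b"<?php\nfunction f($c) {\n"
                                     b"  for ($i = 0; $i < strlen($c); $i++) {}\n"
                                     b"  if (isset($_GET['c'])) {}\n}\n"),
        "backup.zip": SAMPLE_BLOB,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        return scan_tree(root, regex_sigs, hash_sigs)


if __name__ == "__main__":
    for rel, name in sorted(demo().items()):
        print("INFECTED  %s  (%s)" % (rel, name))
```

Two practical points follow from the example. A pattern as broad as "function.*for.*strlen.*isset" will also match legitimate PHP, so a regex hit is a lead to review, not a verdict; the checksum path is exact but only catches byte-identical files, so the two databases complement each other. Whether a multi-line file matches depends on how the patterns are compiled (the DOTALL flag above), which is worth confirming against the scanner itself before relying on a signature that spans lines.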

You are welcome to contribute to this project by adding new signatures to this database.