OWASP Web Malware Scanner is a simple malware scanner for web applications. It can be used to identify compromised WordPress, Joomla and other popular web application installations.
- python >= 2.7
```
git clone https://github.com/maxlabelle/WebMalwareScanner.git
```
To scan for compromised installations:
```
python wms.py /path/to/web/installations/
```
OWASP Web Malware Scanner uses a community-driven malware signature database to detect malware. Signatures are found under the signatures/ folder. Each signature database must be a text file that contains the following JSON object:
```json
{
  "Database_Name": "Generic malware database",
  "Database_Signatures": [
    {
      "Malware_Name": "Generic PHP Malware",
      "Malware_Signatures": ["function.*for.*strlen.*isset"]
    }
  ]
}
```
The 'Database_Signatures' object must be an array of objects, each containing the malware name (Malware_Name) and an array of regular expressions for that malware (Malware_Signatures). If the content of a file matches one of these regular expressions, the file is marked as infected.
The signatures for PHP files are in 'signatures/php/'. The signatures for JavaScript files are in 'signatures/js/'.
OWASP Web Malware Scanner also performs MD5 file checksums. MD5 file signatures are in 'signatures/checksum/'. An MD5 signature database must be a text file that contains the following JSON object:
```json
{
  "Database_Name": "Generic malware hash database",
  "Database_Hash": [
    {
      "Malware_Name": "Zip.Trojan.Container",
      "Malware_Hash": "e27122ba785627fca79b4a19c8eea38b"
    }
  ]
}
```
The 'Database_Hash' object must be an array of objects, each containing the MD5 hash (Malware_Hash) and the malware name (Malware_Name). If the MD5 checksum of a file matches one of these MD5 hashes, the file is marked as infected.
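The following is an added example, not the project's own wms.py, showing how a scanner would consume both database formats described above (the regular-expression 'Database_Signatures' files and the MD5 'Database_Hash' files) and walk a web root. Function names, the per-file `re.search` with default flags, and the UTF-8 decoding are assumptions of this example.

```python
import hashlib
import json
import os
import re

# Added example: loads databases in the two JSON formats above and scans a
# directory tree. All helper names and the matching details are assumptions.


def load_json_files(folder):
    """Parse every file in a signature folder as one JSON database."""
    dbs = []
    for name in sorted(os.listdir(folder)):
        with open(os.path.join(folder, name)) as fh:
            dbs.append(json.load(fh))
    return dbs


def compile_regex_db(db):
    """Validate a 'Database_Signatures' database and pre-compile its regexes."""
    compiled = []
    for entry in db["Database_Signatures"]:
        patterns = [re.compile(p) for p in entry["Malware_Signatures"]]
        compiled.append((entry["Malware_Name"], patterns))
    return compiled


def compile_hash_db(db):
    """Map lowercase MD5 hex digests to malware names from a 'Database_Hash' database."""
    return {e["Malware_Hash"].lower(): e["Malware_Name"] for e in db["Database_Hash"]}


def scan_bytes(data, regex_sigs, hashes):
    """Return the names of every signature the file content triggers."""
    hits = []
    digest = hashlib.md5(data).hexdigest()
    if digest in hashes:
        hits.append(hashes[digest])
    # Assumed: plain re.search with default flags, so '.' does not cross newlines.
    text = data.decode("utf-8", errors="replace")
    for malware_name, patterns in regex_sigs:
        if any(p.search(text) for p in patterns):
            hits.append(malware_name)
    return hits


def scan_directory(root, regex_sigs, hashes):
    """Walk a web root and return {path: [malware names]} for infected files only."""
    infected = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                hits = scan_bytes(fh.read(), regex_sigs, hashes)
            if hits:
                infected[path] = hits
    return infected
```

Compile every database from 'signatures/php/' and 'signatures/checksum/' with `compile_regex_db` and `compile_hash_db`, then pass the merged results to `scan_directory`.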
You are welcome to contribute to this project by adding new signatures to this database.
OWASP Web Malware Scanner is written by Maxime Labelle - [email protected]
OWASP Web Malware Scanner is released under the BSD license. See the LICENSE file for details.