PHP Antimalware Scanner for WordPress

Last Revised: October 2, 2021

One of the biggest concerns of WordPress users is suffering an attack that goes unnoticed, most often through a theme or plugin that contains a vulnerability or that was downloaded from an untrustworthy site.

Although there are plugins that do this, they are themselves one more attack surface and potential security problem, so we will use an external tool to help us analyze whether there are files in the installation that should not be there.

AMWScan (PHP Antimalware Scanner) is a tool written in PHP that analyzes PHP code, so it is a perfect fit for analyzing WordPress. In addition, when it detects a WordPress installation it performs some extra tasks, such as verifying the checksums of plugins and themes against the official repository.

This tutorial has been created on a Clouding.io VPS. You can create your own VPS from 3€/month.

In addition, you have the possibility to create your VPS with the WordPress image in one click.


Requirements

  • WordPress

Installation and configuration

To make it easier to use, we will install and configure PHP Antimalware Scanner so that it can be run as a command from anywhere on the system.

First we download the main file.

wget https://raw.githubusercontent.com/marcocesarato/PHP-Antimalware-Scanner/master/dist/scanner --no-check-certificate -O /usr/bin/awscan.phar

We will create the executable wrapper script

vim /usr/bin/awscan

and we will include the following content

#!/bin/bash
# Run the scanner PHAR with PHP, passing every argument through unchanged
php /usr/bin/awscan.phar "$@"

Once we have the file, we will give it permissions and configure it for future execution.

chmod u+x,g+x /usr/bin/awscan.phar
chmod u+x,g+x /usr/bin/awscan
export PATH="$PATH:/usr/bin"

Analysis

Right now we can launch it to test that it works. We will do a complete analysis, although it accepts some options:

  • -e: only looks for exploits
  • -l: lighter (reduced) analysis

In any case, the recommendation is to first run an analysis without parameters, so that everything is reviewed. We can run it from the folder that contains the WordPress installation, or pass the path as an argument.

awscan /webs/example.com/

In the case of a WordPress installation, this will return something like this:

         █████╗ ███╗   ███╗██╗    ██╗███████╗ ██████╗ █████╗ ███╗   ██╗
        ██╔══██╗████╗ ████║██║    ██║██╔════╝██╔════╝██╔══██╗████╗  ██║
        ███████║██╔████╔██║██║ █╗ ██║███████╗██║     ███████║██╔██╗ ██║
        ██╔══██║██║╚██╔╝██║██║███╗██║╚════██║██║     ██╔══██║██║╚██╗██║
        ██║  ██║██║ ╚═╝ ██║╚███╔███╔╝███████║╚██████╗██║  ██║██║ ╚████║
        ╚═╝  ╚═╝╚═╝     ╚═╝ ╚══╝╚══╝ ╚══════╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═══╝
        Github: https://github.com/marcocesarato/PHP-Antimalware-Scanner

                               version 0.7.5.177

                            PHP Antimalware Scanner
                           Created by Marco Cesarato

Start scanning...
Scan date: 07-01-2021 09:22:35
Scanning /webs/example.com

Mapping and retrieving checksums, please wait...

Found WordPress 5.6 (en_US) at "/webs/example.com"
Found WordPress Plugin Akismet Anti-Spam 4.1.8
Found WordPress Plugin Gutenberg 9.7.0
Found WordPress Plugin Health Check & Troubleshooting 1.4.5
Found WordPress Plugin Jetpack by WordPress.com 9.2.1
Found WordPress Plugin Two Factor 0.7.0
Found WordPress Plugin Wordfence Security 7.4.14
Retrieving checksums of WordPress Plugin Health Check & Troubleshooting 1.4.5
Retrieving checksums of WordPress Plugin Jetpack by WordPress.com 9.2.1
Retrieving checksums of WordPress Plugin Two Factor 0.7.0
Retrieving checksums of WordPress Plugin Wordfence Security 7.4.14

Verifying files checksum...

[===============================] 100%  2385/2385 [10 sec/0 sec]

Found 51 files to check

Checking files...

[=============================> ] 98%  50/51 [11 sec/0 sec]]

Scan finished!

                                    SUMMARY

Files scanned: 51
Files edited: 0
Files quarantined: 0
Files whitelisted: 0
Files ignored: 0

Malware detected: 0
Malware removed: 0

Finding malicious content

If malicious content is found, the analysis returns some extra data: first it indicates which file has the problem, then a preview of its content, and then which functions or lines could be the cause.

This is followed by a series of options for what we want to do:

[1] Delete file
[2] Move to quarantine
[3] Dry run evil code fixer
[4] Dry run evil line code fixer
[5] Open with vim
[6] Open with nano
[7] Add to whitelist
[8] Show source
[-] Ignore

The tool has some built-in possibilities to correct the problem, but in this case it is best to analyze the file and understand what is being flagged, and whether it is really a problem or not.

An example of the result for a possible backdoor is this:

         █████╗ ███╗   ███╗██╗    ██╗███████╗ ██████╗ █████╗ ███╗   ██╗
        ██╔══██╗████╗ ████║██║    ██║██╔════╝██╔════╝██╔══██╗████╗  ██║
        ███████║██╔████╔██║██║ █╗ ██║███████╗██║     ███████║██╔██╗ ██║
        ██╔══██║██║╚██╔╝██║██║███╗██║╚════██║██║     ██╔══██║██║╚██╗██║
        ██║  ██║██║ ╚═╝ ██║╚███╔███╔╝███████║╚██████╗██║  ██║██║ ╚████║
        ╚═╝  ╚═╝╚═╝     ╚═╝ ╚══╝╚══╝ ╚══════╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═══╝
        Github: https://github.com/marcocesarato/PHP-Antimalware-Scanner

                               version 0.7.5.177

                            PHP Antimalware Scanner
                           Created by Marco Cesarato

Start scanning...
Scan date: 07-01-2021 09:27:57
Scanning /PHP-Malware-Collection/shell/php-backdoor.php

Mapping and retrieving checksums, please wait...

Found 1 files to check

Checking files...

[>                              ] 0%  0/1 [0 sec/0 sec]

PROBABLE MALWARE FOUND!
/PHP-Malware-Collection/shell/php-backdoor.php

=================================== PREVIEW ====================================

  27 | if(isset($_REQUEST['c'])){
  28 |  echo "<pre>";
  29 |  system($_REQUEST['c']);
  30 |  die;
  31 | }

================================================================================

Checksum: 2b5cb105c4ea9b5ebc64705b4bd86bf7
File path: /PHP-Malware-Collection/shell/php-backdoor.php

Evil code found:
[!] Exploit `execution` [line 29]
    - RCE (Remote Code Execution) allow remote attackers to execute PHP code on the target machine via HTTP
      => system($_REQUEST['c'])
[!] Function `system` [line 28]
    - Encoded Function `system`
      => ";
        system($_REQUEST['c'])
[!] Sign `100` [line 29]
    - Definition sign `100`
      => system($_REQUEST[
[!] Sign `110` [line 28]
    - Definition sign `110`
      => echo "<pre>";
        system($_REQUEST['c']);
        die;

OPTIONS:

    [1] Delete file
    [2] Move to quarantine
    [3] Dry run evil code fixer
    [4] Dry run evil line code fixer
    [5] Open with vim
    [6] Open with nano
    [7] Add to whitelist
    [8] Show source
    [-] Ignore


amwscan > What is your choice?  -

File '/PHP-Malware-Collection/shell/php-backdoor.php' skipped!

Scan finished!

                                    SUMMARY

Files scanned: 1
Files edited: 0
Files quarantined: 0
Files whitelisted: 0
Files ignored: 1

Malware detected: 1
Malware removed: 0

Files ignored:
/PHP-Malware-Collection/shell/php-backdoor.php
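When the scan is run unattended (for example from cron, with its output saved to a file), it is useful to turn the report shown in the Analysis and Finding malicious content sections into something a script can act on. The following parser is an added example, not part of AMWScan or of this tutorial; it assumes the report format printed by version 0.7.5.177 above (the "PROBABLE MALWARE FOUND!" banner followed by the path, a "Checksum:" line, and the counters in the SUMMARY), and the sample report, path and checksum are constructed placeholders.

```python
import re

# Constructed sample in the report format shown above (abridged), not output
# captured from a real host; the path and checksum are placeholders.
SAMPLE_REPORT = """\
Scanning /var/www/example

PROBABLE MALWARE FOUND!
/var/www/example/wp-content/uploads/cache.php

Checksum: 00000000000000000000000000000000

Scan finished!

                                    SUMMARY

Files scanned: 51
Files quarantined: 0
Files ignored: 1

Malware detected: 1
Malware removed: 0

Files ignored:
/var/www/example/wp-content/uploads/cache.php
"""

# Counter lines look like "Malware detected: 1"; the trailing digits keep the
# "Files ignored:" list heading at the end of the report from matching.
_COUNTER = re.compile(r"^(Files \w+|Malware \w+): (\d+)$")

def parse_report(text: str) -> dict:
    """Return {"counters": {...}, "findings": [{"path", "checksum"}, ...]}."""
    counters, findings, current = {}, [], None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s == "PROBABLE MALWARE FOUND!" and i + 1 < len(lines):
            # The flagged path is printed on the line right after the banner
            current = {"path": lines[i + 1].strip(), "checksum": None}
            findings.append(current)
        elif s.startswith("Checksum:") and current is not None:
            current["checksum"] = s.split(":", 1)[1].strip()
        elif (m := _COUNTER.match(s)):
            counters[m.group(1)] = int(m.group(2))
    return {"counters": counters, "findings": findings}

def is_clean(report: dict) -> bool:
    # Only trust a report that reached the SUMMARY: a scan that was killed
    # half-way (no counters) must not be mistaken for a clean result.
    return report["counters"].get("Malware detected") == 0
```

A cron job can feed the saved output of `awscan /webs/example.com/` to `parse_report` and send an alert whenever `is_clean` returns False, listing the flagged paths and their checksums for review.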

About this document

This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. If you use this content on your website, in your presentation or in any material you distribute, please remember to mention this site or its author, and to put the material you create under the EUPL license.