shell-detector looks like the malware it says it's scanning about php-shell-detector HOT 12 OPEN

i mean, do i read this properly? isn't this running eval on the malicious code it just detected?

https://github.com/emposha/PHP-Shell-Detector/blob/master/shelldetect.php#L470

wtf?

from php-shell-detector.

And why is everything detected as Positive, its a 1405674947 (all files are clean on testserver)?
Even the language files are detected as shell.

from php-shell-detector.

@anarcat, @DanielRuf

1. first of all remote db is used only when you set proper flag, otherwise you can use local version.
2. the eval is running on replaced version of php code, and this try to encode decoded version. You probably miss the preg_replace part...

from php-shell-detector.

@DanielRuf about (Positive, its a 1405674947) probably some false positive, can you provide more info about thins

from php-shell-detector.

I just run PHP Shell Detector on a normal WordPress website with full rights and got this positive detection on all files.

from php-shell-detector.

But this does not describe why the db file is a huge base64 encoded string (which adds ~30% overhead).

from php-shell-detector.

I might be wrong but isn't the database file world-writable after an update? So possibly a privilege escalation to the user running shell-detector would be possible.

from php-shell-detector.

hi i got the error
Error: file_get_contents(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0 line: 243
Error: file_get_contents(https://raw.github.com/emposha/PHP-Shell-Detector/master/version/app): failed to open stream: no suitable wrapper could be found line: 243
Cant connect to server! Application version check failed!
Error: file_get_contents(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0 line: 251
Error: file_get_contents(https://raw.github.com/emposha/PHP-Shell-Detector/master/version/db): failed to open stream: no suitable wrapper could be found line: 251
Cant connect to server! Version check failed!

can someone tell me how do i solve this error ?

from php-shell-detector.

Please check your php.ini and ask your hosting provider @RameshMaharjan

from php-shell-detector.

I know have problem with Backdoor:PHP/CryptInject.YA but not detected by scanner

from php-shell-detector.

Hi @6a6ak,

I know have problem with Backdoor:PHP/CryptInject.YA but not detected by scanner

This project looks for files with specific file hashes. Backdoor:PHP/CryptInject.YA might not be part of the file hashes by default.

Did you manually create the file hashes for the scanner?

from php-shell-detector.

See https://github.com/emposha/PHP-Shell-Detector/blob/master/shelldetect.db for the database file.

A file hash based approach is not very reliable as the smallest change will result in a completely different file hash.

from php-shell-detector.