Posted by tetley at 2020-02-26

About

OWASP Web Malware Scanner is a simple malware scanner for web applications. It can be used to identify compromised WordPress, Joomla and other popular web application installations.

Official OWASP Project Page

Requirements

python >= 2.7

Installation

Usage

To scan for compromised installations:

Signature database

OWASP Web Malware Scanner uses a community-driven malware signature database to detect malware. Signatures are found under the signatures/ folder. Each signature must be a text file that contains the following JSON object:

{
  "Database_Name": "Generic malware database",
  "Database_Signatures": [
    {
      "Malware_Name": "Generic PHP Malware",
      "Malware_Signatures": ["function.*for.*strlen.*isset"]
    }
  ]
}

'Database_Signatures' must be an array of objects, each containing the malware name (Malware_Name) and an array of regular expressions for that signature (Malware_Signatures). If the content of a file matches one of these regular expressions, the file is marked as infected.

The signatures for PHP files are in 'signatures/php/'. The signatures for JavaScript files are in 'signatures/js/'.

OWASP Web Malware Scanner also performs MD5 file checksums. MD5 file signatures are in 'signatures/checksum/'. An MD5 signature database must be a text file that contains the following JSON object:

{
  "Database_Name": "Generic malware hash database",
  "Database_Hash": [
    {
      "Malware_Name": "Zip.Trojan.Container",
      "Malware_Hash": "e27122ba785627fca79b4a19c8eea38b"
    }
  ]
}
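
The sketch below is an added example, not the project's own code: it loads databases in the two formats described above, rejects signatures whose regular expressions do not compile, and checks file content against both. The function names, the sample inputs and the choice of `re.search` with default flags (so `.*` does not cross line breaks) are assumptions.

```python
import hashlib
import json
import re

# Constructed sample data; the regex database is the page's own example.
REGEX_DB = json.loads("""{"Database_Name": "Generic malware database",
 "Database_Signatures": [{"Malware_Name": "Generic PHP Malware",
   "Malware_Signatures": ["function.*for.*strlen.*isset"]}]}""")
SAMPLE_BAD = b"<?php function x($a){for($i=0;$i<strlen($a);$i++){isset($a[$i]);}} ?>"
SAMPLE_CLEAN = b"<?php echo 'hello'; ?>"
SAMPLE_BLOB = b"constructed sample payload"
HASH_DB = {"Database_Name": "Constructed hash database",
           "Database_Hash": [{"Malware_Name": "Constructed.Sample",
                              "Malware_Hash": hashlib.md5(SAMPLE_BLOB).hexdigest()}]}


def compile_signatures(db):
    """Validate a regex database; return [(malware_name, compiled_pattern)]."""
    compiled = []
    for entry in db["Database_Signatures"]:
        name = entry["Malware_Name"]
        for pattern in entry["Malware_Signatures"]:
            try:
                # Match on raw bytes so files in any encoding can be scanned.
                compiled.append((name, re.compile(pattern.encode("utf-8"))))
            except re.error as exc:
                # One malformed community signature should fail at load time,
                # not silently disable detection during a scan.
                raise ValueError("bad signature for %s: %s" % (name, exc))
    return compiled


def scan_bytes(data, signatures, hash_db):
    """Return the sorted malware names whose hash or regex matches data."""
    hits = set()
    digest = hashlib.md5(data).hexdigest()
    for entry in hash_db["Database_Hash"]:
        if entry["Malware_Hash"].lower() == digest:
            hits.add(entry["Malware_Name"])
    for name, pattern in signatures:
        if pattern.search(data):
            hits.add(name)
    return sorted(hits)
```

A checksum entry only matches a byte-identical file, so a single changed byte evades it; the regular-expression signatures are what catch modified variants.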