The PHP script reads two text files – ‘malicious.txt and ‘urls.txt’ : the first containing a list of web pages to be scanned and the other containing malicious script signatures. The script scans the urls for malicious scripts and if any infections are found it saves the result in the ‘infected.txt’ file. The script needs to be run from the command line as you can easily see the progress of the scan if you are scanning a large number of urls.

D:\localhost\test\scan>php url_scan.php

A sample output of a scan is show below:

 
D:\localhost\test\scan>php url_scan.php
 
Checking 3 sites for malicious scripts.
3 malicious signatures in file.
---------------------------------------------------------
 
Now scanning :http://www.amazon.com/
[OK]
---------------------------------------------------------
 
Now scanning :http://www.google.com/
[OK]
---------------------------------------------------------
 
Now scanning :http://www.example.com/admin.php
[OK]
---------------------------------------------------------
 
Total 0 sites infected of 3

Note that the script only scans the url path given and not the complete web site. So if given a url like ‘http://www.example.com’ it will only scan the index file of the site. It may happen that the index file may not be infected but some other file in a sub-directory is, in that case the malicious code will not be found. But a larger percentage of malicious script injections are usually inflicted on the index page.

Setting a cron for automatic scanning

The best way to regularly check for any infections is to setup the script as a cron job. This can help you in checking malicious script on a regular interval, the cron job can then send the ‘infected.txt’ file via a email if any infections are found.

Updating your malicious.txt file

You cannot fight new code injections if your ‘malicious.txt’ file is not updated. So if you find some new malicious Javascript code, then it is essential that you include a new signature in the file. Well I know I’m putting the cart before the horse but you can find various new information about infections at malware.com.br or malwaredomainlist.

Other ways to check malicious code injections

One main problem with the script is that if some new infection occurs and the signature is not in the ‘malicious.txt’ database then that particular infection will be missed. One other solution is to check the filesize of the particular url you are checking. The filesize needs to be added to the ‘urls.txt’ file, so the script can check to see if the filesize of the url scanned is the same as the one given. But for that we will need to use the ftp functions of php but we will leave that to another post.