Malware scanner, file-integrity monitor, and request firewall for any PHP application — Laravel, Symfony, CodeIgniter, plain PHP, or a custom CMS. One file, no database, no Composer dependencies.
Shares the detection engine of the WordPress edition and reports to the same monitor server.
- Version: 1.1.0
- Requires: PHP 8.0+
- License: GPLv2 or later (or a commercial license for closed-source / white-label use)
| Capability | How |
|---|---|
| Malware scan | 45+ framework-agnostic signatures (eval/base64 chains, webshells, droppers, LFI/RFI, reflection & callback evasion, raw-socket egress, cryptominers, blockchain C2). PHP-tokenizer preprocessor defeats comment-injection obfuscation. |
| File integrity | SHA-256 baseline of every PHP file; verify reports added / modified / removed files since baseline. |
| Request firewall | Optional auto_prepend_file mode inspects every request for RCE, LFI/traversal, SQLi, and XSS — blocks critical/high, logs the rest. |
| Dashboard | Token-protected read-only HTML status page. |
| Monitoring | Reports scan + integrity status to the HypeX monitor server over HMAC. |
Drop malware-sentry.php anywhere in (or above) your app, then run it from the CLI:
php malware-sentry.php scan # recursive malware scan
php malware-sentry.php baseline # record an integrity baseline
php malware-sentry.php verify # detect changed files since baseline
php malware-sentry.php status # show last scan summary
php malware-sentry.php report # send results to the monitor server
php malware-sentry.php version-check # anonymous update check (see TELEMETRY.md)Exit codes are CI-friendly: scan and verify exit 1 when threats/changes
are found, 0 when clean.
# Daily scan + report at 03:00
0 3 * * * cd /var/www/app && MS_SECRET=... MS_MONITOR_URL=... php malware-sentry.php scan && php malware-sentry.php reportAdd to php.ini or a .user.ini in your web root:
auto_prepend_file = /var/www/app/malware-sentry.phpThe agent auto-detects a web request and runs only the fast firewall path — never the scanner — on normal page loads. Control returns to your app immediately after inspection.
export MS_DASH_TOKEN="a-long-random-string"Then visit https://yoursite.com/malware-sentry.php?ms_dashboard=a-long-random-string.
| Variable | Purpose | Default |
|---|---|---|
MS_ROOT |
Directory to scan / protect | the agent file's directory |
MS_SECRET |
64+ char HMAC key for monitor reporting | — |
MS_MONITOR_URL |
Monitor server base URL | — |
MS_DASH_TOKEN |
Token for the web dashboard | dashboard disabled |
MS_WAF |
0 to disable the firewall |
1 (enabled) |
State (baseline, results, firewall log) is stored as JSON in a .malware-sentry/
directory next to the app, protected with its own .htaccess deny rule.
- The agent never modifies your application files. Scan and integrity checks
are strictly read-only; only its own
.malware-sentry/state dir is written. - Pattern strings are split with concatenation so the file does not trip hosting-level scanners against itself, and it excludes itself from scans.
- The firewall blocks only
critical/highmatches by default; XSS (medium) is logged but allowed through to avoid breaking rich-text form submissions.
Malware Sentry is dual-licensed:
- GPL-2.0-or-later (default, free) — use, modify, and redistribute, as long as your derivative stays open source under the GPL and keeps attribution intact.
- Commercial license — for customising, white-labelling, reselling, or bundling it into a closed-source or paid product without GPL obligations.
Using AI to customise the agent is welcome — but if the result is a closed-source
or commercial product, it falls under the commercial license. See
LICENSE-COMMERCIAL.md or contact
HypeX Digital.
The agent runs an anonymous version check (at most once per 24h during a
scan) so we can understand adoption and flag security updates. It sends a
non-reversible install ID + edition + version only — never your domain, files,
findings, or any personal data. Disable it any time with MS_NO_TELEMETRY=1.
Full details in TELEMETRY.md.
Built by HypeX Digital.