Skip to content

hypexdigital/malware-sentry-php

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Malware Sentry — Universal PHP Agent

Malware scanner, file-integrity monitor, and request firewall for any PHP application — Laravel, Symfony, CodeIgniter, plain PHP, or a custom CMS. One file, no database, no Composer dependencies.

Shares the detection engine of the WordPress edition and reports to the same monitor server.

  • Version: 1.1.0
  • Requires: PHP 8.0+
  • License: GPLv2 or later (or a commercial license for closed-source / white-label use)

What it does

Capability How
Malware scan 45+ framework-agnostic signatures (eval/base64 chains, webshells, droppers, LFI/RFI, reflection & callback evasion, raw-socket egress, cryptominers, blockchain C2). PHP-tokenizer preprocessor defeats comment-injection obfuscation.
File integrity SHA-256 baseline of every PHP file; verify reports added / modified / removed files since baseline.
Request firewall Optional auto_prepend_file mode inspects every request for RCE, LFI/traversal, SQLi, and XSS — blocks critical/high, logs the rest.
Dashboard Token-protected read-only HTML status page.
Monitoring Reports scan + integrity status to the HypeX monitor server over HMAC.

Install

Drop malware-sentry.php anywhere in (or above) your app, then run it from the CLI:

php malware-sentry.php scan           # recursive malware scan
php malware-sentry.php baseline       # record an integrity baseline
php malware-sentry.php verify         # detect changed files since baseline
php malware-sentry.php status         # show last scan summary
php malware-sentry.php report         # send results to the monitor server
php malware-sentry.php version-check  # anonymous update check (see TELEMETRY.md)

Exit codes are CI-friendly: scan and verify exit 1 when threats/changes are found, 0 when clean.

Schedule it (cron)

# Daily scan + report at 03:00
0 3 * * *  cd /var/www/app && MS_SECRET=... MS_MONITOR_URL=... php malware-sentry.php scan && php malware-sentry.php report

Enable the firewall (optional)

Add to php.ini or a .user.ini in your web root:

auto_prepend_file = /var/www/app/malware-sentry.php

The agent auto-detects a web request and runs only the fast firewall path — never the scanner — on normal page loads. Control returns to your app immediately after inspection.

View the dashboard (optional)

export MS_DASH_TOKEN="a-long-random-string"

Then visit https://yoursite.com/malware-sentry.php?ms_dashboard=a-long-random-string.


Configuration (environment variables, all optional)

Variable Purpose Default
MS_ROOT Directory to scan / protect the agent file's directory
MS_SECRET 64+ char HMAC key for monitor reporting
MS_MONITOR_URL Monitor server base URL
MS_DASH_TOKEN Token for the web dashboard dashboard disabled
MS_WAF 0 to disable the firewall 1 (enabled)

State (baseline, results, firewall log) is stored as JSON in a .malware-sentry/ directory next to the app, protected with its own .htaccess deny rule.


Security notes

  • The agent never modifies your application files. Scan and integrity checks are strictly read-only; only its own .malware-sentry/ state dir is written.
  • Pattern strings are split with concatenation so the file does not trip hosting-level scanners against itself, and it excludes itself from scans.
  • The firewall blocks only critical/high matches by default; XSS (medium) is logged but allowed through to avoid breaking rich-text form submissions.

License & commercial use

Malware Sentry is dual-licensed:

  • GPL-2.0-or-later (default, free) — use, modify, and redistribute, as long as your derivative stays open source under the GPL and keeps attribution intact.
  • Commercial license — for customising, white-labelling, reselling, or bundling it into a closed-source or paid product without GPL obligations.

Using AI to customise the agent is welcome — but if the result is a closed-source or commercial product, it falls under the commercial license. See LICENSE-COMMERCIAL.md or contact HypeX Digital.

Telemetry & privacy

The agent runs an anonymous version check (at most once per 24h during a scan) so we can understand adoption and flag security updates. It sends a non-reversible install ID + edition + version only — never your domain, files, findings, or any personal data. Disable it any time with MS_NO_TELEMETRY=1. Full details in TELEMETRY.md.


Built by HypeX Digital.

About

Universal PHP malware scanner, file-integrity monitor & request firewall (Laravel, Symfony, plain PHP). By HypeX Digital.

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages