Real-time malware detection plugin for aaPanel with 55+ signatures, YARA rules, entropy analysis, WordPress core verification, and auto-quarantine.
aaPanel security plugin — Protect your websites from webshells, backdoors, and malware with automated scanning and real-time file monitoring.
ShieldScan is a free aaPanel plugin that provides enterprise-level malware scanning for your server.
| Feature | Details |
|---|---|
| Signatures | 55+ regex patterns, YARA rules, hash matching |
| ML Engine | Shannon entropy + statistical/AST heuristics |
| Performance | Aggressive multi-threaded parallel scanning |
| Remediation | Auto-quarantine & Smart Code Cleaning (extraction) |
| Real-time | Inotify watcher with auto-quarantine |
| WordPress | Core checksums, plugin CVEs, DB scan, auto-update |
| Integrity | Baseline diffing for tamper detection |
| Reporting | PDF export, scan history, visual dashboard |
- Download the plugin as a `.zip` file
- Log in to your aaPanel dashboard
- Go to App Store from the left sidebar
- Click Import (top-right corner)
- Upload the `.zip` file
- Click Install — done
All optional — the scanner works standalone with regex signatures:
| Package | Purpose |
|---|---|
| yara-python | YARA rule engine |
| requests | WP API, webhooks |
| reportlab | PDF reports |
| pymysql | WP database scan |
| inotify | Real-time monitoring |
| WP-CLI | Plugin auto-update |
| Category | Count | Covers |
|---|---|---|
| Webshell | 10 | eval injection, known shells (c99, r57, b374k, WSO, Alfa) |
| Backdoor | 5 | RFI/LFI, reverse shell, upload exploits |
| Obfuscation | 8 | base64/hex/chr chains, gzinflate, pack() |
| Malware | 6 | miners, mailers, phishing kits, skimmers, keyloggers |
| WordPress | 20+ | fake plugins, cron backdoors, REST exploits, WooCommerce skimmers |
| Evasion | 4 | string concat, variable variables, reflection API |
| Privilege Escalation | 2 | symlink attacks, sensitive file reads |
| Exfiltration | 2 | DNS exfil, WebSocket theft |
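The signature categories above, shown as an added regex scanner (example code written for this README, not ShieldScan's own engine or rule set): each pattern is tagged with its category, every hit records its line number, and the verdict rule is an assumption of this example. Both samples are constructed and the base64 string is a placeholder, not a payload.

```python
import re
from dataclasses import dataclass

# Illustrative signature table in the plugin's category layout. These patterns are
# constructed for this example; they are not ShieldScan's own rule set.
SIGNATURES = {
    "webshell": [
        ("eval_of_request", r"\beval\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
        ("known_shell_name", r"\b(?:c99shell|r57shell|b374k|WSO|AlfaTeam)\b"),
    ],
    "obfuscation": [
        ("decode_chain", r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
        ("chr_chain", r"(?:chr\(\d+\)\s*\.\s*){4,}"),
        ("pack_hex", r"\bpack\s*\(\s*['\"]H\*['\"]"),
    ],
    "evasion": [
        ("variable_function", r"\$[A-Za-z_]\w*\s*\(\s*\$_(?:GET|POST|REQUEST)\b"),
        ("split_keyword", r"['\"](?:ev|sys|she|pas)['\"]\s*\.\s*['\"](?:al|tem|ll_exec|sthru)['\"]"),
    ],
}

@dataclass
class Hit:
    category: str
    name: str
    line: int
    snippet: str

def scan_source(text: str) -> list:
    """Run every category's patterns over a file's contents, recording the line of each match."""
    hits = []
    for category, rules in SIGNATURES.items():
        for name, pattern in rules:
            for m in re.finditer(pattern, text, re.IGNORECASE):
                hits.append(Hit(category, name, text.count("\n", 0, m.start()) + 1, m.group(0)))
    return hits

def verdict(hits: list) -> str:
    """Any webshell hit, or hits from two or more categories, is treated as malicious."""
    categories = {h.category for h in hits}
    if "webshell" in categories or len(categories) >= 2:
        return "malicious"
    return "suspicious" if hits else "clean"

# Constructed samples: a harmless plugin function and a decode chain with a placeholder payload.
CLEAN_SAMPLE = '<?php\nfunction shield_greeting() {\n    return esc_html(get_option("blogname"));\n}\n'
OBFUSCATED_SAMPLE = (
    '<?php\n// constructed: the base64 string is a placeholder, not executable code\n'
    '$f = "ev" . "al";\neval(gzinflate(base64_decode("UExBQ0VIT0xERVI=")));\n'
)

if __name__ == "__main__":
    for h in scan_source(OBFUSCATED_SAMPLE):
        print(f"line {h.line}: [{h.category}/{h.name}] {h.snippet}")
    print(verdict(scan_source(OBFUSCATED_SAMPLE)), verdict(scan_source(CLEAN_SAMPLE)))
```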
Extracts 10 statistical and AST-like features per file:
- Shannon entropy
- Chi-square distribution
- ASCII ratio
- Non-printable byte ratio
- Longest line length
- Compression ratio
- Keyword density
- Line length variance
- Dynamic function calls (e.g. `$var()`)
- Chained obfuscation routines (e.g. `eval(base64_decode(gzinflate(...)))`)
Classifies as: clean / suspicious / malicious / legitimate_obfuscated
Recognizes legitimate tools: ionCube, SourceGuardian, Zend Guard, phpSHIELD.
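The ten features and the four-way classification described above, as an added example (not the plugin's ml_classifier.py): the thresholds, the keyword list and the encoder marker strings are assumptions of this example, and the three samples are constructed.

```python
import base64, math, re, zlib
from collections import Counter

# Assumed keyword list and encoder markers for this example; not the plugin's own tables.
RISKY_KEYWORDS = {"eval", "assert", "base64_decode", "gzinflate", "str_rot13", "system", "exec", "passthru"}
LEGIT_ENCODER_MARKERS = (b"ionCube Loader", b"SourceGuardian", b"Zend Guard", b"phpSHIELD")

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def extract_features(data: bytes) -> dict:
    """The ten statistical / AST-like features described above, computed on raw file bytes."""
    n = max(len(data), 1)
    text = data.decode("utf-8", errors="replace")
    lens = [len(line) for line in text.splitlines()] or [0]
    mean = sum(lens) / len(lens)
    words = re.findall(r"[A-Za-z_]\w*", text)
    counts = Counter(data)
    return {
        "entropy": shannon_entropy(data),
        # chi-square against a uniform byte distribution: encoded/random content scores low
        "chi_square": sum((counts.get(b, 0) - n / 256) ** 2 / (n / 256) for b in range(256)),
        "ascii_ratio": sum(32 <= b < 127 for b in data) / n,
        "nonprint_ratio": sum(b < 32 and b not in (9, 10, 13) for b in data) / n,
        "longest_line": max(lens),
        "compression_ratio": len(zlib.compress(data)) / n,  # near 1.0 means already compressed/encoded
        "keyword_density": sum(w in RISKY_KEYWORDS for w in words) / max(len(words), 1),
        "line_len_variance": sum((l - mean) ** 2 for l in lens) / len(lens),
        "dynamic_calls": len(re.findall(r"\$\w+\s*\(", text)),  # $var() style calls
        "obfuscation_chains": len(re.findall(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", text)),
    }

def classify(data: bytes) -> str:
    """Score the features with fixed thresholds (assumed here; the plugin's are its own)."""
    if any(marker in data for marker in LEGIT_ENCODER_MARKERS):
        return "legitimate_obfuscated"  # commercial encoders look like malware to entropy alone
    f = extract_features(data)
    score = (2 * bool(f["obfuscation_chains"]) + bool(f["dynamic_calls"]) + (f["entropy"] > 5.5)
             + (f["longest_line"] > 500) + (f["keyword_density"] > 0.05))
    return "malicious" if score >= 3 else "suspicious" if score else "clean"

# Constructed samples: a plain plugin file, an eval/base64 blob, and an encoder-style stub.
CLEAN_PHP = b'<?php\nfunction shield_greeting() {\n    return esc_html(get_option("blogname"));\n}\n'
ENCODED_PHP = b'<?php\neval(base64_decode("' + base64.b64encode(bytes(range(256)) * 3) + b'"));\n'
ENCODER_STUB = b"<?php //0046a\nif(!extension_loaded('ionCube Loader')){die('loader missing');}\n"
if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_PHP), ("encoded", ENCODED_PHP), ("stub", ENCODER_STUB)):
        print(name, classify(sample), round(extract_features(sample)["entropy"], 2))
```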
| Check | Method |
|---|---|
| Core integrity | Verifies files against WordPress.org checksum API |
| Plugin CVEs | Checks versions against vulnerability database |
| Database scan | Advanced REGEX for obfuscated JS/iframes in wp_options, wp_posts, wp_comments |
| Config audit | Debug mode, file editing, table prefix, key strength, permissions |
| Upload dir | PHP files in uploads, images with embedded PHP |
| mu-plugins | Auto-loaded backdoors |
| .htaccess | External redirects, PHP execution in uploads |
| Admin audit | Lists admin users, flags recent creations |
| Auto-update | Updates vulnerable plugins via WP-CLI |
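The core-integrity check from the table above, as an added example (not the plugin's wp_advanced.py): it takes a checksum map in the shape of the WordPress.org checksums API's "checksums" object (relative path to MD5 hex) and runs it against a constructed WordPress-like tree in a temp directory, so no network call is made. The file names and contents in the demo tree are constructed.

```python
import hashlib, json, os, tempfile
from pathlib import Path

def verify_core(wp_root: str, checksums: dict) -> dict:
    """Compare each file in the checksum map with the copy on disk, then flag PHP files in the
    core directories that the map does not know about (a common place for dropped-in backdoors).
    `checksums` has the shape of the API's "checksums" object: {relative path: md5 hex}."""
    root = Path(wp_root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected_md5 in checksums.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif hashlib.md5(path.read_bytes()).hexdigest() != expected_md5:
            report["modified"].append(rel)
    for core_dir in ("wp-admin", "wp-includes"):
        if (root / core_dir).is_dir():
            for path in (root / core_dir).rglob("*.php"):
                rel = path.relative_to(root).as_posix()
                if rel not in checksums:
                    report["unexpected"].append(rel)
    return report

def build_demo_site() -> tuple:
    """Constructed WordPress-like tree in a temp dir: checksums are taken from pristine content,
    then one file is tampered with, one is deleted and one extra file is dropped into wp-includes."""
    tmp = tempfile.mkdtemp(prefix="shieldscan_demo_")
    pristine = {
        "wp-includes/version.php": b"<?php\n$wp_version = '6.4';\n",
        "wp-admin/admin.php": b"<?php\nrequire_once 'admin-header.php';\n",
        "wp-load.php": b"<?php\nrequire_once 'wp-config.php';\n",
    }
    checksums = {rel: hashlib.md5(data).hexdigest() for rel, data in pristine.items()}
    for rel, data in pristine.items():
        Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(tmp, rel).write_bytes(data)
    Path(tmp, "wp-admin/admin.php").write_bytes(b"<?php\n/* constructed tamper */\nrequire_once 'admin-header.php';\n")
    Path(tmp, "wp-includes/class-wp-cache-helper.php").write_bytes(b"<?php\n// constructed: not a core file\n")
    os.remove(Path(tmp, "wp-load.php"))
    return tmp, checksums

if __name__ == "__main__":
    site, sums = build_demo_site()
    print(json.dumps(verify_core(site, sums), indent=2))
```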
- Monitors configured paths via Linux inotify
- Scans new/modified PHP files instantly
- Auto-quarantine mode (optional)
- Webhook alerts: Telegram, Discord, Slack
```
malwarescan/
├── info.json
├── install.sh
├── malwarescan_main.py    # Core engine (60 API methods)
├── ml_classifier.py       # ML entropy classifier
├── realtime_watcher.py    # Inotify file watcher
├── report_generator.py    # PDF report generator
├── wp_advanced.py         # WordPress advanced scanner
├── index.html             # 10-tab UI
└── ico-malwarescan.png    # Plugin icon
```
| Tab | Function |
|---|---|
| Dashboard | Stats, dynamic Chart.js metrics, dark mode toggle |
| Scan | Background scan with live progress |
| Integrity | Baseline creation, change detection |
| Quarantine | Restore or permanently delete isolated files |
| Schedule | Recurring scans (6h / 12h / daily / weekly) |
| Reports | History, PDF export |
| Whitelist | Path exclusions |
| WordPress | Deep scan, checksums, CVEs, DB scan, auto-update |
| Realtime | File watcher, auto-quarantine, webhook config |
| ML Scan | Entropy classification, feature breakdown |
All endpoints: `POST /plugin?action=a&name=malwarescan&s={method}`

- Scanning: `scan_path`, `scan_status`, `scan_file`
- WordPress: `wp_scan`, `wp_verify_checksums`, `wp_check_vulns`, `wp_scan_database`, `wp_auto_update`
- ML: `ml_classify_file`, `ml_classify_path`, `ml_train`
- Realtime: `watcher_start`, `watcher_stop`, `watcher_status`, `watcher_events`, `watcher_config`
- Remediation: `clean_file`, `quarantine_file`, `restore_file`, `delete_quarantined`, `list_quarantine`
- Reports: `generate_pdf_report`, `list_pdf_reports`, `delete_pdf_report`
- Integrity: `integrity_create_baseline`, `integrity_check`
- Schedule: `schedule_add`, `schedule_list`, `schedule_remove`, `schedule_toggle`
Hourly cron checks for due scans (installed automatically):
```
0 * * * * cd /www/server/panel && python3 -c "..." >> logs/cron.log 2>&1
```
Configure via UI or API:

```json
{
  "watch_paths": ["/www/wwwroot/site1.com", "/www/wwwroot/site2.com"],
  "auto_quarantine": true,
  "alert_webhook": "https://hooks.slack.com/services/..."
}
```

Drop `.yar` files into `/www/server/panel/plugin/malwarescan/rules/`
- Runs as root (aaPanel context)
- Quarantine directory: `chmod 700`
- Python modules: `chmod 600`
- Auto-quarantine disabled by default
- Whitelist supports file and directory paths
- No external data transmission without explicit webhook config
MIT