Skip to content

JayHackPro/JayShield

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

JayShield by JayHackPro, find and remove web malware

A fast, dependency-free malware scanner and remover for websites and servers.
Point it at a folder, see exactly what is infected, then quarantine the threats safely.

npm License Node Dependencies CI

Website · npm · by JayHackPro


Why JayShield

When a website is hacked, the attacker usually leaves something behind: a PHP webshell in the uploads folder, an obfuscated backdoor tacked onto a real file, an invisible iframe on the homepage, or a cryptocurrency miner buried in a script. Finding these by hand across thousands of files is slow and easy to get wrong.

JayShield does it in seconds. It reads every file, matches it against a library of malware techniques, checks its exact fingerprint against known bad files, and looks for the telltale shapes of packed and hidden code. Then it shows you a clear, ranked report and offers to move the threats into a local vault so your site stops serving them right away.

It is one small tool with no dependencies, so you can trust it, read it, and run it anywhere Node is installed.

Quick start

No install required, run it straight from npm:

npx @jayhackpro/jayshield ./public_html

Prove it works on your machine first, using the harmless, industry-standard test file:

npx @jayhackpro/jayshield --selftest

Or install it once and call it by name:

npm install -g @jayhackpro/jayshield
jayshield ./public_html

The examples below write jayshield for short, meaning however you choose to run it.

What a scan looks like

A report ranked by severity, with the exact line and a plain-language reason for every finding:

A JayShield scan in a terminal: the JayHackPro banner, a CRITICAL obfuscated eval finding and a HIGH hidden-iframe finding, a severity summary, and a safe-removal hint

What it catches

  • Webshells: c99, r57, WSO, b374k, FilesMan, and the generic remote file managers and command runners built on the same patterns.
  • Backdoors: eval of request input, variable functions driven by $_GET and $_POST, the preg_replace /e trick, remote payloads that are fetched and run, hardcoded password gates, and reverse shells.
  • Obfuscation: decode then run payloads, character code and hex string tricks, packed one-liners, and large encoded blobs paired with a decoder.
  • Injected front-end malware: hidden or zero-size iframes, document.write of unescaped markup, eval(atob(...)), and redirects to decoded URLs.
  • Cryptocurrency miners: CoinHive and the browser mining scripts that spend your visitors' devices.
  • Skimmers and spam: session cookie exfiltration and blocks of hidden SEO or pharma spam links.
  • Disguised files: PHP hidden inside something that claims to be an image, double extensions like invoice.pdf.php, and executable scripts sitting in an uploads folder where only static files belong.
  • Known bad files: exact matches against a hash set you can extend, plus the EICAR antivirus test file.

Remove threats safely

JayShield never deletes your files. When you are ready to clean up, quarantine moves each flagged file into a local vault and records where it came from, so your live site stops serving it at once while every byte is kept.

# preview what would move, changing nothing
jayshield ./public_html --quarantine --dry-run

# move every threat into the vault
jayshield ./public_html --quarantine

# see what is in the vault
jayshield --list

# put a file back if a detection was wrong
jayshield --restore <id>

# put everything back
jayshield --restore

If you have confirmed the files are malicious and want the disk space back, and only then, you can permanently delete the vault:

jayshield --purge --yes

Command reference

jayshield [paths...] [options]
Option What it does
--quarantine Move every threat into the local vault
--restore [id] Put quarantined files back, one or all
--list Show what is in the vault
--purge --yes Permanently delete the vault (last resort)
--min-severity <level> critical, high, medium, or low
--ignore-rule <id,...> Silence one or more rules by id
--hashes <file> Add known bad sha256 hashes, one per line
--max-size <MB> Skip files larger than this (default 5)
--vault <dir> Quarantine folder (default .jayshield-quarantine)
--follow-symlinks Follow symbolic links (off by default)
--dry-run Show actions without changing anything
--json Machine-readable output for pipelines
--no-color Plain text
--no-banner Hide the startup banner
--banner Print the JayHackPro banner and exit
-v, --verbose Include rule ids and references
--selftest Detect the EICAR test file end to end
-V, --version Print the version
-h, --help Show help

Exit codes: 0 clean, 1 threats found, 2 error. That makes JayShield easy to drop into a CI pipeline or a cron job.

Use it in a pipeline

# fail the build if anything high or worse is found
jayshield ./release --min-severity high || exit 1

# save a JSON report
jayshield ./public_html --json > jayshield-report.json

Use it from code

Install it, then import the pieces you need:

npm install @jayhackpro/jayshield
import { scan, quarantineFiles } from "@jayhackpro/jayshield";

const result = await scan(["./public_html"]);
console.log(`${result.infected.length} infected of ${result.stats.scanned} scanned`);

if (result.infected.length) {
  await quarantineFiles(result.infected, { vaultDir: ".vault" });
}

Extend it

Add your own known bad hashes. Keep a text file with one sha256 per line, an optional label after it, and pass it with --hashes:

# my-threats.txt
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  seen on client site

Silence a noisy rule. If a rule flags something you know is safe, pass its id:

jayshield . --ignore-rule js.packer,spam.pharma

Write new rules. Signatures live in src/rules.js as small, readable objects. Each one has an id, a severity, the file kinds it applies to, and a pattern. Add one, add a test in test/rules.test.mjs, and send a pull request.

What it is, and what it is not

JayShield is a fast first responder for web malware. It is excellent at finding the webshells, backdoors, injections, and known bad files that make up the large majority of website compromises, and at removing them without data loss.

It is not a full endpoint protection suite and does not run in the kernel or watch memory in real time. On a busy production server it works best alongside a host scanner and a web application firewall, as the fast, readable, scriptable layer you can run on demand and in your pipelines. Signatures find known techniques, so pair a scan with good backups and prompt updates.

Development

npm test        # run the full suite on Node's built in test runner
npm run selftest

Zero runtime dependencies, by design. A security tool should be small enough to read.

About JayHackPro

JayShield is built and maintained by JayHackPro® Inc., a software development company focused on cybersecurity, based in Los Angeles, California.

Let's make the world a better place.

Designed by Jayden Yoon ZK.

License

MIT. Use it freely in your own projects and on your own servers, and keep the notice. The brand stays behind the code.

About

Find and remove web malware, webshells, and backdoors. A fast, dependency-free malware scanner and quarantine tool by JayHackPro.

Topics

Resources

License

Contributing

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors