Mighty Backdoor Analysis Engine
"Inspired by Erlik Khan, the powerful deity of Turkish mythology"
Features • Installation • Usage • False Positive Prevention • Roadmap • Contributing
🌐 Website • 🐦 Twitter • 💻 GitHub
ERKLIG is a powerful, open-source security tool written in Go, designed to detect hidden backdoors, web shells, and malicious code snippets in web servers. Built for security professionals, system administrators, and developers who need to quickly scan and analyze potentially compromised web applications.
Complete rewrite in Go! ERKLIG now features parallel scanning, entropy-based detection, and professional HTML reports. The original Bash version is preserved as
erklig-lite.shfor lightweight deployments.
Erklig (Erklik): Means "mighty" and "powerful" in Turkish mythology. Derived from Erlik Khan, the ruler of the underworld in Turkic mythology. Just as Erlik Khan governs the dark realm, ERKLIG uncovers threats hiding in the dark corners of your servers.
| Phase | Type | Description |
|---|---|---|
| Phase 1 | Signature-Based | Scans for 30+ known malware patterns and dangerous functions |
| Phase 2 | Anomaly Detection | Identifies suspicious double extensions (.jpg.php, .txt.php) |
| Phase 3 | Permission Analysis | Flags files with dangerous permissions (777, 666) |
| Phase 4 | Entropy Analysis | Detects obfuscated/encrypted code |
- Parallel Scanning: Multi-threaded with configurable concurrency
- 10x Faster: Compared to Bash version on large codebases
- Cross-Platform: Linux, macOS, Windows support
- Single Binary: No dependencies, just download and run
Command Execution : shell_exec, passthru, system(), popen, proc_open, pcntl_exec
Code Evaluation : eval(), assert(), preg_replace with /e modifier
Encoding/Obfuscation : base64_decode, gzinflate, gzuncompress, str_rot13
Known Webshells : FilesMan, WSO, c99shell, r57shell
Network Functions : fsockopen, socket_accept, curl_exec
Filesystem Abuse : symlink, chmod, chown
- Whitelist System: Automatically excludes known safe directories
- CMS-Aware: Pre-configured for WordPress, Joomla, Laravel, and more
- Extension Filtering: Only scans relevant web file types
- Interactive Review: Manual confirmation before flagging threats
- Step-by-step file review with progress indicator
- Syntax-highlighted code viewing (with
batsupport) - One-key threat marking or safe flagging
- File metadata display (size, date, permissions)
- Detailed threat report generation
- Cleanup command suggestions
- Color-coded terminal output
# Download latest release
curl -sSL https://github.com/iamcanturk/erklig/releases/latest/download/erklig-linux-amd64 -o erklig
chmod +x erklig
# Or for macOS (Apple Silicon)
curl -sSL https://github.com/iamcanturk/erklig/releases/latest/download/erklig-darwin-arm64 -o erklig
chmod +x erkligRequirements:
- Go 1.21+ (https://go.dev/dl/)
# Clone the repository
git clone https://github.com/iamcanturk/erklig.git
cd erklig
# Build
go build -o erklig ./cmd/erklig
# Or install globally
go install ./cmd/erkligFor lightweight deployments without Go:
# Download Bash version
curl -sSL https://raw.githubusercontent.com/iamcanturk/erklig/main/erklig-lite.sh -o erklig-lite.sh
chmod +x erklig-lite.sh# Scan a directory
./erklig -t /var/www/html
# Scan with reports
./erklig -t /var/www/html --json --html -o threat_report
# Scan files modified in last 30 days
./erklig -t /var/www/html --days 30
# Non-interactive mode (for scripts/CI)
./erklig -t /var/www/html --no-interact| Flag | Description |
|---|---|
-t, --target |
Target directory to scan |
-o, --output |
Output file name (without extension) |
--json |
Generate JSON report |
--html |
Generate HTML report |
--days |
Only scan files modified within N days |
--no-interact |
Non-interactive mode |
-v, --version |
Show version |
-h, --help |
Show help |
ERKLIG includes a built-in web dashboard for visual scan management:
# Start dashboard on default port (8080)
./erklig serve
# Start on custom port
./erklig serve --port 3000Dashboard Features:
- 📊 Real-time scan statistics
- 🔍 Start and monitor scans visually
- 📋 Interactive threat reports
- 🔄 WebSocket-based live updates
- 🌙 Dark theme interface
REST API Endpoints:
| Method | Endpoint | Description |
|---|---|---|
POST |
/api/scan |
Start new scan |
GET |
/api/scans |
List all scans |
GET |
/api/scan/:id |
Get scan status |
GET |
/api/report/:id |
Get scan report |
DELETE |
/api/scan/:id |
Delete scan |
GET |
/api/info |
System info |
Example API Usage:
# Start a scan
curl -X POST http://localhost:8080/api/scan \
-H "Content-Type: application/json" \
-d '{"target":"/var/www/html","days":30}'
# Get scan results
curl http://localhost:8080/api/scans| Key | Action | Description |
|---|---|---|
T |
Threat | Mark file as malicious, add to report |
S |
Safe | Mark file as safe, skip to next |
V |
View | Open full source code in viewer |
Q |
Quit | Exit analysis immediately |
███████╗██████╗ ██╗ ██╗██╗ ██╗ ██████╗
██╔════╝██╔══██╗██║ ██╔╝██║ ██║██╔════╝
█████╗ ██████╔╝█████╔╝ ██║ ██║██║ ███╗
██╔══╝ ██╔══██╗██╔═██╗ ██║ ██║██║ ██║
███████╗██║ ██║██║ ██╗███████╗██║╚██████╔╝
╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═════╝
⚔️ ERKLIG BACKDOOR ANALYSIS SYSTEM ⚔️
v1.3.0 - Mighty Engine
by Can TURK | https://iamcanturk.dev
[PHASE 1/3] Running signature-based code analysis...
[PHASE 2/3] Scanning for file extension anomalies...
[PHASE 3/3] Checking for permission anomalies...
╔══════════════════════════════════════════════════════════════╗
║ ⚠ ALERT: 5 potential threat(s) detected ║
╚══════════════════════════════════════════════════════════════╝
# Generate all report formats
./erklig -t /var/www/html --json --html -o security_scan
# This creates:
# - security_scan.txt (text report)
# - security_scan.json (machine-readable)
# - security_scan.html (professional dark-theme report)# Review the report first!
cat security_scan.txt
# Interactive deletion (confirms each file)
xargs rm -i < security_scan.txt
# Bulk deletion (use with caution!)
xargs rm < security_scan.txtERKLIG implements multiple strategies to minimize false positives:
The following directories are automatically excluded from scanning:
./vendor/ # Composer dependencies
./node_modules/ # Node.js packages
./.git/ # Git repository data
./wp-includes/ # WordPress core
./wp-admin/ # WordPress admin
./libraries/ # Common framework libraries
./core/ # Framework core files
./framework/ # Framework files
Only web-relevant files are scanned:
- PHP:
.php,.phtml,.php3,.php4,.php5,.php7,.inc - ASP:
.asp,.aspx - Scripts:
.js,.py,.pl,.cgi
Every detected file requires manual confirmation:
- View the actual code before marking as threat
- Context-aware snippets showing matched patterns
- File metadata for informed decisions
Add your own directories to the whitelist in erklig.sh:
WHITELIST_DIRS=(
"./vendor/"
"./node_modules/"
# Add your custom directories here
"./my-safe-directory/"
)- CMS auto-detection with pre-built whitelists
- Entropy-based analysis for obfuscated code
- Machine learning-based threat scoring
- Community-maintained signature database
See ROADMAP.md for detailed development plans.
- Performance optimization with extension filtering
- Whitelist system for known safe directories
- Date-based filtering (scan recent files only)
- Enhanced output format with detection reasons
- High entropy detection (obfuscated code)
- Short/meaningless variable detection
- Permission anomaly checks
- Single-line malware detection
- Syntax highlighting integration
- Progress indicator
- HTML/JSON report generation
- Professional dark-theme reports
- YAML configuration file
- REST API server mode
- CI/CD integration (GitHub Actions, GitLab CI)
- Real-time file monitoring
ERKLIG is 100% open source and community-driven!
We welcome contributions of all kinds:
- 🐛 Bug reports and fixes
- 💡 New feature ideas
- 🔍 New malware signatures
- 📝 Documentation improvements
- 🌍 Translations
- Fork the repository
- Create a feature branch (
git checkout -b feature/AmazingFeature) - Commit your changes (
git commit -m 'Add AmazingFeature') - Push to the branch (
git push origin feature/AmazingFeature) - Open a Pull Request
See CONTRIBUTING.md for detailed guidelines.
This tool is designed for educational purposes and authorized security testing only.
Use ERKLIG only on:
- ✅ Your own servers
- ✅ Systems you have written permission to test
- ✅ Legal penetration testing engagements
Unauthorized access to computer systems is illegal.
This project is licensed under the MIT License - see the LICENSE file for details.
Can TÜRK
Security Researcher & Developer
🌐 iamcanturk.dev • 🐦 @iamcanturk • 💻 GitHub
If ERKLIG helped you, please consider:
- ⭐ Starring this repository
- 🐦 Sharing on Twitter
- 📝 Writing about your experience
- 🤝 Contributing to the project
ERKLIG is built with the help of these amazing open-source projects:
| Library | Author | Description |
|---|---|---|
| Cobra | Steve Francia | CLI framework |
| Color | Fatih Arslan | Terminal colors |
| Progressbar | Zack Scholl | Progress indicators |
| YAML.v3 | Go-YAML | YAML parser |
| Resource | Description |
|---|---|
| OWASP | Web security guidelines |
| VirusTotal | Malware research |
| MalwareBazaar | Threat intelligence |
- PHP Malware Finder - YARA-based scanner
- Linux Malware Detect - LMD project
- ClamAV - Open source antivirus
⚔️ ERKLIG - Your Server's Mighty Guardian ⚔️
Made with ❤️ by Can TÜRK

