/src/rootcheck/db/rootkit_files.txt
Plain Text | 492 lines | 361 code | 131 blank | 0 comment | 0 complexity | dd351ce236207391bf8e43850ac200f8 MD5 | raw file
Possible License(s): GPL-2.0
- # @(#) $Id: ./src/rootcheck/db/rootkit_files.txt, 2011/09/08 dcid Exp $
- #
- # rootkit_files.txt, (C) Daniel B. Cid
- # Imported from the rootcheck project.
- #
- # Lines starting with '#' are not going to be read.
- # Blank lines are not going to be read too.
- #
- # Each line must be in the following format:
- # file_name ! Name ::Link to it
- # Files that start with an '*' are going to be searched
- # in the whole system.
- # Bash door
- tmp/mcliZokhb ! Bash door ::/rootkits/bashdoor.php
- tmp/mclzaKmfa ! Bash door ::/rootkits/bashdoor.php
- #adore Worm
- dev/.shit/red.tgz ! Adore Worm ::/rootkits/adorew.php
- usr/lib/libt ! Adore Worm ::/rootkits/adorew.php
- usr/bin/adore ! Adore Worm ::/rootkits/adorew.php
- */klogd.o ! Adore Worm ::/rootkits/adorew.php
- */red.tar ! Adore Worm ::/rootkits/adorew.php
- #T.R.K rootkit
- usr/bin/soucemask ! TRK rootkit ::/rootkits/trk.php
- usr/bin/sourcemask ! TRK rootkit ::/rootkits/trk.php
- # 55.808.A Worm
- tmp/.../a ! 55808.A Worm ::
- tmp/.../r ! 55808.A Worm ::
- # Volc Rootkit
- usr/lib/volc ! Volc Rootkit ::
- usr/bin/volc ! Volc Rootkit ::
- # Illogic
- lib/security/.config ! Illogic Rootkit ::rootkits/illogic.php
- usr/bin/sia ! Illogic Rootkit ::rootkits/illogic.php
- etc/ld.so.hash ! Illogic Rootkit ::rootkits/illogic.php
- */uconf.inv ! Illogic Rootkit ::rootkits/illogic.php
- #T0rnkit installed
- usr/src/.puta ! t0rn Rootkit ::rootkits/torn.php
- usr/info/.t0rn ! t0rn Rootkit ::rootkits/torn.php
- lib/ldlib.tk ! t0rn Rootkit ::rootkits/torn.php
- etc/ttyhash ! t0rn Rootkit ::rootkits/torn.php
- sbin/xlogin ! t0rn Rootkit ::rootkits/torn.php
- */ldlib.tk ! t0rn Rootkit ::rootkits/torn.php
- */.t0rn ! t0rn Rootkit ::rootkits/torn.php
- */.puta ! t0rn Rootkit ::rootkits/torn.php
- #RK17
- bin/rtty ! RK17 ::
- bin/squit ! RK17 ::
- sbin/pback ! RK17 ::
- proc/kset ! RK17 ::
- usr/src/linux/modules/autod.o ! RK17 ::
- usr/src/linux/modules/soundx.o ! RK17 ::
- # Ramen Worm
- usr/lib/ldlibps.so ! Ramen Worm ::rootkits/ramen.php
- usr/lib/ldlibns.so ! Ramen Worm ::rootkits/ramen.php
- usr/lib/ldliblogin.so ! Ramen Worm ::rootkits/ramen.php
- usr/src/.poop ! Ramen Worm ::rootkits/ramen.php
- tmp/ramen.tgz ! Ramen Worm ::rootkits/ramen.php
- etc/xinetd.d/asp ! Ramen Worm ::rootkits/ramen.php
- # Sadmind/IIS Worm
- dev/cuc ! Sadmind/IIS Worm ::
- #Monkit
- lib/defs ! Monkit ::
- usr/lib/libpikapp.a ! Monkit found ::
- #RSHA
- usr/bin/kr4p ! RSHA ::
- usr/bin/n3tstat ! RSHA ::
- usr/bin/chsh2 ! RSHA ::
- usr/bin/slice2 ! RSHA ::
- etc/rc.d/rsha ! RSHA ::
- #ShitC worm
- bin/home ! ShitC ::
- sbin/home ! ShitC ::
- usr/sbin/in.slogind ! ShitC ::
- #Omega Worm
- dev/chr ! Omega Worm ::
- #rh-sharpe
- bin/.ps ! Rh-Sharpe ::
- usr/bin/cleaner ! Rh-Sharpe ::
- usr/bin/slice ! Rh-Sharpe ::
- usr/bin/vadim ! Rh-Sharpe ::
- usr/bin/.ps ! Rh-Sharpe ::
- bin/.lpstree ! Rh-Sharpe ::
- usr/bin/.lpstree ! Rh-Sharpe ::
- usr/bin/lnetstat ! Rh-Sharpe ::
- bin/lnetstat ! Rh-Sharpe ::
- usr/bin/ldu ! Rh-Sharpe ::
- bin/ldu ! Rh-Sharpe ::
- usr/bin/lkillall ! Rh-Sharpe ::
- bin/lkillall ! Rh-Sharpe ::
- usr/include/rpcsvc/du ! Rh-Sharpe ::
- #Maniac RK
- usr/bin/mailrc ! Maniac RK ::
- #Showtee / romaniam
- usr/lib/.egcs ! Showtee ::
- usr/lib/.wormie ! Showtee ::
- usr/lib/.kinetic ! Showtee ::
- usr/lib/liblog.o ! Showtee ::
- usr/include/addr.h ! Showtee / Romanian rootkit ::
- usr/include/cron.h ! Showtee ::
- usr/include/file.h ! Showtee / Romaniam rootkit ::
- usr/include/syslogs.h ! Showtee / Romaniam rootkit ::
- usr/include/proc.h ! Showtee / Romaniam rootkit ::
- usr/include/chk.h ! Showtee ::
- usr/sbin/initdl ! Romanian rootkit ::
- usr/sbin/xntps ! Romanian rootkit ::
- #Optickit
- usr/bin/xchk ! Optickit ::
- usr/bin/xsf ! Optickit ::
- # LDP worm
- dev/.kork ! LDP Worm ::
- bin/.login ! LDP Worm ::
- bin/.ps ! LDP Worm ::
- # Telekit
- dev/hda06 ! TeLeKit trojan ::
- usr/info/libc1.so ! TeleKit trojan ::
- # Tribe bot
- dev/wd4 ! Tribe bot ::
- # LRK
- dev/ida/.inet ! LRK rootkit ::rootkits/lrk.php
- */bindshell ! LRK rootkit ::rootkits/lrk.php
- # Adore Rootkit
- etc/bin/ava ! Adore Rootkit ::
- etc/sbin/ava ! Adore Rootkit ::
- # Slapper
- tmp/.bugtraq ! Slapper installed ::
- tmp/.bugtraq.c ! Slapper installed ::
- tmp/.cinik ! Slapper installed ::
- tmp/.b ! Slapper installed ::
- tmp/httpd ! Slapper installed ::
- tmp./update ! Slapper installed ::
- tmp/.unlock ! Slapper installed ::
- tmp/.font-unix/.cinik ! Slapper installed ::
- tmp/.cinik ! Slapper installed ::
- # Scalper
- tmp/.uua ! Scalper installed ::
- tmp/.a ! Scalper installed ::
- # Knark
- proc/knark ! Knark Installed ::rootkits/knark.php
- dev/.pizda ! Knark Installed ::rootkits/knark.php
- dev/.pula ! Knark Installed ::rootkits/knark.php
- dev/.pula ! Knark Installed ::rootkits/knark.php
- */taskhack ! Knark Installed ::rootkits/knark.php
- */rootme ! Knark Installed ::rootkits/knark.php
- */nethide ! Knark Installed ::rootkits/knark.php
- */hidef ! Knark Installed ::rootkits/knark.php
- */ered ! Knark Installed ::rootkits/knark.php
- # Lion worm
- dev/.lib ! Lion Worm ::rootkits/lion.php
- dev/.lib/1iOn.sh ! Lion Worm ::rootkits/lion.php
- bin/mjy ! Lion Worm ::rootkits/lion.php
- bin/in.telnetd ! Lion Worm ::rootkits/lion.php
- usr/info/torn ! Lion Worm ::rootkits/lion.php
- */1iOn\.sh ! Lion Worm ::rootkits/lion.php
- # Bobkit
- usr/include/.../ ! Bobkit Rootkit ::rootkits/bobkit.php
- usr/lib/.../ ! Bobkit Rootkit ::rootkits/bobkit.php
- usr/sbin/.../ ! Bobkit Rootkit ::rootkits/bobkit.php
- usr/bin/ntpsx ! Bobkit Rootkit ::rootkits/bobkit.php
- tmp/.bkp ! Bobkit Rootkit ::rootkits/bobkit.php
- usr/lib/.bkit- ! Bobkit Rootkit ::rootkits/bobkit.php
- */bkit- ! Bobkit Rootkit ::rootkits/bobkit.php
- # Hidrootkit
- var/lib/games/.k ! Hidr00tkit ::
-
- # Ark
- dev/ptyxx ! Ark rootkit ::
- #Mithra Rootkit
- usr/lib/locale/uboot ! Mithra`s rootkit ::
- # Optickit
- usr/bin/xsf ! OpticKit ::
- usr/bin/xchk ! OpticKit ::
- # LOC rookit
- tmp/xp ! LOC rookit ::
- tmp/kidd0.c ! LOC rookit ::
- tmp/kidd0 ! LOC rookit ::
- # TC2 worm
- usr/info/.tc2k ! TC2 Worm ::
- usr/bin/util ! TC2 Worm ::
- usr/sbin/initcheck ! TC2 Worm ::
- usr/sbin/ldb ! TC2 Worm ::
- # Anonoiyng rootkit
- usr/sbin/mech ! Anonoiyng rootkit ::
- usr/sbin/kswapd ! Anonoiyng rootkit ::
- # SuckIt
- lib/.x ! SuckIt rootkit ::
- */hide.log ! Suckit rootkit ::
- lib/sk ! SuckIT rootkit ::
- # Beastkit
- usr/local/bin/bin ! Beastkit rootkit ::rootkits/beastkit.php
- usr/man/.man10 ! Beastkit rootkit ::rootkits/beastkit.php
- usr/sbin/arobia ! Beastkit rootkit ::rootkits/beastkit.php
- usr/lib/elm/arobia ! Beastkit rootkit ::rootkits/beastkit.php
- usr/local/bin/.../bktd ! Beastkit rootkit ::rootkits/beastkit.php
- # Tuxkit
- dev/tux ! Tuxkit rootkit ::rootkits/Tuxkit.php
- usr/bin/xsf ! Tuxkit rootkit ::rootkits/Tuxkit.php
- usr/bin/xchk ! Tuxkit rootkit ::rootkits/Tuxkit.php
- */.file ! Tuxkit rootkit ::rootkits/Tuxkit.php
- */.addr ! Tuxkit rootkit ::rootkits/Tuxkit.php
- # Old rootkits
- usr/include/rpc/ ../kit ! Old rootkits ::rootkits/Old.php
- usr/include/rpc/ ../kit2 ! Old rootkits ::rootkits/Old.php
- usr/doc/.sl ! Old rootkits ::rootkits/Old.php
- usr/doc/.sp ! Old rootkits ::rootkits/Old.php
- usr/doc/.statnet ! Old rootkits ::rootkits/Old.php
- usr/doc/.logdsys ! Old rootkits ::rootkits/Old.php
- usr/doc/.dpct ! Old rootkits ::rootkits/Old.php
- usr/doc/.gifnocfi ! Old rootkits ::rootkits/Old.php
- usr/doc/.dnif ! Old rootkits ::rootkits/Old.php
- usr/doc/.nigol ! Old rootkits ::rootkits/Old.php
- # Kenga3 rootkit
- usr/include/. . ! Kenga3 rootkit
- # ESRK rootkit
- usr/lib/tcl5.3 ! ESRK rootkit
- # Fu rootkit
- sbin/xc ! Fu rootkit
- usr/include/ivtype.h ! Fu rootkit
- bin/.lib ! Fu rootkit
- # ShKit rootkit
- lib/security/.config ! ShKit rootkit
- etc/ld.so.hash ! ShKit rootkit
- # AjaKit rootkit
- lib/.ligh.gh ! AjaKit rootkit
- lib/.libgh.gh ! AjaKit rootkit
- lib/.libgh-gh ! AjaKit rootkit
- dev/tux ! AjaKit rootkit
- dev/tux/.proc ! AjaKit rootkit
- dev/tux/.file ! AjaKit rootkit
- # zaRwT rootkit
- bin/imin ! zaRwT rootkit
- bin/imout ! zaRwT rootkit
- # Madalin rootkit
- usr/include/icekey.h ! Madalin rootkit
- usr/include/iceconf.h ! Madalin rootkit
- usr/include/iceseed.h ! Madalin rootkit
- # shv5 rootkit XXX http://www.askaboutskating.com/forum/.../shv5/setup
- lib/libsh.so ! shv5 rootkit
- usr/lib/libsh ! shv5 rootkit
- # BMBL rootkit (http://www.giac.com/practical/GSEC/Steve_Terrell_GSEC.pdf)
- etc/.bmbl ! BMBL rootkit
- etc/.bmbl/sk ! BMBL rootkit
- # rootedoor rootkit
- */rootedoor ! Rootedoor rootkit
- # 0vason rootkit
- */ovas0n ! ovas0n rootkit ::/rootkits/ovason.php
- */ovason ! ovas0n rootkit ::/rootkits/ovason.php
- # Rpimp reverse telnet
- */rpimp ! rpv21 (Reverse Pimpage)::/rootkits/rpimp.php
- # Cback Linux worm
- tmp/cback ! cback worm ::/rootkits/cback.php
- tmp/derfiq ! cback worm ::/rootkits/cback.php
- # aPa Kit (from rkhunter)
- usr/share/.aPa ! Apa Kit
- # enye-sec Rootkit
- etc/.enyelkmHIDE^IT.ko ! enye-sec Rootkit ::/rootkits/enye-sec.php
- # Override Rootkit
- dev/grid-hide-pid- ! Override rootkit ::/rootkits/override.php
- dev/grid-unhide-pid- ! Override rootkit ::/rootkits/override.php
- dev/grid-show-pids ! Override rootkit ::/rootkits/override.php
- dev/grid-hide-port- ! Override rootkit ::/rootkits/override.php
- dev/grid-unhide-port- ! Override rootkit ::/rootkits/override.php
- # PHALANX rootkit
- usr/share/.home.ph1 ! PHALANX rootkit ::
- usr/share/.home.ph1/tty ! PHALANX rootkit ::
- etc/host.ph1 ! PHALANX rootkit ::
- bin/host.ph1 ! PHALANX rootkit ::
- # ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf)
- # and from chkrootkit
- usr/share/.zk ! ZK rootkit ::
- usr/share/.zk/zk ! ZK rootkit ::
- etc/1ssue.net ! ZK rootkit ::
- usr/X11R6/.zk ! ZK rootkit ::
- usr/X11R6/.zk/xfs ! ZK rootkit ::
- usr/X11R6/.zk/echo ! ZK rootkit ::
- etc/sysconfig/console/load.zk ! ZK rootkit ::
- # Public sniffers
- */.linux-sniff ! Sniffer log ::
- */sniff-l0g ! Sniffer log ::
- */core_$ ! Sniffer log ::
- */tcp.log ! Sniffer log ::
- */chipsul ! Sniffer log ::
- */beshina ! Sniffer log ::
- */.owned$ | Sniffer log ::
- # Solaris worm -
- # http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen
- var/adm/.profile ! Solaris Worm ::
- var/spool/lp/.profile ! Solaris Worm ::
- var/adm/sa/.adm ! Solaris Worm ::
- var/spool/lp/admins/.lp ! Solaris Worm ::
- # XOR.DDoS
- etc/cron.hourly/gcc.sh ! XOR.DDoS :: http://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf
- lib/libudev.so ! XOR.DDoS :: http://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf
- lib/libudev.so.6 ! XOR.DDoS :: http://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf
- var/run/gcc.pid ! XOR.DDoS :: http://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf
- # LinuxMint Backdoor
- var/lib/man.cy ! LinuxMint.Backdoor ::
- # Versatile trojan
- etc/init.d/DbSecuritySpt ! Versatile Trojan ::
- # Linux/Mumblehard
- var/tmp/qCVwOWA ! Linux/Mumblehard :: http://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf
- # Linux/Moose
- var/elan2 ! Linux/Moose :: http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf
- dev/elan2 ! Linux/Moose :: http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf
- #Suspicious files
- etc/rc.d/init.d/rc.modules ! Suspicious file ::rootkits/Suspicious.php
- lib/ldd.so ! Suspicious file ::rootkits/Suspicious.php
- usr/man/muie ! Suspicious file ::rootkits/Suspicious.php
- usr/X11R6/include/pain ! Suspicious file ::rootkits/Suspicious.php
- usr/bin/sourcemask ! Suspicious file ::rootkits/Suspicious.php
- usr/bin/ras2xm ! Suspicious file ::rootkits/Suspicious.php
- usr/bin/ddc ! Suspicious file ::rootkits/Suspicious.php
- usr/bin/jdc ! Suspicious file ::rootkits/Suspicious.php
- usr/sbin/in.telnet ! Suspicious file ::rootkits/Suspicious.php
- sbin/vobiscum ! Suspicious file ::rootkits/Suspicious.php
- usr/sbin/jcd ! Suspicious file ::rootkits/Suspicious.php
- usr/sbin/atd2 ! Suspicious file ::rootkits/Suspicious.php
- usr/bin/ishit ! Suspicious file ::rootkits/Suspicious.php
- usr/bin/.etc ! Suspicious file ::rootkits/Suspicious.php
- usr/bin/xstat ! Suspicious file ::rootkits/Suspicious.php
- var/run/.tmp ! Suspicious file ::rootkits/Suspicious.php
- usr/man/man1/lib/.lib ! Suspicious file ::rootkits/Suspicious.php
- usr/man/man2/.man8 ! Suspicious file ::rootkits/Suspicious.php
- var/run/.pid ! Suspicious file ::rootkits/Suspicious.php
- lib/.so ! Suspicious file ::rootkits/Suspicious.php
- lib/.fx ! Suspicious file ::rootkits/Suspicious.php
- lib/lblip.tk ! Suspicious file ::rootkits/Suspicious.php
- usr/lib/.fx ! Suspicious file ::rootkits/Suspicious.php
- var/local/.lpd ! Suspicious file ::rootkits/Suspicious.php
- dev/rd/cdb ! Suspicious file ::rootkits/Suspicious.php
- dev/.rd/ ! Suspicious file ::rootkits/Suspicious.php
- usr/lib/pt07 ! Suspicious file ::rootkits/Suspicious.php
- usr/bin/atm ! Suspicious file ::rootkits/Suspicious.php
- tmp/.cheese ! Suspicious file ::rootkits/Suspicious.php
- dev/.arctic ! Suspicious file ::rootkits/Suspicious.php
- dev/.xman ! Suspicious file ::rootkits/Suspicious.php
- dev/.golf ! Suspicious file ::rootkits/Suspicious.php
- dev/srd0 ! Suspicious file ::rootkits/Suspicious.php
- dev/ptyzx ! Suspicious file ::rootkits/Suspicious.php
- dev/ptyzg ! Suspicious file ::rootkits/Suspicious.php
- dev/xdf1 ! Suspicious file ::rootkits/Suspicious.php
- dev/ttyop ! Suspicious file ::rootkits/Suspicious.php
- dev/ttyof ! Suspicious file ::rootkits/Suspicious.php
- dev/hd7 ! Suspicious file ::rootkits/Suspicious.php
- dev/hdx1 ! Suspicious file ::rootkits/Suspicious.php
- dev/hdx2 ! Suspicious file ::rootkits/Suspicious.php
- dev/xdf2 ! Suspicious file ::rootkits/Suspicious.php
- dev/ptyp ! Suspicious file ::rootkits/Suspicious.php
- dev/ptyr ! Suspicious file ::rootkits/Suspicious.php
- sbin/pback ! Suspicious file ::rootkits/Suspicious.php
- usr/man/man3/psid ! Suspicious file ::rootkits/Suspicious.php
- proc/kset ! Suspicious file ::rootkits/Suspicious.php
- usr/bin/gib ! Suspicious file ::rootkits/Suspicious.php
- usr/bin/snick ! Suspicious file ::rootkits/Suspicious.php
- usr/bin/kfl ! Suspicious file ::rootkits/Suspicious.php
- tmp/.dump ! Suspicious file ::rootkits/Suspicious.php
- var/.x ! Suspicious file ::rootkits/Suspicious.php
- var/.x/psotnic ! Suspicious file ::rootkits/Suspicious.php
- dev/shm/.ssh/known ! Suspicious file ::rootkits/Suspicious.php
- */.log ! Suspicious file ::rootkits/Suspicious.php
- */ecmf ! Suspicious file ::rootkits/Suspicious.php
- */mirkforce ! Suspicious file ::rootkits/Suspicious.php
- */mfclean ! Suspicious file ::rootkits/Suspicious.php