
/src/rootcheck/db/rootkit_files.txt

https://bitbucket.org/jrossi/ossec-hids
  1# @(#) $Id$
  2#
  3# rootkit_files.txt, (C) Daniel B. Cid
  4# Imported from the rootcheck project.
  5#
  6# Lines starting with '#' are ignored.
  7# Blank lines are ignored too.
  8# 
  9# Each line must be in the following format:
 10# file_name ! Name ::Link to it
 11# (paths omit the leading '/'; several entries below leave the '::Link' part out -- confirm the parser accepts that before relying on them)
 12# Entries that start with '*/' are matched by file name anywhere on the
 13# system (whole-filesystem search); all other entries are checked as the given path.
 14
 15
 16# Bash door
 17tmp/mcliZokhb			! Bash door ::/rootkits/bashdoor.php
 18tmp/mclzaKmfa			! Bash door ::/rootkits/bashdoor.php
 19
 20
 21#adore Worm
 22dev/.shit/red.tgz		! Adore Worm ::/rootkits/adorew.php
 23usr/lib/libt			! Adore Worm ::/rootkits/adorew.php
 24usr/bin/adore			! Adore Worm ::/rootkits/adorew.php
 25*/klogd.o               ! Adore Worm ::/rootkits/adorew.php
 26*/red.tar               ! Adore Worm ::/rootkits/adorew.php
 27
 28
 29#T.R.K rootkit
 30usr/bin/soucemask		! TRK rootkit ::/rootkits/trk.php
 31usr/bin/sourcemask		! TRK rootkit ::/rootkits/trk.php
 32
 33
 34# 55.808.A Worm
 35tmp/.../a			    ! 55808.A Worm ::
 36tmp/.../r			    ! 55808.A Worm ::
 37
 38
 39# Volc Rootkit
 40usr/lib/volc			! Volc Rootkit ::
 41usr/bin/volc 			! Volc Rootkit ::
 42
 43
 44# Illogic
 45lib/security/.config	! Illogic Rootkit ::rootkits/illogic.php
 46usr/bin/sia			    ! Illogic Rootkit ::rootkits/illogic.php
 47etc/ld.so.hash			! Illogic Rootkit ::rootkits/illogic.php
 48*/uconf.inv 			! Illogic Rootkit ::rootkits/illogic.php
 49
 50
 51#T0rnkit installed
 52usr/src/.puta			! t0rn Rootkit ::rootkits/torn.php 
 53usr/info/.t0rn			! t0rn Rootkit ::rootkits/torn.php
 54lib/ldlib.tk			! t0rn Rootkit ::rootkits/torn.php
 55etc/ttyhash			    ! t0rn Rootkit ::rootkits/torn.php
 56sbin/xlogin			    ! t0rn Rootkit ::rootkits/torn.php
 57*/ldlib.tk              ! t0rn Rootkit ::rootkits/torn.php
 58*/.t0rn                 ! t0rn Rootkit ::rootkits/torn.php
 59*/.puta                 ! t0rn Rootkit ::rootkits/torn.php
 60
 61
 62#RK17
 63bin/rtty			! RK17 ::
 64bin/squit			! RK17 ::
 65sbin/pback			! RK17 ::
 66proc/kset			! RK17 ::
 67usr/src/linux/modules/autod.o	! RK17 ::
 68usr/src/linux/modules/soundx.o	! RK17 ::
 69
 70
 71# Ramen Worm
 72usr/lib/ldlibps.so 		! Ramen Worm ::rootkits/ramen.php
 73usr/lib/ldlibns.so 		! Ramen Worm ::rootkits/ramen.php
 74usr/lib/ldliblogin.so 	! Ramen Worm ::rootkits/ramen.php
 75usr/src/.poop			! Ramen Worm ::rootkits/ramen.php
 76tmp/ramen.tgz			! Ramen Worm ::rootkits/ramen.php
 77etc/xinetd.d/asp		! Ramen Worm ::rootkits/ramen.php
 78
 79
 80# Sadmind/IIS Worm
 81dev/cuc				    ! Sadmind/IIS Worm ::
 82
 83
 84#Monkit
 85lib/defs		    	! Monkit ::
 86usr/lib/libpikapp.a		! Monkit found ::
 87
 88
 89#RSHA
 90usr/bin/kr4p 			! RSHA ::
 91usr/bin/n3tstat			! RSHA ::
 92usr/bin/chsh2			! RSHA ::
 93usr/bin/slice2			! RSHA ::
 94etc/rc.d/rsha			! RSHA ::
 95
 96
 97#ShitC worm
 98bin/home			    ! ShitC ::
 99sbin/home			    ! ShitC ::
100usr/sbin/in.slogind		! ShitC ::
101
102
103#Omega Worm
104dev/chr				    ! Omega Worm ::
105
106
107#rh-sharpe
108bin/.ps				    ! Rh-Sharpe ::
109usr/bin/cleaner			! Rh-Sharpe ::
110usr/bin/slice			! Rh-Sharpe ::
111usr/bin/vadim			! Rh-Sharpe ::
112usr/bin/.ps			    ! Rh-Sharpe ::
113bin/.lpstree			! Rh-Sharpe ::
114usr/bin/.lpstree		! Rh-Sharpe ::
115usr/bin/lnetstat		! Rh-Sharpe ::
116bin/lnetstat			! Rh-Sharpe ::
117usr/bin/ldu			    ! Rh-Sharpe ::
118bin/ldu				    ! Rh-Sharpe ::
119usr/bin/lkillall		! Rh-Sharpe ::
120bin/lkillall			! Rh-Sharpe ::
121usr/include/rpcsvc/du	! Rh-Sharpe ::
122
123
124#Maniac RK 
125usr/bin/mailrc			! Maniac RK ::
126
127
128#Showtee / romaniam
129usr/lib/.egcs			! Showtee ::
130usr/lib/.wormie			! Showtee ::
131usr/lib/.kinetic		! Showtee ::
132usr/lib/liblog.o		! Showtee ::
133usr/include/addr.h		! Showtee / Romanian rootkit ::
134usr/include/cron.h		! Showtee ::
135usr/include/file.h		! Showtee / Romaniam rootkit ::
136usr/include/syslogs.h	! Showtee / Romaniam rootkit ::
137usr/include/proc.h		! Showtee / Romaniam rootkit ::
138usr/include/chk.h		! Showtee ::
139usr/sbin/initdl			! Romanian rootkit ::
140usr/sbin/xntps			! Romanian rootkit ::
141
142
143#Optickit
144usr/bin/xchk			! Optickit ::
145usr/bin/xsf			    ! Optickit ::
146
147
148# LDP worm 
149dev/.kork			! LDP Worm ::
150bin/.login			! LDP Worm ::
151bin/.ps				! LDP Worm ::
152
153
154# Telekit
155dev/hda06			! TeLeKit trojan ::
156usr/info/libc1.so 		! TeleKit trojan ::
157
158
159# Tribe bot
160dev/wd4 			! Tribe bot ::
161
162
163# LRK
164dev/ida/.inet 			! LRK rootkit ::rootkits/lrk.php
165*/bindshell 			! LRK rootkit ::rootkits/lrk.php
166
167
168# Adore Rootkit
169etc/bin/ava 			! Adore Rootkit ::
170etc/sbin/ava 			! Adore Rootkit ::
171
172
173# Slapper
174tmp/.bugtraq 			! Slapper installed ::
175tmp/.bugtraq.c 			! Slapper installed ::
176tmp/.cinik 			    ! Slapper installed ::
177tmp/.b 				    ! Slapper installed ::
178tmp/httpd 			    ! Slapper installed ::
179tmp/.update 			! Slapper installed ::
180tmp/.unlock 			! Slapper installed ::
181tmp/.font-unix/.cinik   ! Slapper installed ::
182tmp/.cinik              ! Slapper installed ::
183
184
185
186# Scalper
187tmp/.uua 			! Scalper installed ::
188tmp/.a 				! Scalper installed ::
189
190
191# Knark 
192proc/knark 			! Knark Installed ::rootkits/knark.php
193dev/.pizda 			! Knark Installed ::rootkits/knark.php
194dev/.pula 			! Knark Installed ::rootkits/knark.php
195dev/.pula 			! Knark Installed ::rootkits/knark.php
196*/taskhack          ! Knark Installed ::rootkits/knark.php
197*/rootme            ! Knark Installed ::rootkits/knark.php
198*/nethide           ! Knark Installed ::rootkits/knark.php
199*/hidef             ! Knark Installed ::rootkits/knark.php
200*/ered              ! Knark Installed ::rootkits/knark.php
201
202
203# Lion worm
204dev/.lib 			! Lion Worm ::rootkits/lion.php
205dev/.lib/1iOn.sh 	! Lion Worm ::rootkits/lion.php
206bin/mjy				! Lion Worm ::rootkits/lion.php
207bin/in.telnetd		! Lion Worm ::rootkits/lion.php
208usr/info/torn		! Lion Worm ::rootkits/lion.php
209*/1iOn\.sh  		! Lion Worm ::rootkits/lion.php
210
211
212# Bobkit
213usr/include/.../		! Bobkit Rootkit ::rootkits/bobkit.php
214usr/lib/.../			! Bobkit Rootkit ::rootkits/bobkit.php
215usr/sbin/.../			! Bobkit Rootkit ::rootkits/bobkit.php
216usr/bin/ntpsx			! Bobkit Rootkit ::rootkits/bobkit.php
217tmp/.bkp			    ! Bobkit Rootkit ::rootkits/bobkit.php
218usr/lib/.bkit-		    ! Bobkit Rootkit ::rootkits/bobkit.php
219*/bkit-	    		    ! Bobkit Rootkit ::rootkits/bobkit.php
220
221# Hidrootkit
222var/lib/games/.k		! Hidr00tkit ::
223
224 
225# Ark
226dev/ptyxx			! Ark rootkit ::
227
228
229#Mithra Rootkit
230usr/lib/locale/uboot 		! Mithra`s rootkit ::
231
232
233# Optickit
234usr/bin/xsf 			! OpticKit ::
235usr/bin/xchk 			! OpticKit ::
236
237
238# LOC rootkit
239tmp/xp 				! LOC rookit ::
240tmp/kidd0.c 			! LOC rookit ::
241tmp/kidd0 			! LOC rookit ::
242
243
244# TC2 worm
245usr/info/.tc2k	 		! TC2 Worm ::
246usr/bin/util 			! TC2 Worm ::
247usr/sbin/initcheck 		! TC2 Worm ::
248usr/sbin/ldb 			! TC2 Worm ::
249
250
251# Anonoiyng rootkit
252usr/sbin/mech 			! Anonoiyng rootkit ::
253usr/sbin/kswapd 		! Anonoiyng rootkit ::
254
255
256# SuckIt
257lib/.x				! SuckIt rootkit ::
258*/hide.log          ! Suckit rootkit ::
259lib/sk              ! SuckIT rootkit ::
260
261
262# Beastkit
263usr/local/bin/bin		! Beastkit rootkit ::rootkits/beastkit.php
264usr/man/.man10			! Beastkit rootkit ::rootkits/beastkit.php
265usr/sbin/arobia			! Beastkit rootkit ::rootkits/beastkit.php
266usr/lib/elm/arobia		! Beastkit rootkit ::rootkits/beastkit.php
267usr/local/bin/.../bktd	! Beastkit rootkit ::rootkits/beastkit.php
268
269
270# Tuxkit
271dev/tux				! Tuxkit rootkit ::rootkits/Tuxkit.php
272usr/bin/xsf			! Tuxkit rootkit ::rootkits/Tuxkit.php
273usr/bin/xchk		! Tuxkit rootkit ::rootkits/Tuxkit.php
274*/.file             ! Tuxkit rootkit ::rootkits/Tuxkit.php
275*/.addr             ! Tuxkit rootkit ::rootkits/Tuxkit.php
276
277
278# Old rootkits
279usr/include/rpc/ ../kit		! Old rootkits ::rootkits/Old.php
280usr/include/rpc/ ../kit2	! Old rootkits ::rootkits/Old.php
281usr/doc/.sl			    ! Old rootkits ::rootkits/Old.php
282usr/doc/.sp			    ! Old rootkits ::rootkits/Old.php
283usr/doc/.statnet		! Old rootkits ::rootkits/Old.php
284usr/doc/.logdsys		! Old rootkits ::rootkits/Old.php
285usr/doc/.dpct			! Old rootkits ::rootkits/Old.php
286usr/doc/.gifnocfi		! Old rootkits ::rootkits/Old.php
287usr/doc/.dnif			! Old rootkits ::rootkits/Old.php
288usr/doc/.nigol			! Old rootkits ::rootkits/Old.php
289
290
291# Kenga3 rootkit
292usr/include/. .         ! Kenga3 rootkit
293
294
295# ESRK rootkit
296usr/lib/tcl5.3          ! ESRK rootkit
297
298
299# Fu rootkit
300sbin/xc                 ! Fu rootkit
301usr/include/ivtype.h    ! Fu rootkit
302bin/.lib                ! Fu rootkit
303
304
305# ShKit rootkit
306lib/security/.config    ! ShKit rootkit
307etc/ld.so.hash          ! ShKit rootkit
308
309
310# AjaKit rootkit
311lib/.ligh.gh            ! AjaKit rootkit
312lib/.libgh.gh           ! AjaKit rootkit
313lib/.libgh-gh           ! AjaKit rootkit
314dev/tux                 ! AjaKit rootkit
315dev/tux/.proc           ! AjaKit rootkit
316dev/tux/.file           ! AjaKit rootkit
317
318
319# zaRwT rootkit
320bin/imin                ! zaRwT rootkit
321bin/imout               ! zaRwT rootkit
322
323
324# Madalin rootkit
325usr/include/icekey.h    ! Madalin rootkit
326usr/include/iceconf.h   ! Madalin rootkit
327usr/include/iceseed.h   ! Madalin rootkit
328
329
330# shv5 rootkit XXX http://www.askaboutskating.com/forum/.../shv5/setup
331lib/libsh.so            ! shv5 rootkit
332usr/lib/libsh           ! shv5 rootkit
333
334
335# BMBL rootkit (http://www.giac.com/practical/GSEC/Steve_Terrell_GSEC.pdf)
336etc/.bmbl               ! BMBL rootkit
337etc/.bmbl/sk            ! BMBL rootkit
338
339
340# rootedoor rootkit
341*/rootedoor             ! Rootedoor rootkit
342
343
344# 0vason rootkit
345*/ovas0n                ! ovas0n rootkit ::/rootkits/ovason.php
346*/ovason                ! ovas0n rootkit ::/rootkits/ovason.php
347
348
349# Rpimp reverse telnet
350*/rpimp                 ! rpv21 (Reverse Pimpage)::/rootkits/rpimp.php
351
352
353# Cback Linux worm
354tmp/cback              ! cback worm ::/rootkits/cback.php
355tmp/derfiq             ! cback worm ::/rootkits/cback.php
356
357
358# aPa Kit (from rkhunter)
359usr/share/.aPa          ! Apa Kit
360
361
362# enye-sec Rootkit
363etc/.enyelkmHIDE^IT.ko  ! enye-sec Rootkit ::/rootkits/enye-sec.php
364
365
366# Override Rootkit (four entries end in '-': the real files presumably carry a pid/port suffix, e.g. grid-hide-pid-<pid>; an exact-path check would not match those -- confirm how rootcheck compares these)
367dev/grid-hide-pid-     ! Override rootkit ::/rootkits/override.php
368dev/grid-unhide-pid-   ! Override rootkit ::/rootkits/override.php
369dev/grid-show-pids     ! Override rootkit ::/rootkits/override.php
370dev/grid-hide-port-    ! Override rootkit ::/rootkits/override.php
371dev/grid-unhide-port-  ! Override rootkit ::/rootkits/override.php
372
373
374# PHALANX rootkit
375usr/share/.home.ph1     ! PHALANX rootkit ::
376usr/share/.home.ph1/tty ! PHALANX rootkit ::
377etc/host.ph1            ! PHALANX rootkit ::
378bin/host.ph1            ! PHALANX rootkit ::
379
380
381# ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf)
382# and from chkrootkit
383usr/share/.zk                   ! ZK rootkit ::
384usr/share/.zk/zk                ! ZK rootkit ::
385etc/1ssue.net                   ! ZK rootkit ::
386usr/X11R6/.zk                   ! ZK rootkit ::
387usr/X11R6/.zk/xfs               ! ZK rootkit ::
388usr/X11R6/.zk/echo              ! ZK rootkit ::
389etc/sysconfig/console/load.zk   ! ZK rootkit ::
390
391
392# Public sniffers
393*/.linux-sniff          ! Sniffer log ::
394*/sniff-l0g             ! Sniffer log ::
395*/core_$                ! Sniffer log ::
396*/tcp.log               ! Sniffer log ::
397*/chipsul               ! Sniffer log ::
398*/beshina               ! Sniffer log ::
399*/.owned$               ! Sniffer log ::
400
401
402# Solaris worm -
403# http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen
404var/adm/.profile        ! Solaris Worm ::
405var/spool/lp/.profile   ! Solaris Worm ::
406var/adm/sa/.adm         ! Solaris Worm ::
407var/spool/lp/admins/.lp ! Solaris Worm ::
408
409
410# Suspicious files -- generic names; the '*/' entries (e.g. */.log) are searched system-wide and can hit legitimate files, so treat a match as a lead to investigate, not a confirmed compromise.
411etc/rc.d/init.d/rc.modules	! Suspicious file ::rootkits/Suspicious.php
412lib/ldd.so			        ! Suspicious file ::rootkits/Suspicious.php
413usr/man/muie			    ! Suspicious file ::rootkits/Suspicious.php
414usr/X11R6/include/pain		! Suspicious file ::rootkits/Suspicious.php
415usr/bin/sourcemask 		    ! Suspicious file ::rootkits/Suspicious.php
416usr/bin/ras2xm			    ! Suspicious file ::rootkits/Suspicious.php
417usr/bin/ddc			        ! Suspicious file ::rootkits/Suspicious.php
418usr/bin/jdc			        ! Suspicious file ::rootkits/Suspicious.php
419usr/sbin/in.telnet		    ! Suspicious file ::rootkits/Suspicious.php
420sbin/vobiscum			    ! Suspicious file ::rootkits/Suspicious.php
421usr/sbin/jcd			    ! Suspicious file ::rootkits/Suspicious.php
422usr/sbin/atd2			    ! Suspicious file ::rootkits/Suspicious.php
423usr/bin/ishit               ! Suspicious file ::rootkits/Suspicious.php
424usr/bin/.etc	            ! Suspicious file ::rootkits/Suspicious.php
425usr/bin/xstat			    ! Suspicious file ::rootkits/Suspicious.php
426var/run/.tmp			    ! Suspicious file ::rootkits/Suspicious.php
427usr/man/man1/lib/.lib		! Suspicious file ::rootkits/Suspicious.php
428usr/man/man2/.man8 		    ! Suspicious file ::rootkits/Suspicious.php
429var/run/.pid			    ! Suspicious file ::rootkits/Suspicious.php
430lib/.so				        ! Suspicious file ::rootkits/Suspicious.php
431lib/.fx				        ! Suspicious file ::rootkits/Suspicious.php
432lib/lblip.tk			    ! Suspicious file ::rootkits/Suspicious.php
433usr/lib/.fx			        ! Suspicious file ::rootkits/Suspicious.php
434var/local/.lpd			    ! Suspicious file ::rootkits/Suspicious.php
435dev/rd/cdb			        ! Suspicious file ::rootkits/Suspicious.php
436dev/.rd/			        ! Suspicious file ::rootkits/Suspicious.php
437usr/lib/pt07			    ! Suspicious file ::rootkits/Suspicious.php
438usr/bin/atm			        ! Suspicious file ::rootkits/Suspicious.php
439tmp/.cheese			        ! Suspicious file ::rootkits/Suspicious.php
440dev/.arctic			        ! Suspicious file ::rootkits/Suspicious.php
441dev/.xman			        ! Suspicious file ::rootkits/Suspicious.php
442dev/.golf			        ! Suspicious file ::rootkits/Suspicious.php
443dev/srd0			        ! Suspicious file ::rootkits/Suspicious.php
444dev/ptyzx			        ! Suspicious file ::rootkits/Suspicious.php
445dev/ptyzg			        ! Suspicious file ::rootkits/Suspicious.php
446dev/xdf1			        ! Suspicious file ::rootkits/Suspicious.php
447dev/ttyop			        ! Suspicious file ::rootkits/Suspicious.php
448dev/ttyof			        ! Suspicious file ::rootkits/Suspicious.php
449dev/hd7				        ! Suspicious file ::rootkits/Suspicious.php
450dev/hdx1			        ! Suspicious file ::rootkits/Suspicious.php
451dev/hdx2			        ! Suspicious file ::rootkits/Suspicious.php
452dev/xdf2			        ! Suspicious file ::rootkits/Suspicious.php
453dev/ptyp			        ! Suspicious file ::rootkits/Suspicious.php
454dev/ptyr			        ! Suspicious file ::rootkits/Suspicious.php
455sbin/pback                  ! Suspicious file ::rootkits/Suspicious.php
456usr/man/man3/psid           ! Suspicious file ::rootkits/Suspicious.php
457proc/kset                   ! Suspicious file ::rootkits/Suspicious.php
458usr/bin/gib                 ! Suspicious file ::rootkits/Suspicious.php
459usr/bin/snick               ! Suspicious file ::rootkits/Suspicious.php
460usr/bin/kfl                 ! Suspicious file ::rootkits/Suspicious.php
461tmp/.dump                   ! Suspicious file ::rootkits/Suspicious.php
462var/.x                      ! Suspicious file ::rootkits/Suspicious.php
463var/.x/psotnic              ! Suspicious file ::rootkits/Suspicious.php
464*/.log                      ! Suspicious file ::rootkits/Suspicious.php
465*/ecmf                      ! Suspicious file ::rootkits/Suspicious.php
466*/mirkforce                 ! Suspicious file ::rootkits/Suspicious.php
467*/mfclean                   ! Suspicious file ::rootkits/Suspicious.php