
/src/rootcheck/db/rootkit_files.txt

https://bitbucket.org/reyjrar/ossec-hids
Possible License(s): GPL-2.0
  1. # @(#) $Id: ./src/rootcheck/db/rootkit_files.txt, 2011/09/08 dcid Exp $
  2. #
  3. # rootkit_files.txt, (C) Daniel B. Cid
  4. # Imported from the rootcheck project.
  5. #
  6. # Lines starting with '#' are ignored.
  7. # Blank lines are ignored as well.
  8. #
  9. # Each line must be in the following format:
  10. # file_name ! Name ::Link to it
  11. # Entries whose path starts with '*' are searched for
  12. # across the whole filesystem rather than at a fixed location.
  13. # Bash door
  14. tmp/mcliZokhb ! Bash door ::/rootkits/bashdoor.php
  15. tmp/mclzaKmfa ! Bash door ::/rootkits/bashdoor.php
  16. #adore Worm
  17. dev/.shit/red.tgz ! Adore Worm ::/rootkits/adorew.php
  18. usr/lib/libt ! Adore Worm ::/rootkits/adorew.php
  19. usr/bin/adore ! Adore Worm ::/rootkits/adorew.php
  20. */klogd.o ! Adore Worm ::/rootkits/adorew.php
  21. */red.tar ! Adore Worm ::/rootkits/adorew.php
  22. #T.R.K rootkit
  23. usr/bin/soucemask ! TRK rootkit ::/rootkits/trk.php
  24. usr/bin/sourcemask ! TRK rootkit ::/rootkits/trk.php
  25. # 55.808.A Worm
  26. tmp/.../a ! 55808.A Worm ::
  27. tmp/.../r ! 55808.A Worm ::
  28. # Volc Rootkit
  29. usr/lib/volc ! Volc Rootkit ::
  30. usr/bin/volc ! Volc Rootkit ::
  31. # Illogic
  32. lib/security/.config ! Illogic Rootkit ::rootkits/illogic.php
  33. usr/bin/sia ! Illogic Rootkit ::rootkits/illogic.php
  34. etc/ld.so.hash ! Illogic Rootkit ::rootkits/illogic.php
  35. */uconf.inv ! Illogic Rootkit ::rootkits/illogic.php
  36. #T0rnkit installed
  37. usr/src/.puta ! t0rn Rootkit ::rootkits/torn.php
  38. usr/info/.t0rn ! t0rn Rootkit ::rootkits/torn.php
  39. lib/ldlib.tk ! t0rn Rootkit ::rootkits/torn.php
  40. etc/ttyhash ! t0rn Rootkit ::rootkits/torn.php
  41. sbin/xlogin ! t0rn Rootkit ::rootkits/torn.php
  42. */ldlib.tk ! t0rn Rootkit ::rootkits/torn.php
  43. */.t0rn ! t0rn Rootkit ::rootkits/torn.php
  44. */.puta ! t0rn Rootkit ::rootkits/torn.php
  45. #RK17
  46. bin/rtty ! RK17 ::
  47. bin/squit ! RK17 ::
  48. sbin/pback ! RK17 ::
  49. proc/kset ! RK17 ::
  50. usr/src/linux/modules/autod.o ! RK17 ::
  51. usr/src/linux/modules/soundx.o ! RK17 ::
  52. # Ramen Worm
  53. usr/lib/ldlibps.so ! Ramen Worm ::rootkits/ramen.php
  54. usr/lib/ldlibns.so ! Ramen Worm ::rootkits/ramen.php
  55. usr/lib/ldliblogin.so ! Ramen Worm ::rootkits/ramen.php
  56. usr/src/.poop ! Ramen Worm ::rootkits/ramen.php
  57. tmp/ramen.tgz ! Ramen Worm ::rootkits/ramen.php
  58. etc/xinetd.d/asp ! Ramen Worm ::rootkits/ramen.php
  59. # Sadmind/IIS Worm
  60. dev/cuc ! Sadmind/IIS Worm ::
  61. #Monkit
  62. lib/defs ! Monkit ::
  63. usr/lib/libpikapp.a ! Monkit found ::
  64. #RSHA
  65. usr/bin/kr4p ! RSHA ::
  66. usr/bin/n3tstat ! RSHA ::
  67. usr/bin/chsh2 ! RSHA ::
  68. usr/bin/slice2 ! RSHA ::
  69. etc/rc.d/rsha ! RSHA ::
  70. #ShitC worm
  71. bin/home ! ShitC ::
  72. sbin/home ! ShitC ::
  73. usr/sbin/in.slogind ! ShitC ::
  74. #Omega Worm
  75. dev/chr ! Omega Worm ::
  76. #rh-sharpe
  77. bin/.ps ! Rh-Sharpe ::
  78. usr/bin/cleaner ! Rh-Sharpe ::
  79. usr/bin/slice ! Rh-Sharpe ::
  80. usr/bin/vadim ! Rh-Sharpe ::
  81. usr/bin/.ps ! Rh-Sharpe ::
  82. bin/.lpstree ! Rh-Sharpe ::
  83. usr/bin/.lpstree ! Rh-Sharpe ::
  84. usr/bin/lnetstat ! Rh-Sharpe ::
  85. bin/lnetstat ! Rh-Sharpe ::
  86. usr/bin/ldu ! Rh-Sharpe ::
  87. bin/ldu ! Rh-Sharpe ::
  88. usr/bin/lkillall ! Rh-Sharpe ::
  89. bin/lkillall ! Rh-Sharpe ::
  90. usr/include/rpcsvc/du ! Rh-Sharpe ::
  91. #Maniac RK
  92. usr/bin/mailrc ! Maniac RK ::
  93. #Showtee / romaniam
  94. usr/lib/.egcs ! Showtee ::
  95. usr/lib/.wormie ! Showtee ::
  96. usr/lib/.kinetic ! Showtee ::
  97. usr/lib/liblog.o ! Showtee ::
  98. usr/include/addr.h ! Showtee / Romanian rootkit ::
  99. usr/include/cron.h ! Showtee ::
  100. usr/include/file.h ! Showtee / Romaniam rootkit ::
  101. usr/include/syslogs.h ! Showtee / Romaniam rootkit ::
  102. usr/include/proc.h ! Showtee / Romaniam rootkit ::
  103. usr/include/chk.h ! Showtee ::
  104. usr/sbin/initdl ! Romanian rootkit ::
  105. usr/sbin/xntps ! Romanian rootkit ::
  106. #Optickit
  107. usr/bin/xchk ! Optickit ::
  108. usr/bin/xsf ! Optickit ::
  109. # LDP worm
  110. dev/.kork ! LDP Worm ::
  111. bin/.login ! LDP Worm ::
  112. bin/.ps ! LDP Worm ::
  113. # Telekit
  114. dev/hda06 ! TeLeKit trojan ::
  115. usr/info/libc1.so ! TeleKit trojan ::
  116. # Tribe bot
  117. dev/wd4 ! Tribe bot ::
  118. # LRK
  119. dev/ida/.inet ! LRK rootkit ::rootkits/lrk.php
  120. */bindshell ! LRK rootkit ::rootkits/lrk.php
  121. # Adore Rootkit
  122. etc/bin/ava ! Adore Rootkit ::
  123. etc/sbin/ava ! Adore Rootkit ::
  124. # Slapper
  125. tmp/.bugtraq ! Slapper installed ::
  126. tmp/.bugtraq.c ! Slapper installed ::
  127. tmp/.cinik ! Slapper installed ::
  128. tmp/.b ! Slapper installed ::
  129. tmp/httpd ! Slapper installed ::
  130. tmp/.update ! Slapper installed ::
  131. tmp/.unlock ! Slapper installed ::
  132. tmp/.font-unix/.cinik ! Slapper installed ::
  133. tmp/.cinik ! Slapper installed ::
  134. # Scalper
  135. tmp/.uua ! Scalper installed ::
  136. tmp/.a ! Scalper installed ::
  137. # Knark
  138. proc/knark ! Knark Installed ::rootkits/knark.php
  139. dev/.pizda ! Knark Installed ::rootkits/knark.php
  140. dev/.pula ! Knark Installed ::rootkits/knark.php
  141. dev/.pula ! Knark Installed ::rootkits/knark.php
  142. */taskhack ! Knark Installed ::rootkits/knark.php
  143. */rootme ! Knark Installed ::rootkits/knark.php
  144. */nethide ! Knark Installed ::rootkits/knark.php
  145. */hidef ! Knark Installed ::rootkits/knark.php
  146. */ered ! Knark Installed ::rootkits/knark.php
  147. # Lion worm
  148. dev/.lib ! Lion Worm ::rootkits/lion.php
  149. dev/.lib/1iOn.sh ! Lion Worm ::rootkits/lion.php
  150. bin/mjy ! Lion Worm ::rootkits/lion.php
  151. bin/in.telnetd ! Lion Worm ::rootkits/lion.php
  152. usr/info/torn ! Lion Worm ::rootkits/lion.php
  153. */1iOn\.sh ! Lion Worm ::rootkits/lion.php
  154. # Bobkit
  155. usr/include/.../ ! Bobkit Rootkit ::rootkits/bobkit.php
  156. usr/lib/.../ ! Bobkit Rootkit ::rootkits/bobkit.php
  157. usr/sbin/.../ ! Bobkit Rootkit ::rootkits/bobkit.php
  158. usr/bin/ntpsx ! Bobkit Rootkit ::rootkits/bobkit.php
  159. tmp/.bkp ! Bobkit Rootkit ::rootkits/bobkit.php
  160. usr/lib/.bkit- ! Bobkit Rootkit ::rootkits/bobkit.php
  161. */bkit- ! Bobkit Rootkit ::rootkits/bobkit.php
  162. # Hidrootkit
  163. var/lib/games/.k ! Hidr00tkit ::
  164. # Ark
  165. dev/ptyxx ! Ark rootkit ::
  166. #Mithra Rootkit
  167. usr/lib/locale/uboot ! Mithra`s rootkit ::
  168. # Optickit
  169. usr/bin/xsf ! OpticKit ::
  170. usr/bin/xchk ! OpticKit ::
  171. # LOC rootkit
  172. tmp/xp ! LOC rookit ::
  173. tmp/kidd0.c ! LOC rookit ::
  174. tmp/kidd0 ! LOC rookit ::
  175. # TC2 worm
  176. usr/info/.tc2k ! TC2 Worm ::
  177. usr/bin/util ! TC2 Worm ::
  178. usr/sbin/initcheck ! TC2 Worm ::
  179. usr/sbin/ldb ! TC2 Worm ::
  180. # Anonoiyng rootkit
  181. usr/sbin/mech ! Anonoiyng rootkit ::
  182. usr/sbin/kswapd ! Anonoiyng rootkit ::
  183. # SuckIt
  184. lib/.x ! SuckIt rootkit ::
  185. */hide.log ! Suckit rootkit ::
  186. lib/sk ! SuckIT rootkit ::
  187. # Beastkit
  188. usr/local/bin/bin ! Beastkit rootkit ::rootkits/beastkit.php
  189. usr/man/.man10 ! Beastkit rootkit ::rootkits/beastkit.php
  190. usr/sbin/arobia ! Beastkit rootkit ::rootkits/beastkit.php
  191. usr/lib/elm/arobia ! Beastkit rootkit ::rootkits/beastkit.php
  192. usr/local/bin/.../bktd ! Beastkit rootkit ::rootkits/beastkit.php
  193. # Tuxkit
  194. dev/tux ! Tuxkit rootkit ::rootkits/Tuxkit.php
  195. usr/bin/xsf ! Tuxkit rootkit ::rootkits/Tuxkit.php
  196. usr/bin/xchk ! Tuxkit rootkit ::rootkits/Tuxkit.php
  197. */.file ! Tuxkit rootkit ::rootkits/Tuxkit.php
  198. */.addr ! Tuxkit rootkit ::rootkits/Tuxkit.php
  199. # Old rootkits
  200. usr/include/rpc/ ../kit ! Old rootkits ::rootkits/Old.php
  201. usr/include/rpc/ ../kit2 ! Old rootkits ::rootkits/Old.php
  202. usr/doc/.sl ! Old rootkits ::rootkits/Old.php
  203. usr/doc/.sp ! Old rootkits ::rootkits/Old.php
  204. usr/doc/.statnet ! Old rootkits ::rootkits/Old.php
  205. usr/doc/.logdsys ! Old rootkits ::rootkits/Old.php
  206. usr/doc/.dpct ! Old rootkits ::rootkits/Old.php
  207. usr/doc/.gifnocfi ! Old rootkits ::rootkits/Old.php
  208. usr/doc/.dnif ! Old rootkits ::rootkits/Old.php
  209. usr/doc/.nigol ! Old rootkits ::rootkits/Old.php
  210. # Kenga3 rootkit
  211. usr/include/. . ! Kenga3 rootkit
  212. # ESRK rootkit
  213. usr/lib/tcl5.3 ! ESRK rootkit
  214. # Fu rootkit
  215. sbin/xc ! Fu rootkit
  216. usr/include/ivtype.h ! Fu rootkit
  217. bin/.lib ! Fu rootkit
  218. # ShKit rootkit
  219. lib/security/.config ! ShKit rootkit
  220. etc/ld.so.hash ! ShKit rootkit
  221. # AjaKit rootkit
  222. lib/.ligh.gh ! AjaKit rootkit
  223. lib/.libgh.gh ! AjaKit rootkit
  224. lib/.libgh-gh ! AjaKit rootkit
  225. dev/tux ! AjaKit rootkit
  226. dev/tux/.proc ! AjaKit rootkit
  227. dev/tux/.file ! AjaKit rootkit
  228. # zaRwT rootkit
  229. bin/imin ! zaRwT rootkit
  230. bin/imout ! zaRwT rootkit
  231. # Madalin rootkit
  232. usr/include/icekey.h ! Madalin rootkit
  233. usr/include/iceconf.h ! Madalin rootkit
  234. usr/include/iceseed.h ! Madalin rootkit
  235. # shv5 rootkit XXX http://www.askaboutskating.com/forum/.../shv5/setup
  236. lib/libsh.so ! shv5 rootkit
  237. usr/lib/libsh ! shv5 rootkit
  238. # BMBL rootkit (http://www.giac.com/practical/GSEC/Steve_Terrell_GSEC.pdf)
  239. etc/.bmbl ! BMBL rootkit
  240. etc/.bmbl/sk ! BMBL rootkit
  241. # rootedoor rootkit
  242. */rootedoor ! Rootedoor rootkit
  243. # 0vason rootkit
  244. */ovas0n ! ovas0n rootkit ::/rootkits/ovason.php
  245. */ovason ! ovas0n rootkit ::/rootkits/ovason.php
  246. # Rpimp reverse telnet
  247. */rpimp ! rpv21 (Reverse Pimpage)::/rootkits/rpimp.php
  248. # Cback Linux worm
  249. tmp/cback ! cback worm ::/rootkits/cback.php
  250. tmp/derfiq ! cback worm ::/rootkits/cback.php
  251. # aPa Kit (from rkhunter)
  252. usr/share/.aPa ! Apa Kit
  253. # enye-sec Rootkit
  254. etc/.enyelkmHIDE^IT.ko ! enye-sec Rootkit ::/rootkits/enye-sec.php
  255. # Override Rootkit
  256. dev/grid-hide-pid- ! Override rootkit ::/rootkits/override.php
  257. dev/grid-unhide-pid- ! Override rootkit ::/rootkits/override.php
  258. dev/grid-show-pids ! Override rootkit ::/rootkits/override.php
  259. dev/grid-hide-port- ! Override rootkit ::/rootkits/override.php
  260. dev/grid-unhide-port- ! Override rootkit ::/rootkits/override.php
  261. # PHALANX rootkit
  262. usr/share/.home* ! PHALANX rootkit ::
  263. usr/share/.home*/tty ! PHALANX rootkit ::
  264. etc/host.ph1 ! PHALANX rootkit ::
  265. bin/host.ph1 ! PHALANX rootkit ::
  266. # ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf)
  267. # and from chkrootkit
  268. usr/share/.zk ! ZK rootkit ::
  269. usr/share/.zk/zk ! ZK rootkit ::
  270. etc/1ssue.net ! ZK rootkit ::
  271. usr/X11R6/.zk ! ZK rootkit ::
  272. usr/X11R6/.zk/xfs ! ZK rootkit ::
  273. usr/X11R6/.zk/echo ! ZK rootkit ::
  274. etc/sysconfig/console/load.zk ! ZK rootkit ::
  275. # Public sniffers
  276. */.linux-sniff ! Sniffer log ::
  277. */sniff-l0g ! Sniffer log ::
  278. */core_$ ! Sniffer log ::
  279. */tcp.log ! Sniffer log ::
  280. */chipsul ! Sniffer log ::
  281. */beshina ! Sniffer log ::
  282. */.owned$ ! Sniffer log ::
  283. # Solaris worm -
  284. # http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen
  285. var/adm/.profile ! Solaris Worm ::
  286. var/spool/lp/.profile ! Solaris Worm ::
  287. var/adm/sa/.adm ! Solaris Worm ::
  288. var/spool/lp/admins/.lp ! Solaris Worm ::
  289. #Suspicious files
  290. etc/rc.d/init.d/rc.modules ! Suspicious file ::rootkits/Suspicious.php
  291. lib/ldd.so ! Suspicious file ::rootkits/Suspicious.php
  292. usr/man/muie ! Suspicious file ::rootkits/Suspicious.php
  293. usr/X11R6/include/pain ! Suspicious file ::rootkits/Suspicious.php
  294. usr/bin/sourcemask ! Suspicious file ::rootkits/Suspicious.php
  295. usr/bin/ras2xm ! Suspicious file ::rootkits/Suspicious.php
  296. usr/bin/ddc ! Suspicious file ::rootkits/Suspicious.php
  297. usr/bin/jdc ! Suspicious file ::rootkits/Suspicious.php
  298. usr/sbin/in.telnet ! Suspicious file ::rootkits/Suspicious.php
  299. sbin/vobiscum ! Suspicious file ::rootkits/Suspicious.php
  300. usr/sbin/jcd ! Suspicious file ::rootkits/Suspicious.php
  301. usr/sbin/atd2 ! Suspicious file ::rootkits/Suspicious.php
  302. usr/bin/ishit ! Suspicious file ::rootkits/Suspicious.php
  303. usr/bin/.etc ! Suspicious file ::rootkits/Suspicious.php
  304. usr/bin/xstat ! Suspicious file ::rootkits/Suspicious.php
  305. var/run/.tmp ! Suspicious file ::rootkits/Suspicious.php
  306. usr/man/man1/lib/.lib ! Suspicious file ::rootkits/Suspicious.php
  307. usr/man/man2/.man8 ! Suspicious file ::rootkits/Suspicious.php
  308. var/run/.pid ! Suspicious file ::rootkits/Suspicious.php
  309. lib/.so ! Suspicious file ::rootkits/Suspicious.php
  310. lib/.fx ! Suspicious file ::rootkits/Suspicious.php
  311. lib/lblip.tk ! Suspicious file ::rootkits/Suspicious.php
  312. usr/lib/.fx ! Suspicious file ::rootkits/Suspicious.php
  313. var/local/.lpd ! Suspicious file ::rootkits/Suspicious.php
  314. dev/rd/cdb ! Suspicious file ::rootkits/Suspicious.php
  315. dev/.rd/ ! Suspicious file ::rootkits/Suspicious.php
  316. usr/lib/pt07 ! Suspicious file ::rootkits/Suspicious.php
  317. usr/bin/atm ! Suspicious file ::rootkits/Suspicious.php
  318. tmp/.cheese ! Suspicious file ::rootkits/Suspicious.php
  319. dev/.arctic ! Suspicious file ::rootkits/Suspicious.php
  320. dev/.xman ! Suspicious file ::rootkits/Suspicious.php
  321. dev/.golf ! Suspicious file ::rootkits/Suspicious.php
  322. dev/srd0 ! Suspicious file ::rootkits/Suspicious.php
  323. dev/ptyzx ! Suspicious file ::rootkits/Suspicious.php
  324. dev/ptyzg ! Suspicious file ::rootkits/Suspicious.php
  325. dev/xdf1 ! Suspicious file ::rootkits/Suspicious.php
  326. dev/ttyop ! Suspicious file ::rootkits/Suspicious.php
  327. dev/ttyof ! Suspicious file ::rootkits/Suspicious.php
  328. dev/hd7 ! Suspicious file ::rootkits/Suspicious.php
  329. dev/hdx1 ! Suspicious file ::rootkits/Suspicious.php
  330. dev/hdx2 ! Suspicious file ::rootkits/Suspicious.php
  331. dev/xdf2 ! Suspicious file ::rootkits/Suspicious.php
  332. dev/ptyp ! Suspicious file ::rootkits/Suspicious.php
  333. dev/ptyr ! Suspicious file ::rootkits/Suspicious.php
  334. sbin/pback ! Suspicious file ::rootkits/Suspicious.php
  335. usr/man/man3/psid ! Suspicious file ::rootkits/Suspicious.php
  336. proc/kset ! Suspicious file ::rootkits/Suspicious.php
  337. usr/bin/gib ! Suspicious file ::rootkits/Suspicious.php
  338. usr/bin/snick ! Suspicious file ::rootkits/Suspicious.php
  339. usr/bin/kfl ! Suspicious file ::rootkits/Suspicious.php
  340. tmp/.dump ! Suspicious file ::rootkits/Suspicious.php
  341. var/.x ! Suspicious file ::rootkits/Suspicious.php
  342. var/.x/psotnic ! Suspicious file ::rootkits/Suspicious.php
  343. */.log ! Suspicious file ::rootkits/Suspicious.php
  344. */ecmf ! Suspicious file ::rootkits/Suspicious.php
  345. */mirkforce ! Suspicious file ::rootkits/Suspicious.php
  346. */mfclean ! Suspicious file ::rootkits/Suspicious.php