  1# @(#) $Id: ./src/rootcheck/db/rootkit_files.txt, 2011/09/08 dcid Exp $
  2
  3#
  4# rootkit_files.txt, (C) Daniel B. Cid
  5# Imported from the rootcheck project.
  6#
# Lines starting with '#' are ignored.
# Blank lines are ignored as well.
#
# Each line must be in the following format:
# file_name ! Name ::Link to it
#
# file_name is written without the leading '/' (e.g. "tmp/foo" for /tmp/foo),
# exactly as the entries below do. Name is the text reported when the file is
# found, and the part after '::' is an optional reference link (it may be left
# empty, as many entries here do). Watch the separator: it must be '!', not '|'.
 12
# Entries that start with '*/' are searched for across the whole filesystem
# rather than at a single fixed path. Keep these to distinctive names: a
# generic one (e.g. "*/.log") will also match legitimate files and produce
# noise that has to be triaged by hand.
 15
 16
 17# Bash door
 18tmp/mcliZokhb			! Bash door ::/rootkits/bashdoor.php
 19tmp/mclzaKmfa			! Bash door ::/rootkits/bashdoor.php
 20
 21
 22#adore Worm
 23dev/.shit/red.tgz		! Adore Worm ::/rootkits/adorew.php
 24usr/lib/libt			! Adore Worm ::/rootkits/adorew.php
 25usr/bin/adore			! Adore Worm ::/rootkits/adorew.php
 26*/klogd.o               ! Adore Worm ::/rootkits/adorew.php
 27*/red.tar               ! Adore Worm ::/rootkits/adorew.php
 28
 29
 30#T.R.K rootkit
 31usr/bin/soucemask		! TRK rootkit ::/rootkits/trk.php
 32usr/bin/sourcemask		! TRK rootkit ::/rootkits/trk.php
 33
 34
 35# 55.808.A Worm
 36tmp/.../a			    ! 55808.A Worm ::
 37tmp/.../r			    ! 55808.A Worm ::
 38
 39
 40# Volc Rootkit
 41usr/lib/volc			! Volc Rootkit ::
 42usr/bin/volc 			! Volc Rootkit ::
 43
 44
 45# Illogic
 46lib/security/.config	! Illogic Rootkit ::rootkits/illogic.php
 47usr/bin/sia			    ! Illogic Rootkit ::rootkits/illogic.php
 48etc/ld.so.hash			! Illogic Rootkit ::rootkits/illogic.php
 49*/uconf.inv 			! Illogic Rootkit ::rootkits/illogic.php
 50
 51
 52#T0rnkit installed
 53usr/src/.puta			! t0rn Rootkit ::rootkits/torn.php 
 54usr/info/.t0rn			! t0rn Rootkit ::rootkits/torn.php
 55lib/ldlib.tk			! t0rn Rootkit ::rootkits/torn.php
 56etc/ttyhash			    ! t0rn Rootkit ::rootkits/torn.php
 57sbin/xlogin			    ! t0rn Rootkit ::rootkits/torn.php
 58*/ldlib.tk              ! t0rn Rootkit ::rootkits/torn.php
 59*/.t0rn                 ! t0rn Rootkit ::rootkits/torn.php
 60*/.puta                 ! t0rn Rootkit ::rootkits/torn.php
 61
 62
 63#RK17
 64bin/rtty			! RK17 ::
 65bin/squit			! RK17 ::
 66sbin/pback			! RK17 ::
 67proc/kset			! RK17 ::
 68usr/src/linux/modules/autod.o	! RK17 ::
 69usr/src/linux/modules/soundx.o	! RK17 ::
 70
 71
 72# Ramen Worm
 73usr/lib/ldlibps.so 		! Ramen Worm ::rootkits/ramen.php
 74usr/lib/ldlibns.so 		! Ramen Worm ::rootkits/ramen.php
 75usr/lib/ldliblogin.so 	! Ramen Worm ::rootkits/ramen.php
 76usr/src/.poop			! Ramen Worm ::rootkits/ramen.php
 77tmp/ramen.tgz			! Ramen Worm ::rootkits/ramen.php
 78etc/xinetd.d/asp		! Ramen Worm ::rootkits/ramen.php
 79
 80
 81# Sadmind/IIS Worm
 82dev/cuc				    ! Sadmind/IIS Worm ::
 83
 84
 85#Monkit
 86lib/defs		    	! Monkit ::
 87usr/lib/libpikapp.a		! Monkit found ::
 88
 89
 90#RSHA
 91usr/bin/kr4p 			! RSHA ::
 92usr/bin/n3tstat			! RSHA ::
 93usr/bin/chsh2			! RSHA ::
 94usr/bin/slice2			! RSHA ::
 95etc/rc.d/rsha			! RSHA ::
 96
 97
 98#ShitC worm
 99bin/home			    ! ShitC ::
100sbin/home			    ! ShitC ::
101usr/sbin/in.slogind		! ShitC ::
102
103
104#Omega Worm
105dev/chr				    ! Omega Worm ::
106
107
108#rh-sharpe
109bin/.ps				    ! Rh-Sharpe ::
110usr/bin/cleaner			! Rh-Sharpe ::
111usr/bin/slice			! Rh-Sharpe ::
112usr/bin/vadim			! Rh-Sharpe ::
113usr/bin/.ps			    ! Rh-Sharpe ::
114bin/.lpstree			! Rh-Sharpe ::
115usr/bin/.lpstree		! Rh-Sharpe ::
116usr/bin/lnetstat		! Rh-Sharpe ::
117bin/lnetstat			! Rh-Sharpe ::
118usr/bin/ldu			    ! Rh-Sharpe ::
119bin/ldu				    ! Rh-Sharpe ::
120usr/bin/lkillall		! Rh-Sharpe ::
121bin/lkillall			! Rh-Sharpe ::
122usr/include/rpcsvc/du	! Rh-Sharpe ::
123
124
125#Maniac RK 
126usr/bin/mailrc			! Maniac RK ::
127
128
129#Showtee / romaniam
130usr/lib/.egcs			! Showtee ::
131usr/lib/.wormie			! Showtee ::
132usr/lib/.kinetic		! Showtee ::
133usr/lib/liblog.o		! Showtee ::
134usr/include/addr.h		! Showtee / Romanian rootkit ::
135usr/include/cron.h		! Showtee ::
136usr/include/file.h		! Showtee / Romaniam rootkit ::
137usr/include/syslogs.h	! Showtee / Romaniam rootkit ::
138usr/include/proc.h		! Showtee / Romaniam rootkit ::
139usr/include/chk.h		! Showtee ::
140usr/sbin/initdl			! Romanian rootkit ::
141usr/sbin/xntps			! Romanian rootkit ::
142
143
144#Optickit
145usr/bin/xchk			! Optickit ::
146usr/bin/xsf			    ! Optickit ::
147
148
149# LDP worm 
150dev/.kork			! LDP Worm ::
151bin/.login			! LDP Worm ::
152bin/.ps				! LDP Worm ::
153
154
155# Telekit
156dev/hda06			! TeLeKit trojan ::
157usr/info/libc1.so 		! TeleKit trojan ::
158
159
160# Tribe bot
161dev/wd4 			! Tribe bot ::
162
163
164# LRK
165dev/ida/.inet 			! LRK rootkit ::rootkits/lrk.php
166*/bindshell 			! LRK rootkit ::rootkits/lrk.php
167
168
169# Adore Rootkit
170etc/bin/ava 			! Adore Rootkit ::
171etc/sbin/ava 			! Adore Rootkit ::
172
173
174# Slapper
175tmp/.bugtraq 			! Slapper installed ::
176tmp/.bugtraq.c 			! Slapper installed ::
177tmp/.cinik 			    ! Slapper installed ::
178tmp/.b 				    ! Slapper installed ::
179tmp/httpd 			    ! Slapper installed ::
# NOTE(review): "tmp./update" looks like a typo (it would be checked as
# "/tmp./update", which can never match); the intended entry is presumably
# tmp/.update -- confirm against the Slapper file list before changing it.
tmp./update 			! Slapper installed ::
181tmp/.unlock 			! Slapper installed ::
182tmp/.font-unix/.cinik   ! Slapper installed ::
183tmp/.cinik              ! Slapper installed ::
184
185
186
187# Scalper
188tmp/.uua 			! Scalper installed ::
189tmp/.a 				! Scalper installed ::
190
191
192# Knark 
193proc/knark 			! Knark Installed ::rootkits/knark.php
194dev/.pizda 			! Knark Installed ::rootkits/knark.php
195dev/.pula 			! Knark Installed ::rootkits/knark.php
196dev/.pula 			! Knark Installed ::rootkits/knark.php
197*/taskhack          ! Knark Installed ::rootkits/knark.php
198*/rootme            ! Knark Installed ::rootkits/knark.php
199*/nethide           ! Knark Installed ::rootkits/knark.php
200*/hidef             ! Knark Installed ::rootkits/knark.php
201*/ered              ! Knark Installed ::rootkits/knark.php
202
203
204# Lion worm
205dev/.lib 			! Lion Worm ::rootkits/lion.php
206dev/.lib/1iOn.sh 	! Lion Worm ::rootkits/lion.php
207bin/mjy				! Lion Worm ::rootkits/lion.php
208bin/in.telnetd		! Lion Worm ::rootkits/lion.php
209usr/info/torn		! Lion Worm ::rootkits/lion.php
210*/1iOn\.sh  		! Lion Worm ::rootkits/lion.php
211
212
213# Bobkit
214usr/include/.../		! Bobkit Rootkit ::rootkits/bobkit.php
215usr/lib/.../			! Bobkit Rootkit ::rootkits/bobkit.php
216usr/sbin/.../			! Bobkit Rootkit ::rootkits/bobkit.php
217usr/bin/ntpsx			! Bobkit Rootkit ::rootkits/bobkit.php
218tmp/.bkp			    ! Bobkit Rootkit ::rootkits/bobkit.php
219usr/lib/.bkit-		    ! Bobkit Rootkit ::rootkits/bobkit.php
220*/bkit-	    		    ! Bobkit Rootkit ::rootkits/bobkit.php
221
222# Hidrootkit
223var/lib/games/.k		! Hidr00tkit ::
224
225 
226# Ark
227dev/ptyxx			! Ark rootkit ::
228
229
230#Mithra Rootkit
231usr/lib/locale/uboot 		! Mithra`s rootkit ::
232
233
234# Optickit
235usr/bin/xsf 			! OpticKit ::
236usr/bin/xchk 			! OpticKit ::
237
238
239# LOC rookit
240tmp/xp 				! LOC rookit ::
241tmp/kidd0.c 			! LOC rookit ::
242tmp/kidd0 			! LOC rookit ::
243
244
245# TC2 worm
246usr/info/.tc2k	 		! TC2 Worm ::
247usr/bin/util 			! TC2 Worm ::
248usr/sbin/initcheck 		! TC2 Worm ::
249usr/sbin/ldb 			! TC2 Worm ::
250
251
252# Anonoiyng rootkit
253usr/sbin/mech 			! Anonoiyng rootkit ::
254usr/sbin/kswapd 		! Anonoiyng rootkit ::
255
256
257# SuckIt
258lib/.x				! SuckIt rootkit ::
259*/hide.log          ! Suckit rootkit ::
260lib/sk              ! SuckIT rootkit ::
261
262
263# Beastkit
264usr/local/bin/bin		! Beastkit rootkit ::rootkits/beastkit.php
265usr/man/.man10			! Beastkit rootkit ::rootkits/beastkit.php
266usr/sbin/arobia			! Beastkit rootkit ::rootkits/beastkit.php
267usr/lib/elm/arobia		! Beastkit rootkit ::rootkits/beastkit.php
268usr/local/bin/.../bktd	! Beastkit rootkit ::rootkits/beastkit.php
269
270
271# Tuxkit
272dev/tux				! Tuxkit rootkit ::rootkits/Tuxkit.php
273usr/bin/xsf			! Tuxkit rootkit ::rootkits/Tuxkit.php
274usr/bin/xchk		! Tuxkit rootkit ::rootkits/Tuxkit.php
275*/.file             ! Tuxkit rootkit ::rootkits/Tuxkit.php
276*/.addr             ! Tuxkit rootkit ::rootkits/Tuxkit.php
277
278
279# Old rootkits
280usr/include/rpc/ ../kit		! Old rootkits ::rootkits/Old.php
281usr/include/rpc/ ../kit2	! Old rootkits ::rootkits/Old.php
282usr/doc/.sl			    ! Old rootkits ::rootkits/Old.php
283usr/doc/.sp			    ! Old rootkits ::rootkits/Old.php
284usr/doc/.statnet		! Old rootkits ::rootkits/Old.php
285usr/doc/.logdsys		! Old rootkits ::rootkits/Old.php
286usr/doc/.dpct			! Old rootkits ::rootkits/Old.php
287usr/doc/.gifnocfi		! Old rootkits ::rootkits/Old.php
288usr/doc/.dnif			! Old rootkits ::rootkits/Old.php
289usr/doc/.nigol			! Old rootkits ::rootkits/Old.php
290
291
292# Kenga3 rootkit
293usr/include/. .         ! Kenga3 rootkit
294
295
296# ESRK rootkit
297usr/lib/tcl5.3          ! ESRK rootkit
298
299
300# Fu rootkit
301sbin/xc                 ! Fu rootkit
302usr/include/ivtype.h    ! Fu rootkit
303bin/.lib                ! Fu rootkit
304
305
306# ShKit rootkit
307lib/security/.config    ! ShKit rootkit
308etc/ld.so.hash          ! ShKit rootkit
309
310
311# AjaKit rootkit
312lib/.ligh.gh            ! AjaKit rootkit
313lib/.libgh.gh           ! AjaKit rootkit
314lib/.libgh-gh           ! AjaKit rootkit
315dev/tux                 ! AjaKit rootkit
316dev/tux/.proc           ! AjaKit rootkit
317dev/tux/.file           ! AjaKit rootkit
318
319
320# zaRwT rootkit
321bin/imin                ! zaRwT rootkit
322bin/imout               ! zaRwT rootkit
323
324
325# Madalin rootkit
326usr/include/icekey.h    ! Madalin rootkit
327usr/include/iceconf.h   ! Madalin rootkit
328usr/include/iceseed.h   ! Madalin rootkit
329
330
# shv5 rootkit (reference: http://www.askaboutskating.com/forum/.../shv5/setup)
332lib/libsh.so            ! shv5 rootkit
333usr/lib/libsh           ! shv5 rootkit
334
335
336# BMBL rootkit (http://www.giac.com/practical/GSEC/Steve_Terrell_GSEC.pdf)
337etc/.bmbl               ! BMBL rootkit
338etc/.bmbl/sk            ! BMBL rootkit
339
340
341# rootedoor rootkit
342*/rootedoor             ! Rootedoor rootkit
343
344
345# 0vason rootkit
346*/ovas0n                ! ovas0n rootkit ::/rootkits/ovason.php
347*/ovason                ! ovas0n rootkit ::/rootkits/ovason.php
348
349
350# Rpimp reverse telnet
351*/rpimp                 ! rpv21 (Reverse Pimpage)::/rootkits/rpimp.php
352
353
354# Cback Linux worm
355tmp/cback              ! cback worm ::/rootkits/cback.php
356tmp/derfiq             ! cback worm ::/rootkits/cback.php
357
358
359# aPa Kit (from rkhunter)
360usr/share/.aPa          ! Apa Kit
361
362
363# enye-sec Rootkit
364etc/.enyelkmHIDE^IT.ko  ! enye-sec Rootkit ::/rootkits/enye-sec.php
365
366
367# Override Rootkit
368dev/grid-hide-pid-     ! Override rootkit ::/rootkits/override.php
369dev/grid-unhide-pid-   ! Override rootkit ::/rootkits/override.php
370dev/grid-show-pids     ! Override rootkit ::/rootkits/override.php
371dev/grid-hide-port-    ! Override rootkit ::/rootkits/override.php
372dev/grid-unhide-port-  ! Override rootkit ::/rootkits/override.php
373
374
375# PHALANX rootkit
376usr/share/.home.ph1     ! PHALANX rootkit ::
377usr/share/.home.ph1/tty ! PHALANX rootkit ::
378etc/host.ph1            ! PHALANX rootkit ::
379bin/host.ph1            ! PHALANX rootkit ::
380
381
382# ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf)
383# and from chkrootkit
384usr/share/.zk                   ! ZK rootkit ::
385usr/share/.zk/zk                ! ZK rootkit ::
386etc/1ssue.net                   ! ZK rootkit ::
387usr/X11R6/.zk                   ! ZK rootkit ::
388usr/X11R6/.zk/xfs               ! ZK rootkit ::
389usr/X11R6/.zk/echo              ! ZK rootkit ::
390etc/sysconfig/console/load.zk   ! ZK rootkit ::
391
392
# Sniffer logs (files commonly left behind by packet sniffers)
394*/.linux-sniff          ! Sniffer log ::
395*/sniff-l0g             ! Sniffer log ::
396*/core_$                ! Sniffer log ::
397*/tcp.log               ! Sniffer log ::
398*/chipsul               ! Sniffer log ::
399*/beshina               ! Sniffer log ::
*/.owned$               ! Sniffer log ::
401
402
403# Solaris worm -
404# http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen
405var/adm/.profile        ! Solaris Worm ::
406var/spool/lp/.profile   ! Solaris Worm ::
407var/adm/sa/.adm         ! Solaris Worm ::
408var/spool/lp/admins/.lp ! Solaris Worm ::
409
410
# Suspicious files: generic indicators rather than signatures of a specific
# rootkit. A hit here warrants investigation, not an automatic "rootkit found".
412etc/rc.d/init.d/rc.modules	! Suspicious file ::rootkits/Suspicious.php
413lib/ldd.so			        ! Suspicious file ::rootkits/Suspicious.php
414usr/man/muie			    ! Suspicious file ::rootkits/Suspicious.php
415usr/X11R6/include/pain		! Suspicious file ::rootkits/Suspicious.php
416usr/bin/sourcemask 		    ! Suspicious file ::rootkits/Suspicious.php
417usr/bin/ras2xm			    ! Suspicious file ::rootkits/Suspicious.php
418usr/bin/ddc			        ! Suspicious file ::rootkits/Suspicious.php
419usr/bin/jdc			        ! Suspicious file ::rootkits/Suspicious.php
420usr/sbin/in.telnet		    ! Suspicious file ::rootkits/Suspicious.php
421sbin/vobiscum			    ! Suspicious file ::rootkits/Suspicious.php
422usr/sbin/jcd			    ! Suspicious file ::rootkits/Suspicious.php
423usr/sbin/atd2			    ! Suspicious file ::rootkits/Suspicious.php
424usr/bin/ishit               ! Suspicious file ::rootkits/Suspicious.php
425usr/bin/.etc	            ! Suspicious file ::rootkits/Suspicious.php
426usr/bin/xstat			    ! Suspicious file ::rootkits/Suspicious.php
427var/run/.tmp			    ! Suspicious file ::rootkits/Suspicious.php
428usr/man/man1/lib/.lib		! Suspicious file ::rootkits/Suspicious.php
429usr/man/man2/.man8 		    ! Suspicious file ::rootkits/Suspicious.php
430var/run/.pid			    ! Suspicious file ::rootkits/Suspicious.php
431lib/.so				        ! Suspicious file ::rootkits/Suspicious.php
432lib/.fx				        ! Suspicious file ::rootkits/Suspicious.php
433lib/lblip.tk			    ! Suspicious file ::rootkits/Suspicious.php
434usr/lib/.fx			        ! Suspicious file ::rootkits/Suspicious.php
435var/local/.lpd			    ! Suspicious file ::rootkits/Suspicious.php
436dev/rd/cdb			        ! Suspicious file ::rootkits/Suspicious.php
437dev/.rd/			        ! Suspicious file ::rootkits/Suspicious.php
438usr/lib/pt07			    ! Suspicious file ::rootkits/Suspicious.php
439usr/bin/atm			        ! Suspicious file ::rootkits/Suspicious.php
440tmp/.cheese			        ! Suspicious file ::rootkits/Suspicious.php
441dev/.arctic			        ! Suspicious file ::rootkits/Suspicious.php
442dev/.xman			        ! Suspicious file ::rootkits/Suspicious.php
443dev/.golf			        ! Suspicious file ::rootkits/Suspicious.php
444dev/srd0			        ! Suspicious file ::rootkits/Suspicious.php
445dev/ptyzx			        ! Suspicious file ::rootkits/Suspicious.php
446dev/ptyzg			        ! Suspicious file ::rootkits/Suspicious.php
447dev/xdf1			        ! Suspicious file ::rootkits/Suspicious.php
448dev/ttyop			        ! Suspicious file ::rootkits/Suspicious.php
449dev/ttyof			        ! Suspicious file ::rootkits/Suspicious.php
450dev/hd7				        ! Suspicious file ::rootkits/Suspicious.php
451dev/hdx1			        ! Suspicious file ::rootkits/Suspicious.php
452dev/hdx2			        ! Suspicious file ::rootkits/Suspicious.php
453dev/xdf2			        ! Suspicious file ::rootkits/Suspicious.php
454dev/ptyp			        ! Suspicious file ::rootkits/Suspicious.php
455dev/ptyr			        ! Suspicious file ::rootkits/Suspicious.php
456sbin/pback                  ! Suspicious file ::rootkits/Suspicious.php
457usr/man/man3/psid           ! Suspicious file ::rootkits/Suspicious.php
458proc/kset                   ! Suspicious file ::rootkits/Suspicious.php
459usr/bin/gib                 ! Suspicious file ::rootkits/Suspicious.php
460usr/bin/snick               ! Suspicious file ::rootkits/Suspicious.php
461usr/bin/kfl                 ! Suspicious file ::rootkits/Suspicious.php
462tmp/.dump                   ! Suspicious file ::rootkits/Suspicious.php
463var/.x                      ! Suspicious file ::rootkits/Suspicious.php
464var/.x/psotnic              ! Suspicious file ::rootkits/Suspicious.php
465*/.log                      ! Suspicious file ::rootkits/Suspicious.php
466*/ecmf                      ! Suspicious file ::rootkits/Suspicious.php
467*/mirkforce                 ! Suspicious file ::rootkits/Suspicious.php
468*/mfclean                   ! Suspicious file ::rootkits/Suspicious.php