# rootkit_trojans.txt, (C) 2018 OSSEC Project
# Imported from the rootcheck project.
# Some entries taken from the chkrootkit project.
#
# Released under the same license as OSSEC.
# More details at the LICENSE file included with OSSEC or online
# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
#
# Blank lines and lines starting with '#' are ignored.
#
# Each non-comment line must be in the following format:
# file_name !string_to_search!Description
# where string_to_search is a regular expression (alternatives separated by '|')
# matched against the contents of file_name, and Description may be left empty.
# Common binaries and public trojan entries
ls !bash|^/bin/sh|dev/[^clu]|\.tmp/lsfile|duarawkz|/prof|/security|file\.h!
env !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
echo !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
chown !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
chmod !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
chgrp !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
cat !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
bash !proc\.h|/dev/[0-9]|/dev/[hijkz]!
sh !proc\.h|/dev/[0-9]|/dev/[hijkz]!
uname !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh!
date !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cln]|^/bin/.*sh!
du !w0rm|/prof|file\.h!
df !bash|^/bin/sh|file\.h|proc\.h|/dev/[^clurdv]|^/bin/.*sh!
login !elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk!
passwd !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]!
mingetty !bash|Dimensioni|pacchetto!
chfn !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
chsh !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
mail !file\.h|proc\.h|/dev/[^nu]!
su !/dev/[d-s,abuvxz]|/dev/[A-D]|/dev/[F-Z]|/dev/[0-9]|satori|vejeta|conf\.inv!
sudo !satori|vejeta|conf\.inv!
crond !/dev/[^nt]|bash!
gpm !bash|mingetty!
ifconfig !bash|^/bin/sh|/dev/tux|session.null|/dev/[^cludisopt]!
diff !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
md5sum !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
hdparm !bash|/dev/ida!
ldd !/dev/[^n]|proc\.h|libshow.so|libproc.a!
# Trojan entries for troubleshooting binaries
grep !bash|givemer!
egrep !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
find !bash|/dev/[^tnlcs]|/prof|/home/virus|file\.h!
lsof !/prof|/dev/[^apcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp!
netstat !bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h!
top !/dev/[^npi3st%]|proc\.h|/prof/!
ps !/dev/ttyo|\.1proc|proc\.h|bash|^/bin/sh!
tcpdump !bash|^/bin/sh|file\.h|proc\.h|/dev/[^bu]|^/bin/.*sh!
pidof !bash|^/bin/sh|file\.h|proc\.h|/dev/[^f]|^/bin/.*sh!
fuser !bash|^/bin/sh|file\.h|proc\.h|/dev/[a-dtz]|^/bin/.*sh!
w !uname -a|proc\.h|bash!
# Trojan entries for common daemons
sendmail !bash|fuck!
named !bash|blah|/dev/[0-9]|^/bin/sh!
inetd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^un%]|^/bin/.*sh!
apachectl !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
sshd !check_global_passwd|panasonic|satori|vejeta|\.ark|/hash\.zk|bash|/dev[a-s]|/dev[A-Z]/!
syslogd !bash|/usr/lib/pt07|/dev/[^cln]]|syslogs\.h|proc\.h!
xinetd !bash|file\.h|proc\.h!
in.telnetd !cterm100|vt350|VT100|ansi-term|bash|^/bin/sh|/dev[A-R]|/dev/[a-z]/!
in.fingerd !bash|^/bin/sh|cterm100|/dev/!
identd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
init !bash|/dev/h
tcpd !bash|proc\.h|p1r0c4|hack|/dev/[^n]!
rlogin !p1r0c4|r00t|bash|/dev/[^nt]!
# Trojan entries for process-termination binaries (killall, kill)
killall !/dev/[^t%]|proc\.h|bash|tmp!
kill !/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\.h|bash|tmp!
# Rootkit entries
/etc/rc.d/rc.sysinit !enyelkmHIDE! enye-sec Rootkit
# ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf)
/etc/sysconfig/console/load.zk !/bin/sh! ZK rootkit
/etc/sysconfig/console/load.zk !usr/bin/run! ZK rootkit
# Modified /etc/hosts entries (anti-virus or security vendor hostnames mapped in the hosts file)
# Idea taken from:
# http://blog.tenablesecurity.com/2006/12/detecting_compr.html
# http://www.sophos.com/security/analyses/trojbagledll.html
# http://www.f-secure.com/v-descs/fantibag_b.shtml
/etc/hosts !^[^#]*avp.ch!Anti-virus site on the hosts file
/etc/hosts !^[^#]*avp.ru!Anti-virus site on the hosts file
/etc/hosts !^[^#]*awaps.net! Anti-virus site on the hosts file
/etc/hosts !^[^#]*ca.com! Anti-virus site on the hosts file
/etc/hosts !^[^#]*mcafee.com! Anti-virus site on the hosts file
/etc/hosts !^[^#]*microsoft.com! Anti-virus site on the hosts file
/etc/hosts !^[^#]*f-secure.com! Anti-virus site on the hosts file
/etc/hosts !^[^#]*sophos.com! Anti-virus site on the hosts file
/etc/hosts !^[^#]*symantec.com! Anti-virus site on the hosts file
/etc/hosts !^[^#]*my-etrust.com! Anti-virus site on the hosts file
/etc/hosts !^[^#]*nai.com! Anti-virus site on the hosts file
/etc/hosts !^[^#]*networkassociates.com! Anti-virus site on the hosts file
/etc/hosts !^[^#]*viruslist.ru! Anti-virus site on the hosts file
/etc/hosts !^[^#]*kaspersky! Anti-virus site on the hosts file
/etc/hosts !^[^#]*symantecliveupdate.com! Anti-virus site on the hosts file
/etc/hosts !^[^#]*grisoft.com! Anti-virus site on the hosts file
/etc/hosts !^[^#]*clamav.net! Anti-virus site on the hosts file
/etc/hosts !^[^#]*bitdefender.com! Anti-virus site on the hosts file
/etc/hosts !^[^#]*antivirus.com! Anti-virus site on the hosts file
/etc/hosts !^[^#]*sans.org! Security site on the hosts file