1 # rootkit_files.txt, (C) 2018 OSSEC Project
2 # Imported from the rootcheck project.
4 # Released under the same license as OSSEC.
5 # More details at the LICENSE file included with OSSEC or online
6 # at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
8 # Blank lines and lines starting with '#' are ignored.
# Each line must be in the following format:
# file_name ! Name ::Link to it
#  - file_name is relative to the filesystem root (no leading '/'), so
#    usr/bin/adore refers to /usr/bin/adore.
#  - Name is the human-readable label attached to the match.
#  - The '::Link' part is a reference page for the signature. A number of
#    entries further down (e.g. Kenga3 through BMBL) omit the '::' field
#    entirely; presumably the parser tolerates that, but confirm before
#    adding new link-less entries.
#  - Some paths deliberately contain odd components such as '...', '. .'
#    or ' ..' (with a leading space). These are the hiding directories the
#    rootkit creates, not typos, and must not be "cleaned up".
#  - Only the separators ' ! ' and ' ::' are documented; a line using any
#    other separator does not match this format.
# Files that start with an '*' will be searched in the whole system.
16 tmp/mcliZokhb ! Bash door ::/rootkits/bashdoor.php
17 tmp/mclzaKmfa ! Bash door ::/rootkits/bashdoor.php
20 dev/.shit/red.tgz ! Adore Worm ::/rootkits/adorew.php
21 usr/lib/libt ! Adore Worm ::/rootkits/adorew.php
22 usr/bin/adore ! Adore Worm ::/rootkits/adorew.php
23 */klogd.o ! Adore Worm ::/rootkits/adorew.php
24 */red.tar ! Adore Worm ::/rootkits/adorew.php
27 usr/bin/soucemask ! TRK rootkit ::/rootkits/trk.php
28 usr/bin/sourcemask ! TRK rootkit ::/rootkits/trk.php
31 tmp/.../a ! 55808.A Worm ::
32 tmp/.../r ! 55808.A Worm ::
35 usr/lib/volc ! Volc Rootkit ::
36 usr/bin/volc ! Volc Rootkit ::
39 lib/security/.config ! Illogic Rootkit ::rootkits/illogic.php
40 usr/bin/sia ! Illogic Rootkit ::rootkits/illogic.php
41 etc/ld.so.hash ! Illogic Rootkit ::rootkits/illogic.php
42 */uconf.inv ! Illogic Rootkit ::rootkits/illogic.php
45 usr/src/.puta ! t0rn Rootkit ::rootkits/torn.php
46 usr/info/.t0rn ! t0rn Rootkit ::rootkits/torn.php
47 lib/ldlib.tk ! t0rn Rootkit ::rootkits/torn.php
48 etc/ttyhash ! t0rn Rootkit ::rootkits/torn.php
49 sbin/xlogin ! t0rn Rootkit ::rootkits/torn.php
50 */ldlib.tk ! t0rn Rootkit ::rootkits/torn.php
51 */.t0rn ! t0rn Rootkit ::rootkits/torn.php
52 */.puta ! t0rn Rootkit ::rootkits/torn.php
59 usr/src/linux/modules/autod.o ! RK17 ::
60 usr/src/linux/modules/soundx.o ! RK17 ::
63 usr/lib/ldlibps.so ! Ramen Worm ::rootkits/ramen.php
64 usr/lib/ldlibns.so ! Ramen Worm ::rootkits/ramen.php
65 usr/lib/ldliblogin.so ! Ramen Worm ::rootkits/ramen.php
66 usr/src/.poop ! Ramen Worm ::rootkits/ramen.php
67 tmp/ramen.tgz ! Ramen Worm ::rootkits/ramen.php
68 etc/xinetd.d/asp ! Ramen Worm ::rootkits/ramen.php
71 dev/cuc ! Sadmind/IIS Worm ::
75 usr/lib/libpikapp.a ! Monkit found ::
78 usr/bin/kr4p ! RSHA ::
79 usr/bin/n3tstat ! RSHA ::
80 usr/bin/chsh2 ! RSHA ::
81 usr/bin/slice2 ! RSHA ::
82 etc/rc.d/rsha ! RSHA ::
87 usr/sbin/in.slogind ! ShitC ::
90 dev/chr ! Omega Worm ::
93 bin/.ps ! Rh-Sharpe ::
94 usr/bin/cleaner ! Rh-Sharpe ::
95 usr/bin/slice ! Rh-Sharpe ::
96 usr/bin/vadim ! Rh-Sharpe ::
97 usr/bin/.ps ! Rh-Sharpe ::
98 bin/.lpstree ! Rh-Sharpe ::
99 usr/bin/.lpstree ! Rh-Sharpe ::
100 usr/bin/lnetstat ! Rh-Sharpe ::
101 bin/lnetstat ! Rh-Sharpe ::
102 usr/bin/ldu ! Rh-Sharpe ::
103 bin/ldu ! Rh-Sharpe ::
104 usr/bin/lkillall ! Rh-Sharpe ::
105 bin/lkillall ! Rh-Sharpe ::
106 usr/include/rpcsvc/du ! Rh-Sharpe ::
109 usr/bin/mailrc ! Maniac RK ::
112 usr/lib/.egcs ! Showtee ::
113 usr/lib/.wormie ! Showtee ::
114 usr/lib/.kinetic ! Showtee ::
115 usr/lib/liblog.o ! Showtee ::
116 usr/include/addr.h ! Showtee / Romanian rootkit ::
117 usr/include/cron.h ! Showtee ::
118 usr/include/file.h ! Showtee / Romanian rootkit ::
119 usr/include/syslogs.h ! Showtee / Romanian rootkit ::
120 usr/include/proc.h ! Showtee / Romanian rootkit ::
121 usr/include/chk.h ! Showtee ::
122 usr/sbin/initdl ! Romanian rootkit ::
123 usr/sbin/xntps ! Romanian rootkit ::
126 usr/bin/xchk ! Optickit ::
127 usr/bin/xsf ! Optickit ::
130 dev/.kork ! LDP Worm ::
131 bin/.login ! LDP Worm ::
132 bin/.ps ! LDP Worm ::
135 dev/hda06 ! TeLeKit trojan ::
136 usr/info/libc1.so ! TeleKit trojan ::
139 dev/wd4 ! Tribe bot ::
142 dev/ida/.inet ! LRK rootkit ::rootkits/lrk.php
143 */bindshell ! LRK rootkit ::rootkits/lrk.php
146 etc/bin/ava ! Adore Rootkit ::
147 etc/sbin/ava ! Adore Rootkit ::
150 tmp/.bugtraq ! Slapper installed ::
151 tmp/.bugtraq.c ! Slapper installed ::
152 tmp/.cinik ! Slapper installed ::
153 tmp/.b ! Slapper installed ::
154 tmp/httpd ! Slapper installed ::
# NOTE(review): this entry previously read 'tmp./update', i.e. a path under a
# non-existent top-level 'tmp.' directory, so it could never match anything.
# The Slapper backdoor binary is commonly reported as /tmp/update; confirm
# against the worm's IOC description before relying on this signature.
tmp/update ! Slapper installed ::
156 tmp/.unlock ! Slapper installed ::
157 tmp/.font-unix/.cinik ! Slapper installed ::
158 tmp/.cinik ! Slapper installed ::
161 tmp/.uua ! Scalper installed ::
162 tmp/.a ! Scalper installed ::
165 proc/knark ! Knark Installed ::rootkits/knark.php
166 dev/.pizda ! Knark Installed ::rootkits/knark.php
167 dev/.pula ! Knark Installed ::rootkits/knark.php
168 dev/.pula ! Knark Installed ::rootkits/knark.php
169 */taskhack ! Knark Installed ::rootkits/knark.php
170 */rootme ! Knark Installed ::rootkits/knark.php
171 */nethide ! Knark Installed ::rootkits/knark.php
172 */hidef ! Knark Installed ::rootkits/knark.php
173 */ered ! Knark Installed ::rootkits/knark.php
176 dev/.lib ! Lion Worm ::rootkits/lion.php
177 dev/.lib/1iOn.sh ! Lion Worm ::rootkits/lion.php
178 bin/mjy ! Lion Worm ::rootkits/lion.php
179 bin/in.telnetd ! Lion Worm ::rootkits/lion.php
180 usr/info/torn ! Lion Worm ::rootkits/lion.php
# NOTE(review): the backslash below implies regex-style matching of the file
# name. If the checker compares names literally, '1iOn\.sh' will never match
# the real '1iOn.sh'; verify how whole-system ('*') names are compared.
*/1iOn\.sh ! Lion Worm ::rootkits/lion.php
184 usr/include/.../ ! Bobkit Rootkit ::rootkits/bobkit.php
185 usr/lib/.../ ! Bobkit Rootkit ::rootkits/bobkit.php
186 usr/sbin/.../ ! Bobkit Rootkit ::rootkits/bobkit.php
187 usr/bin/ntpsx ! Bobkit Rootkit ::rootkits/bobkit.php
188 tmp/.bkp ! Bobkit Rootkit ::rootkits/bobkit.php
189 usr/lib/.bkit- ! Bobkit Rootkit ::rootkits/bobkit.php
190 */bkit- ! Bobkit Rootkit ::rootkits/bobkit.php
193 var/lib/games/.k ! Hidr00tkit ::
196 dev/ptyxx ! Ark rootkit ::
199 usr/lib/locale/uboot ! Mithra`s rootkit ::
202 usr/bin/xsf ! OpticKit ::
203 usr/bin/xchk ! OpticKit ::
206 tmp/xp ! LOC rookit ::
207 tmp/kidd0.c ! LOC rookit ::
208 tmp/kidd0 ! LOC rookit ::
211 usr/info/.tc2k ! TC2 Worm ::
212 usr/bin/util ! TC2 Worm ::
213 usr/sbin/initcheck ! TC2 Worm ::
214 usr/sbin/ldb ! TC2 Worm ::
217 usr/sbin/mech ! Anonoiyng rootkit ::
218 usr/sbin/kswapd ! Anonoiyng rootkit ::
221 lib/.x ! SuckIt rootkit ::
222 */hide.log ! Suckit rootkit ::
223 lib/sk ! SuckIT rootkit ::
226 usr/local/bin/bin ! Beastkit rootkit ::rootkits/beastkit.php
227 usr/man/.man10 ! Beastkit rootkit ::rootkits/beastkit.php
228 usr/sbin/arobia ! Beastkit rootkit ::rootkits/beastkit.php
229 usr/lib/elm/arobia ! Beastkit rootkit ::rootkits/beastkit.php
230 usr/local/bin/.../bktd ! Beastkit rootkit ::rootkits/beastkit.php
233 dev/tux ! Tuxkit rootkit ::rootkits/Tuxkit.php
234 usr/bin/xsf ! Tuxkit rootkit ::rootkits/Tuxkit.php
235 usr/bin/xchk ! Tuxkit rootkit ::rootkits/Tuxkit.php
236 */.file ! Tuxkit rootkit ::rootkits/Tuxkit.php
237 */.addr ! Tuxkit rootkit ::rootkits/Tuxkit.php
240 usr/include/rpc/ ../kit ! Old rootkits ::rootkits/Old.php
241 usr/include/rpc/ ../kit2 ! Old rootkits ::rootkits/Old.php
242 usr/doc/.sl ! Old rootkits ::rootkits/Old.php
243 usr/doc/.sp ! Old rootkits ::rootkits/Old.php
244 usr/doc/.statnet ! Old rootkits ::rootkits/Old.php
245 usr/doc/.logdsys ! Old rootkits ::rootkits/Old.php
246 usr/doc/.dpct ! Old rootkits ::rootkits/Old.php
247 usr/doc/.gifnocfi ! Old rootkits ::rootkits/Old.php
248 usr/doc/.dnif ! Old rootkits ::rootkits/Old.php
249 usr/doc/.nigol ! Old rootkits ::rootkits/Old.php
252 usr/include/. . ! Kenga3 rootkit
255 usr/lib/tcl5.3 ! ESRK rootkit
259 usr/include/ivtype.h ! Fu rootkit
260 bin/.lib ! Fu rootkit
263 lib/security/.config ! ShKit rootkit
264 etc/ld.so.hash ! ShKit rootkit
267 lib/.ligh.gh ! AjaKit rootkit
268 lib/.libgh.gh ! AjaKit rootkit
269 lib/.libgh-gh ! AjaKit rootkit
270 dev/tux ! AjaKit rootkit
271 dev/tux/.proc ! AjaKit rootkit
272 dev/tux/.file ! AjaKit rootkit
275 bin/imin ! zaRwT rootkit
276 bin/imout ! zaRwT rootkit
279 usr/include/icekey.h ! Madalin rootkit
280 usr/include/iceconf.h ! Madalin rootkit
281 usr/include/iceseed.h ! Madalin rootkit
283 # shv5 rootkit XXX http://www.askaboutskating.com/forum/.../shv5/setup
284 lib/libsh.so ! shv5 rootkit
285 usr/lib/libsh ! shv5 rootkit
287 # BMBL rootkit (http://www.giac.com/practical/GSEC/Steve_Terrell_GSEC.pdf)
288 etc/.bmbl ! BMBL rootkit
289 etc/.bmbl/sk ! BMBL rootkit
292 */rootedoor ! Rootedoor rootkit
295 */ovas0n ! ovas0n rootkit ::/rootkits/ovason.php
296 */ovason ! ovas0n rootkit ::/rootkits/ovason.php
298 # Rpimp reverse telnet
299 */rpimp ! rpv21 (Reverse Pimpage)::/rootkits/rpimp.php
302 tmp/cback ! cback worm ::/rootkits/cback.php
303 tmp/derfiq ! cback worm ::/rootkits/cback.php
305 # aPa Kit (from rkhunter)
306 usr/share/.aPa ! Apa Kit
309 etc/.enyelkmHIDE^IT.ko ! enye-sec Rootkit ::/rootkits/enye-sec.php
312 dev/grid-hide-pid- ! Override rootkit ::/rootkits/override.php
313 dev/grid-unhide-pid- ! Override rootkit ::/rootkits/override.php
314 dev/grid-show-pids ! Override rootkit ::/rootkits/override.php
315 dev/grid-hide-port- ! Override rootkit ::/rootkits/override.php
316 dev/grid-unhide-port- ! Override rootkit ::/rootkits/override.php
# NOTE(review): the '*' inside these two paths is not the leading-'*'
# whole-system search described in the header. Confirm the checker expands
# it as a glob; otherwise the entries only match a literal '.home*' name.
usr/share/.home* ! PHALANX rootkit ::
usr/share/.home*/tty ! PHALANX rootkit ::
321 etc/host.ph1 ! PHALANX rootkit ::
322 bin/host.ph1 ! PHALANX rootkit ::
324 # ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf)
325 # and from chkrootkit
326 usr/share/.zk ! ZK rootkit ::
327 usr/share/.zk/zk ! ZK rootkit ::
328 etc/1ssue.net ! ZK rootkit ::
329 usr/X11R6/.zk ! ZK rootkit ::
330 usr/X11R6/.zk/xfs ! ZK rootkit ::
331 usr/X11R6/.zk/echo ! ZK rootkit ::
332 etc/sysconfig/console/load.zk ! ZK rootkit ::
335 */.linux-sniff ! Sniffer log ::
336 */sniff-l0g ! Sniffer log ::
337 */core_$ ! Sniffer log ::
338 */tcp.log ! Sniffer log ::
339 */chipsul ! Sniffer log ::
340 */beshina ! Sniffer log ::
# The separator on this line was '|' instead of the documented '!', so the
# entry did not follow the file format; corrected to '!'. The trailing '$'
# (also used by */core_$ above) is kept as-is, on the assumption that it is
# part of the intended pattern — verify against the matcher.
*/.owned$ ! Sniffer log ::
344 # http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen
345 var/adm/.profile ! Solaris Worm ::
346 var/spool/lp/.profile ! Solaris Worm ::
347 var/adm/sa/.adm ! Solaris Worm ::
348 var/spool/lp/admins/.lp ! Solaris Worm ::
351 etc/rc.d/init.d/rc.modules ! Suspicious file ::rootkits/Suspicious.php
352 lib/ldd.so ! Suspicious file ::rootkits/Suspicious.php
353 usr/man/muie ! Suspicious file ::rootkits/Suspicious.php
354 usr/X11R6/include/pain ! Suspicious file ::rootkits/Suspicious.php
355 usr/bin/sourcemask ! Suspicious file ::rootkits/Suspicious.php
356 usr/bin/ras2xm ! Suspicious file ::rootkits/Suspicious.php
357 usr/bin/ddc ! Suspicious file ::rootkits/Suspicious.php
358 usr/bin/jdc ! Suspicious file ::rootkits/Suspicious.php
359 usr/sbin/in.telnet ! Suspicious file ::rootkits/Suspicious.php
360 sbin/vobiscum ! Suspicious file ::rootkits/Suspicious.php
361 usr/sbin/jcd ! Suspicious file ::rootkits/Suspicious.php
362 usr/sbin/atd2 ! Suspicious file ::rootkits/Suspicious.php
363 usr/bin/ishit ! Suspicious file ::rootkits/Suspicious.php
364 usr/bin/.etc ! Suspicious file ::rootkits/Suspicious.php
365 usr/bin/xstat ! Suspicious file ::rootkits/Suspicious.php
366 var/run/.tmp ! Suspicious file ::rootkits/Suspicious.php
367 usr/man/man1/lib/.lib ! Suspicious file ::rootkits/Suspicious.php
368 usr/man/man2/.man8 ! Suspicious file ::rootkits/Suspicious.php
369 var/run/.pid ! Suspicious file ::rootkits/Suspicious.php
370 lib/.so ! Suspicious file ::rootkits/Suspicious.php
371 lib/.fx ! Suspicious file ::rootkits/Suspicious.php
372 lib/lblip.tk ! Suspicious file ::rootkits/Suspicious.php
373 usr/lib/.fx ! Suspicious file ::rootkits/Suspicious.php
374 var/local/.lpd ! Suspicious file ::rootkits/Suspicious.php
375 dev/rd/cdb ! Suspicious file ::rootkits/Suspicious.php
376 dev/.rd/ ! Suspicious file ::rootkits/Suspicious.php
377 usr/lib/pt07 ! Suspicious file ::rootkits/Suspicious.php
378 usr/bin/atm ! Suspicious file ::rootkits/Suspicious.php
379 tmp/.cheese ! Suspicious file ::rootkits/Suspicious.php
380 dev/.arctic ! Suspicious file ::rootkits/Suspicious.php
381 dev/.xman ! Suspicious file ::rootkits/Suspicious.php
382 dev/.golf ! Suspicious file ::rootkits/Suspicious.php
383 dev/srd0 ! Suspicious file ::rootkits/Suspicious.php
384 dev/ptyzx ! Suspicious file ::rootkits/Suspicious.php
385 dev/ptyzg ! Suspicious file ::rootkits/Suspicious.php
386 dev/xdf1 ! Suspicious file ::rootkits/Suspicious.php
387 dev/ttyop ! Suspicious file ::rootkits/Suspicious.php
388 dev/ttyof ! Suspicious file ::rootkits/Suspicious.php
389 dev/hd7 ! Suspicious file ::rootkits/Suspicious.php
390 dev/hdx1 ! Suspicious file ::rootkits/Suspicious.php
391 dev/hdx2 ! Suspicious file ::rootkits/Suspicious.php
392 dev/xdf2 ! Suspicious file ::rootkits/Suspicious.php
393 dev/ptyp ! Suspicious file ::rootkits/Suspicious.php
394 dev/ptyr ! Suspicious file ::rootkits/Suspicious.php
395 sbin/pback ! Suspicious file ::rootkits/Suspicious.php
396 usr/man/man3/psid ! Suspicious file ::rootkits/Suspicious.php
397 proc/kset ! Suspicious file ::rootkits/Suspicious.php
398 usr/bin/gib ! Suspicious file ::rootkits/Suspicious.php
399 usr/bin/snick ! Suspicious file ::rootkits/Suspicious.php
400 usr/bin/kfl ! Suspicious file ::rootkits/Suspicious.php
401 tmp/.dump ! Suspicious file ::rootkits/Suspicious.php
402 var/.x ! Suspicious file ::rootkits/Suspicious.php
403 var/.x/psotnic ! Suspicious file ::rootkits/Suspicious.php
404 */.log ! Suspicious file ::rootkits/Suspicious.php
405 */ecmf ! Suspicious file ::rootkits/Suspicious.php
406 */mirkforce ! Suspicious file ::rootkits/Suspicious.php
407 */mfclean ! Suspicious file ::rootkits/Suspicious.php