X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=debian%2Fossec-hids%2Fvar%2Fossec%2Fetc%2Fshared%2Frootkit_trojans.txt;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Fetc%2Fshared%2Frootkit_trojans.txt;h=669ef30502fee95cad083f657c029f36fb41afb3;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=0000000000000000000000000000000000000000;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b;p=ossec-hids.git diff --git a/debian/ossec-hids/var/ossec/etc/shared/rootkit_trojans.txt b/debian/ossec-hids/var/ossec/etc/shared/rootkit_trojans.txt new file mode 100644 index 0000000..669ef30 --- /dev/null +++ b/debian/ossec-hids/var/ossec/etc/shared/rootkit_trojans.txt @@ -0,0 +1,107 @@ +# rootkit_trojans.txt, (C) 2018 OSSEC Project +# Imported from the rootcheck project. +# Some entries taken from the chkrootkit project. +# +# Released under the same license as OSSEC. +# More details at the LICENSE file included with OSSEC or online +# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE +# +# Blank lines and lines starting with '#' are ignored. +# +# Each line must be in the following format: +# file_name !string_to_search!Description + +# Common binaries and public trojan entries +ls !bash|^/bin/sh|dev/[^clu]|\.tmp/lsfile|duarawkz|/prof|/security|file\.h! +env !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh! +echo !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! +chown !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! +chmod !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! +chgrp !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! +cat !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! +bash !proc\.h|/dev/[0-9]|/dev/[hijkz]! +sh !proc\.h|/dev/[0-9]|/dev/[hijkz]! +uname !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh! +date !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cln]|^/bin/.*sh! +du !w0rm|/prof|file\.h! +df !bash|^/bin/sh|file\.h|proc\.h|/dev/[^clurdv]|^/bin/.*sh! +login !elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk! +passwd !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]! +mingetty !bash|Dimensioni|pacchetto! +chfn !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]! +chsh !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]! +mail !bash|file\.h|proc\.h|/dev/[^nu]! +su !/dev/[d-s,abuvxz]|/dev/[A-D]|/dev/[F-Z]|/dev/[0-9]|satori|vejeta|conf\.inv! +sudo !satori|vejeta|conf\.inv! +crond !/dev/[^nt]|bash! +gpm !bash|mingetty! +ifconfig !bash|^/bin/sh|/dev/tux|session.null|/dev/[^cludisopt]! +diff !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh! +md5sum !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh! +hdparm !bash|/dev/ida! +ldd !/dev/[^n]|proc\.h|libshow.so|libproc.a! + +# Trojan entries for troubleshooting binaries +grep !bash|givemer! +egrep !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh! +find !bash|/dev/[^tnlcs]|/prof|/home/virus|file\.h! +lsof !/prof|/dev/[^apcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp! +netstat !bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h! +top !/dev/[^npi3st%]|proc\.h|/prof/! +ps !/dev/ttyo|\.1proc|proc\.h|bash|^/bin/sh! +tcpdump !bash|^/bin/sh|file\.h|proc\.h|/dev/[^bu]|^/bin/.*sh! +pidof !bash|^/bin/sh|file\.h|proc\.h|/dev/[^f]|^/bin/.*sh! +fuser !bash|^/bin/sh|file\.h|proc\.h|/dev/[a-dtz]|^/bin/.*sh! +w !uname -a|proc\.h|bash! + +# Trojan entries for common daemons +sendmail !bash|fuck! +named !bash|blah|/dev/[0-9]|^/bin/sh! +inetd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^un%]|^/bin/.*sh! +apachectl !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh! +sshd !check_global_passwd|panasonic|satori|vejeta|\.ark|/hash\.zk|bash|/dev[a-s]|/dev[A-Z]/! +syslogd !bash|/usr/lib/pt07|/dev/[^cln]]|syslogs\.h|proc\.h! +xinetd !bash|file\.h|proc\.h! +in.telnetd !cterm100|vt350|VT100|ansi-term|bash|^/bin/sh|/dev[A-R]|/dev/[a-z]/! +in.fingerd !bash|^/bin/sh|cterm100|/dev/! +identd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh! +init !bash|/dev/h +tcpd !bash|proc\.h|p1r0c4|hack|/dev/[^n]! +rlogin !p1r0c4|r00t|bash|/dev/[^nt]! + +# Kill trojan +killall !/dev/[^t%]|proc\.h|bash|tmp! +kill !/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\.h|bash|tmp! + +# Rootkit entries +/etc/rc.d/rc.sysinit !enyelkmHIDE! enye-sec Rootkit + +# ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf) +/etc/sysconfig/console/load.zk !/bin/sh! ZK rootkit +/etc/sysconfig/console/load.zk !usr/bin/run! ZK rootkit + +# Modified /etc/hosts entries +# Idea taken from: +# http://blog.tenablesecurity.com/2006/12/detecting_compr.html +# http://www.sophos.com/security/analyses/trojbagledll.html +# http://www.f-secure.com/v-descs/fantibag_b.shtml +/etc/hosts !^[^#]*avp.ch!Anti-virus site on the hosts file +/etc/hosts !^[^#]*avp.ru!Anti-virus site on the hosts file +/etc/hosts !^[^#]*awaps.net! Anti-virus site on the hosts file +/etc/hosts !^[^#]*ca.com! Anti-virus site on the hosts file +/etc/hosts !^[^#]*mcafee.com! Anti-virus site on the hosts file +/etc/hosts !^[^#]*microsoft.com! Anti-virus site on the hosts file +/etc/hosts !^[^#]*f-secure.com! Anti-virus site on the hosts file +/etc/hosts !^[^#]*sophos.com! Anti-virus site on the hosts file +/etc/hosts !^[^#]*symantec.com! Anti-virus site on the hosts file +/etc/hosts !^[^#]*my-etrust.com! Anti-virus site on the hosts file +/etc/hosts !^[^#]*nai.com! Anti-virus site on the hosts file +/etc/hosts !^[^#]*networkassociates.com! Anti-virus site on the hosts file +/etc/hosts !^[^#]*viruslist.ru! Anti-virus site on the hosts file +/etc/hosts !^[^#]*kaspersky! Anti-virus site on the hosts file +/etc/hosts !^[^#]*symantecliveupdate.com! Anti-virus site on the hosts file +/etc/hosts !^[^#]*grisoft.com! Anti-virus site on the hosts file +/etc/hosts !^[^#]*clamav.net! Anti-virus site on the hosts file +/etc/hosts !^[^#]*bitdefender.com! Anti-virus site on the hosts file +/etc/hosts !^[^#]*antivirus.com! Anti-virus site on the hosts file +/etc/hosts !^[^#]*sans.org! Security site on the hosts file