--- /dev/null
+# rootkit_files.txt, (C) 2018 OSSEC Project
+# Imported from the rootcheck project.
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
+#
+# Blank lines and lines starting with '#' are ignored.
+#
+# Each line must be in the following format:
+# file_name ! Name ::Link to it
+#
+# Files that start with an '*' will be searched in the whole system.
+
+# Bash door
+tmp/mcliZokhb ! Bash door ::/rootkits/bashdoor.php
+tmp/mclzaKmfa ! Bash door ::/rootkits/bashdoor.php
+
+# adore Worm
+dev/.shit/red.tgz ! Adore Worm ::/rootkits/adorew.php
+usr/lib/libt ! Adore Worm ::/rootkits/adorew.php
+usr/bin/adore ! Adore Worm ::/rootkits/adorew.php
+*/klogd.o ! Adore Worm ::/rootkits/adorew.php
+*/red.tar ! Adore Worm ::/rootkits/adorew.php
+
+# T.R.K rootkit
+usr/bin/soucemask ! TRK rootkit ::/rootkits/trk.php
+usr/bin/sourcemask ! TRK rootkit ::/rootkits/trk.php
+
+# 55.808.A Worm
+tmp/.../a ! 55808.A Worm ::
+tmp/.../r ! 55808.A Worm ::
+
+# Volc Rootkit
+usr/lib/volc ! Volc Rootkit ::
+usr/bin/volc ! Volc Rootkit ::
+
+# Illogic
+lib/security/.config ! Illogic Rootkit ::rootkits/illogic.php
+usr/bin/sia ! Illogic Rootkit ::rootkits/illogic.php
+etc/ld.so.hash ! Illogic Rootkit ::rootkits/illogic.php
+*/uconf.inv ! Illogic Rootkit ::rootkits/illogic.php
+
+# T0rnkit
+usr/src/.puta ! t0rn Rootkit ::rootkits/torn.php
+usr/info/.t0rn ! t0rn Rootkit ::rootkits/torn.php
+lib/ldlib.tk ! t0rn Rootkit ::rootkits/torn.php
+etc/ttyhash ! t0rn Rootkit ::rootkits/torn.php
+sbin/xlogin ! t0rn Rootkit ::rootkits/torn.php
+*/ldlib.tk ! t0rn Rootkit ::rootkits/torn.php
+*/.t0rn ! t0rn Rootkit ::rootkits/torn.php
+*/.puta ! t0rn Rootkit ::rootkits/torn.php
+
+# RK17
+bin/rtty ! RK17 ::
+bin/squit ! RK17 ::
+sbin/pback ! RK17 ::
+proc/kset ! RK17 ::
+usr/src/linux/modules/autod.o ! RK17 ::
+usr/src/linux/modules/soundx.o ! RK17 ::
+
+# Ramen Worm
+usr/lib/ldlibps.so ! Ramen Worm ::rootkits/ramen.php
+usr/lib/ldlibns.so ! Ramen Worm ::rootkits/ramen.php
+usr/lib/ldliblogin.so ! Ramen Worm ::rootkits/ramen.php
+usr/src/.poop ! Ramen Worm ::rootkits/ramen.php
+tmp/ramen.tgz ! Ramen Worm ::rootkits/ramen.php
+etc/xinetd.d/asp ! Ramen Worm ::rootkits/ramen.php
+
+# Sadmind/IIS Worm
+dev/cuc ! Sadmind/IIS Worm ::
+
+# Monkit
+lib/defs ! Monkit ::
+usr/lib/libpikapp.a ! Monkit found ::
+
+# RSHA
+usr/bin/kr4p ! RSHA ::
+usr/bin/n3tstat ! RSHA ::
+usr/bin/chsh2 ! RSHA ::
+usr/bin/slice2 ! RSHA ::
+etc/rc.d/rsha ! RSHA ::
+
+# ShitC worm
+bin/home ! ShitC ::
+sbin/home ! ShitC ::
+usr/sbin/in.slogind ! ShitC ::
+
+# Omega Worm
+dev/chr ! Omega Worm ::
+
+# rh-sharpe
+bin/.ps ! Rh-Sharpe ::
+usr/bin/cleaner ! Rh-Sharpe ::
+usr/bin/slice ! Rh-Sharpe ::
+usr/bin/vadim ! Rh-Sharpe ::
+usr/bin/.ps ! Rh-Sharpe ::
+bin/.lpstree ! Rh-Sharpe ::
+usr/bin/.lpstree ! Rh-Sharpe ::
+usr/bin/lnetstat ! Rh-Sharpe ::
+bin/lnetstat ! Rh-Sharpe ::
+usr/bin/ldu ! Rh-Sharpe ::
+bin/ldu ! Rh-Sharpe ::
+usr/bin/lkillall ! Rh-Sharpe ::
+bin/lkillall ! Rh-Sharpe ::
+usr/include/rpcsvc/du ! Rh-Sharpe ::
+
+# Maniac RK
+usr/bin/mailrc ! Maniac RK ::
+
+# Showtee / Romanian
+usr/lib/.egcs ! Showtee ::
+usr/lib/.wormie ! Showtee ::
+usr/lib/.kinetic ! Showtee ::
+usr/lib/liblog.o ! Showtee ::
+usr/include/addr.h ! Showtee / Romanian rootkit ::
+usr/include/cron.h ! Showtee ::
+usr/include/file.h ! Showtee / Romanian rootkit ::
+usr/include/syslogs.h ! Showtee / Romanian rootkit ::
+usr/include/proc.h ! Showtee / Romanian rootkit ::
+usr/include/chk.h ! Showtee ::
+usr/sbin/initdl ! Romanian rootkit ::
+usr/sbin/xntps ! Romanian rootkit ::
+
+# Optickit
+usr/bin/xchk ! Optickit ::
+usr/bin/xsf ! Optickit ::
+
+# LDP worm
+dev/.kork ! LDP Worm ::
+bin/.login ! LDP Worm ::
+bin/.ps ! LDP Worm ::
+
+# Telekit
+dev/hda06 ! TeLeKit trojan ::
+usr/info/libc1.so ! TeleKit trojan ::
+
+# Tribe bot
+dev/wd4 ! Tribe bot ::
+
+# LRK
+dev/ida/.inet ! LRK rootkit ::rootkits/lrk.php
+*/bindshell ! LRK rootkit ::rootkits/lrk.php
+
+# Adore Rootkit
+etc/bin/ava ! Adore Rootkit ::
+etc/sbin/ava ! Adore Rootkit ::
+
+# Slapper
+tmp/.bugtraq ! Slapper installed ::
+tmp/.bugtraq.c ! Slapper installed ::
+tmp/.cinik ! Slapper installed ::
+tmp/.b ! Slapper installed ::
+tmp/httpd ! Slapper installed ::
+tmp./update ! Slapper installed ::
+tmp/.unlock ! Slapper installed ::
+tmp/.font-unix/.cinik ! Slapper installed ::
+tmp/.cinik ! Slapper installed ::
+
+# Scalper
+tmp/.uua ! Scalper installed ::
+tmp/.a ! Scalper installed ::
+
+# Knark
+proc/knark ! Knark Installed ::rootkits/knark.php
+dev/.pizda ! Knark Installed ::rootkits/knark.php
+dev/.pula ! Knark Installed ::rootkits/knark.php
+dev/.pula ! Knark Installed ::rootkits/knark.php
+*/taskhack ! Knark Installed ::rootkits/knark.php
+*/rootme ! Knark Installed ::rootkits/knark.php
+*/nethide ! Knark Installed ::rootkits/knark.php
+*/hidef ! Knark Installed ::rootkits/knark.php
+*/ered ! Knark Installed ::rootkits/knark.php
+
+# Lion worm
+dev/.lib ! Lion Worm ::rootkits/lion.php
+dev/.lib/1iOn.sh ! Lion Worm ::rootkits/lion.php
+bin/mjy ! Lion Worm ::rootkits/lion.php
+bin/in.telnetd ! Lion Worm ::rootkits/lion.php
+usr/info/torn ! Lion Worm ::rootkits/lion.php
+*/1iOn\.sh ! Lion Worm ::rootkits/lion.php
+
+# Bobkit
+usr/include/.../ ! Bobkit Rootkit ::rootkits/bobkit.php
+usr/lib/.../ ! Bobkit Rootkit ::rootkits/bobkit.php
+usr/sbin/.../ ! Bobkit Rootkit ::rootkits/bobkit.php
+usr/bin/ntpsx ! Bobkit Rootkit ::rootkits/bobkit.php
+tmp/.bkp ! Bobkit Rootkit ::rootkits/bobkit.php
+usr/lib/.bkit- ! Bobkit Rootkit ::rootkits/bobkit.php
+*/bkit- ! Bobkit Rootkit ::rootkits/bobkit.php
+
+# Hidrootkit
+var/lib/games/.k ! Hidr00tkit ::
+
+# Ark
+dev/ptyxx ! Ark rootkit ::
+
+# Mithra Rootkit
+usr/lib/locale/uboot ! Mithra`s rootkit ::
+
+# Optickit
+usr/bin/xsf ! OpticKit ::
+usr/bin/xchk ! OpticKit ::
+
+# LOC rookit
+tmp/xp ! LOC rookit ::
+tmp/kidd0.c ! LOC rookit ::
+tmp/kidd0 ! LOC rookit ::
+
+# TC2 worm
+usr/info/.tc2k ! TC2 Worm ::
+usr/bin/util ! TC2 Worm ::
+usr/sbin/initcheck ! TC2 Worm ::
+usr/sbin/ldb ! TC2 Worm ::
+
+# Anonoiyng rootkit
+usr/sbin/mech ! Anonoiyng rootkit ::
+usr/sbin/kswapd ! Anonoiyng rootkit ::
+
+# SuckIt
+lib/.x ! SuckIt rootkit ::
+*/hide.log ! Suckit rootkit ::
+lib/sk ! SuckIT rootkit ::
+
+# Beastkit
+usr/local/bin/bin ! Beastkit rootkit ::rootkits/beastkit.php
+usr/man/.man10 ! Beastkit rootkit ::rootkits/beastkit.php
+usr/sbin/arobia ! Beastkit rootkit ::rootkits/beastkit.php
+usr/lib/elm/arobia ! Beastkit rootkit ::rootkits/beastkit.php
+usr/local/bin/.../bktd ! Beastkit rootkit ::rootkits/beastkit.php
+
+# Tuxkit
+dev/tux ! Tuxkit rootkit ::rootkits/Tuxkit.php
+usr/bin/xsf ! Tuxkit rootkit ::rootkits/Tuxkit.php
+usr/bin/xchk ! Tuxkit rootkit ::rootkits/Tuxkit.php
+*/.file ! Tuxkit rootkit ::rootkits/Tuxkit.php
+*/.addr ! Tuxkit rootkit ::rootkits/Tuxkit.php
+
+# Old rootkits
+usr/include/rpc/ ../kit ! Old rootkits ::rootkits/Old.php
+usr/include/rpc/ ../kit2 ! Old rootkits ::rootkits/Old.php
+usr/doc/.sl ! Old rootkits ::rootkits/Old.php
+usr/doc/.sp ! Old rootkits ::rootkits/Old.php
+usr/doc/.statnet ! Old rootkits ::rootkits/Old.php
+usr/doc/.logdsys ! Old rootkits ::rootkits/Old.php
+usr/doc/.dpct ! Old rootkits ::rootkits/Old.php
+usr/doc/.gifnocfi ! Old rootkits ::rootkits/Old.php
+usr/doc/.dnif ! Old rootkits ::rootkits/Old.php
+usr/doc/.nigol ! Old rootkits ::rootkits/Old.php
+
+# Kenga3 rootkit
+usr/include/. . ! Kenga3 rootkit
+
+# ESRK rootkit
+usr/lib/tcl5.3 ! ESRK rootkit
+
+# Fu rootkit
+sbin/xc ! Fu rootkit
+usr/include/ivtype.h ! Fu rootkit
+bin/.lib ! Fu rootkit
+
+# ShKit rootkit
+lib/security/.config ! ShKit rootkit
+etc/ld.so.hash ! ShKit rootkit
+
+# AjaKit rootkit
+lib/.ligh.gh ! AjaKit rootkit
+lib/.libgh.gh ! AjaKit rootkit
+lib/.libgh-gh ! AjaKit rootkit
+dev/tux ! AjaKit rootkit
+dev/tux/.proc ! AjaKit rootkit
+dev/tux/.file ! AjaKit rootkit
+
+# zaRwT rootkit
+bin/imin ! zaRwT rootkit
+bin/imout ! zaRwT rootkit
+
+# Madalin rootkit
+usr/include/icekey.h ! Madalin rootkit
+usr/include/iceconf.h ! Madalin rootkit
+usr/include/iceseed.h ! Madalin rootkit
+
+# shv5 rootkit XXX http://www.askaboutskating.com/forum/.../shv5/setup
+lib/libsh.so ! shv5 rootkit
+usr/lib/libsh ! shv5 rootkit
+
+# BMBL rootkit (http://www.giac.com/practical/GSEC/Steve_Terrell_GSEC.pdf)
+etc/.bmbl ! BMBL rootkit
+etc/.bmbl/sk ! BMBL rootkit
+
+# rootedoor rootkit
+*/rootedoor ! Rootedoor rootkit
+
+# 0vason rootkit
+*/ovas0n ! ovas0n rootkit ::/rootkits/ovason.php
+*/ovason ! ovas0n rootkit ::/rootkits/ovason.php
+
+# Rpimp reverse telnet
+*/rpimp ! rpv21 (Reverse Pimpage)::/rootkits/rpimp.php
+
+# Cback Linux worm
+tmp/cback ! cback worm ::/rootkits/cback.php
+tmp/derfiq ! cback worm ::/rootkits/cback.php
+
+# aPa Kit (from rkhunter)
+usr/share/.aPa ! Apa Kit
+
+# enye-sec Rootkit
+etc/.enyelkmHIDE^IT.ko ! enye-sec Rootkit ::/rootkits/enye-sec.php
+
+# Override Rootkit
+dev/grid-hide-pid- ! Override rootkit ::/rootkits/override.php
+dev/grid-unhide-pid- ! Override rootkit ::/rootkits/override.php
+dev/grid-show-pids ! Override rootkit ::/rootkits/override.php
+dev/grid-hide-port- ! Override rootkit ::/rootkits/override.php
+dev/grid-unhide-port- ! Override rootkit ::/rootkits/override.php
+
+# PHALANX rootkit
+usr/share/.home* ! PHALANX rootkit ::
+usr/share/.home*/tty ! PHALANX rootkit ::
+etc/host.ph1 ! PHALANX rootkit ::
+bin/host.ph1 ! PHALANX rootkit ::
+
+# ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf)
+# and from chkrootkit
+usr/share/.zk ! ZK rootkit ::
+usr/share/.zk/zk ! ZK rootkit ::
+etc/1ssue.net ! ZK rootkit ::
+usr/X11R6/.zk ! ZK rootkit ::
+usr/X11R6/.zk/xfs ! ZK rootkit ::
+usr/X11R6/.zk/echo ! ZK rootkit ::
+etc/sysconfig/console/load.zk ! ZK rootkit ::
+
+# Public sniffers
+*/.linux-sniff ! Sniffer log ::
+*/sniff-l0g ! Sniffer log ::
+*/core_$ ! Sniffer log ::
+*/tcp.log ! Sniffer log ::
+*/chipsul ! Sniffer log ::
+*/beshina ! Sniffer log ::
+*/.owned$ | Sniffer log ::
+
+# Solaris worm -
+# http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen
+var/adm/.profile ! Solaris Worm ::
+var/spool/lp/.profile ! Solaris Worm ::
+var/adm/sa/.adm ! Solaris Worm ::
+var/spool/lp/admins/.lp ! Solaris Worm ::
+
+# Suspicious files
+etc/rc.d/init.d/rc.modules ! Suspicious file ::rootkits/Suspicious.php
+lib/ldd.so ! Suspicious file ::rootkits/Suspicious.php
+usr/man/muie ! Suspicious file ::rootkits/Suspicious.php
+usr/X11R6/include/pain ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/sourcemask ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/ras2xm ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/ddc ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/jdc ! Suspicious file ::rootkits/Suspicious.php
+usr/sbin/in.telnet ! Suspicious file ::rootkits/Suspicious.php
+sbin/vobiscum ! Suspicious file ::rootkits/Suspicious.php
+usr/sbin/jcd ! Suspicious file ::rootkits/Suspicious.php
+usr/sbin/atd2 ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/ishit ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/.etc ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/xstat ! Suspicious file ::rootkits/Suspicious.php
+var/run/.tmp ! Suspicious file ::rootkits/Suspicious.php
+usr/man/man1/lib/.lib ! Suspicious file ::rootkits/Suspicious.php
+usr/man/man2/.man8 ! Suspicious file ::rootkits/Suspicious.php
+var/run/.pid ! Suspicious file ::rootkits/Suspicious.php
+lib/.so ! Suspicious file ::rootkits/Suspicious.php
+lib/.fx ! Suspicious file ::rootkits/Suspicious.php
+lib/lblip.tk ! Suspicious file ::rootkits/Suspicious.php
+usr/lib/.fx ! Suspicious file ::rootkits/Suspicious.php
+var/local/.lpd ! Suspicious file ::rootkits/Suspicious.php
+dev/rd/cdb ! Suspicious file ::rootkits/Suspicious.php
+dev/.rd/ ! Suspicious file ::rootkits/Suspicious.php
+usr/lib/pt07 ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/atm ! Suspicious file ::rootkits/Suspicious.php
+tmp/.cheese ! Suspicious file ::rootkits/Suspicious.php
+dev/.arctic ! Suspicious file ::rootkits/Suspicious.php
+dev/.xman ! Suspicious file ::rootkits/Suspicious.php
+dev/.golf ! Suspicious file ::rootkits/Suspicious.php
+dev/srd0 ! Suspicious file ::rootkits/Suspicious.php
+dev/ptyzx ! Suspicious file ::rootkits/Suspicious.php
+dev/ptyzg ! Suspicious file ::rootkits/Suspicious.php
+dev/xdf1 ! Suspicious file ::rootkits/Suspicious.php
+dev/ttyop ! Suspicious file ::rootkits/Suspicious.php
+dev/ttyof ! Suspicious file ::rootkits/Suspicious.php
+dev/hd7 ! Suspicious file ::rootkits/Suspicious.php
+dev/hdx1 ! Suspicious file ::rootkits/Suspicious.php
+dev/hdx2 ! Suspicious file ::rootkits/Suspicious.php
+dev/xdf2 ! Suspicious file ::rootkits/Suspicious.php
+dev/ptyp ! Suspicious file ::rootkits/Suspicious.php
+dev/ptyr ! Suspicious file ::rootkits/Suspicious.php
+sbin/pback ! Suspicious file ::rootkits/Suspicious.php
+usr/man/man3/psid ! Suspicious file ::rootkits/Suspicious.php
+proc/kset ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/gib ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/snick ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/kfl ! Suspicious file ::rootkits/Suspicious.php
+tmp/.dump ! Suspicious file ::rootkits/Suspicious.php
+var/.x ! Suspicious file ::rootkits/Suspicious.php
+var/.x/psotnic ! Suspicious file ::rootkits/Suspicious.php
+*/.log ! Suspicious file ::rootkits/Suspicious.php
+*/ecmf ! Suspicious file ::rootkits/Suspicious.php
+*/mirkforce ! Suspicious file ::rootkits/Suspicious.php
+*/mfclean ! Suspicious file ::rootkits/Suspicious.php
projects / ossec-hids.git / blobdiff