--- /dev/null
+# rootkit_trojans.txt, (C) 2018 OSSEC Project
+# Imported from the rootcheck project.
+# Some entries taken from the chkrootkit project.
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
+#
+# Blank lines and lines starting with '#' are ignored.
+#
+# Each line must be in the following format:
+# file_name !string_to_search!Description
+
+# Common binaries and public trojan entries
+ls !bash|^/bin/sh|dev/[^clu]|\.tmp/lsfile|duarawkz|/prof|/security|file\.h!
+env !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
+echo !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
+chown !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
+chmod !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
+chgrp !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
+cat !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
+bash !proc\.h|/dev/[0-9]|/dev/[hijkz]!
+sh !proc\.h|/dev/[0-9]|/dev/[hijkz]!
+uname !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh!
+date !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cln]|^/bin/.*sh!
+du !w0rm|/prof|file\.h!
+df !bash|^/bin/sh|file\.h|proc\.h|/dev/[^clurdv]|^/bin/.*sh!
+login !elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk!
+passwd !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]!
+mingetty !bash|Dimensioni|pacchetto!
+chfn !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
+chsh !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
+mail !bash|file\.h|proc\.h|/dev/[^nu]!
+su !/dev/[d-s,abuvxz]|/dev/[A-D]|/dev/[F-Z]|/dev/[0-9]|satori|vejeta|conf\.inv!
+sudo !satori|vejeta|conf\.inv!
+crond !/dev/[^nt]|bash!
+gpm !bash|mingetty!
+ifconfig !bash|^/bin/sh|/dev/tux|session.null|/dev/[^cludisopt]!
+diff !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
+md5sum !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
+hdparm !bash|/dev/ida!
+ldd !/dev/[^n]|proc\.h|libshow.so|libproc.a!
+
+# Trojan entries for troubleshooting binaries
+grep !bash|givemer!
+egrep !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
+find !bash|/dev/[^tnlcs]|/prof|/home/virus|file\.h!
+lsof !/prof|/dev/[^apcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp!
+netstat !bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h!
+top !/dev/[^npi3st%]|proc\.h|/prof/!
+ps !/dev/ttyo|\.1proc|proc\.h|bash|^/bin/sh!
+tcpdump !bash|^/bin/sh|file\.h|proc\.h|/dev/[^bu]|^/bin/.*sh!
+pidof !bash|^/bin/sh|file\.h|proc\.h|/dev/[^f]|^/bin/.*sh!
+fuser !bash|^/bin/sh|file\.h|proc\.h|/dev/[a-dtz]|^/bin/.*sh!
+w !uname -a|proc\.h|bash!
+
+# Trojan entries for common daemons
+sendmail !bash|fuck!
+named !bash|blah|/dev/[0-9]|^/bin/sh!
+inetd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^un%]|^/bin/.*sh!
+apachectl !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
+sshd !check_global_passwd|panasonic|satori|vejeta|\.ark|/hash\.zk|bash|/dev[a-s]|/dev[A-Z]/!
+syslogd !bash|/usr/lib/pt07|/dev/[^cln]]|syslogs\.h|proc\.h!
+xinetd !bash|file\.h|proc\.h!
+in.telnetd !cterm100|vt350|VT100|ansi-term|bash|^/bin/sh|/dev[A-R]|/dev/[a-z]/!
+in.fingerd !bash|^/bin/sh|cterm100|/dev/!
+identd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
+init !bash|/dev/h
+tcpd !bash|proc\.h|p1r0c4|hack|/dev/[^n]!
+rlogin !p1r0c4|r00t|bash|/dev/[^nt]!
+
+# Kill trojan
+killall !/dev/[^t%]|proc\.h|bash|tmp!
+kill !/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\.h|bash|tmp!
+
+# Rootkit entries
+/etc/rc.d/rc.sysinit !enyelkmHIDE! enye-sec Rootkit
+
+# ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf)
+/etc/sysconfig/console/load.zk !/bin/sh! ZK rootkit
+/etc/sysconfig/console/load.zk !usr/bin/run! ZK rootkit
+
+# Modified /etc/hosts entries
+# Idea taken from:
+# http://blog.tenablesecurity.com/2006/12/detecting_compr.html
+# http://www.sophos.com/security/analyses/trojbagledll.html
+# http://www.f-secure.com/v-descs/fantibag_b.shtml
+/etc/hosts !^[^#]*avp.ch!Anti-virus site on the hosts file
+/etc/hosts !^[^#]*avp.ru!Anti-virus site on the hosts file
+/etc/hosts !^[^#]*awaps.net! Anti-virus site on the hosts file
+/etc/hosts !^[^#]*ca.com! Anti-virus site on the hosts file
+/etc/hosts !^[^#]*mcafee.com! Anti-virus site on the hosts file
+/etc/hosts !^[^#]*microsoft.com! Anti-virus site on the hosts file
+/etc/hosts !^[^#]*f-secure.com! Anti-virus site on the hosts file
+/etc/hosts !^[^#]*sophos.com! Anti-virus site on the hosts file
+/etc/hosts !^[^#]*symantec.com! Anti-virus site on the hosts file
+/etc/hosts !^[^#]*my-etrust.com! Anti-virus site on the hosts file
+/etc/hosts !^[^#]*nai.com! Anti-virus site on the hosts file
+/etc/hosts !^[^#]*networkassociates.com! Anti-virus site on the hosts file
+/etc/hosts !^[^#]*viruslist.ru! Anti-virus site on the hosts file
+/etc/hosts !^[^#]*kaspersky! Anti-virus site on the hosts file
+/etc/hosts !^[^#]*symantecliveupdate.com! Anti-virus site on the hosts file
+/etc/hosts !^[^#]*grisoft.com! Anti-virus site on the hosts file
+/etc/hosts !^[^#]*clamav.net! Anti-virus site on the hosts file
+/etc/hosts !^[^#]*bitdefender.com! Anti-virus site on the hosts file
+/etc/hosts !^[^#]*antivirus.com! Anti-virus site on the hosts file
+/etc/hosts !^[^#]*sans.org! Security site on the hosts file
projects / ossec-hids.git / blobdiff