-# @(#) $Id: rootkit_trojans.txt,v 1.20 2009/06/03 19:18:32 dcid Exp $
+# @(#) $Id$
#
# rootkit_trojans.txt, (C) Daniel B. Cid
# Imported from the rootcheck project.
sh !proc\.h|/dev/[0-9]|/dev/[hijkz]!
uname !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh!
date !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cln]|^/bin/.*sh!
-du !/dev|w0rm|/prof|file\.h!
+du !w0rm|/prof|file\.h!
df !bash|^/bin/sh|file\.h|proc\.h|/dev/[^clurdv]|^/bin/.*sh!
-login !bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk!
+login !elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk!
passwd !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]!
mingetty !bash|Dimensioni|pacchetto!
chfn !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
chsh !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
mail !bash|file\.h|proc\.h|/dev/[^nu]!
-su !bash|/dev/[d-s,abuvxz]|/dev/[A-D]|/dev/[F-Z]|/dev/[0-9]|satori|vejeta|conf\.inv!
-sudo !bash|satori|vejeta|conf\.inv!
+su !/dev/[d-s,abuvxz]|/dev/[A-D]|/dev/[F-Z]|/dev/[0-9]|satori|vejeta|conf\.inv!
+sudo !satori|vejeta|conf\.inv!
crond !/dev/[^nt]|bash!
gpm !bash|mingetty!
ifconfig !bash|^/bin/sh|/dev/tux|session.null|/dev/[^cludisopt]!
projects / ossec-hids.git / blobdiff