X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Frootcheck%2Fdb%2Frootkit_trojans.txt;fp=src%2Frootcheck%2Fdb%2Frootkit_trojans.txt;h=669ef30502fee95cad083f657c029f36fb41afb3;hp=523770ccec215aea1f98dd1619ddb83e3e77833f;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b
diff --git a/src/rootcheck/db/rootkit_trojans.txt b/src/rootcheck/db/rootkit_trojans.txt
old mode 100755
new mode 100644
index 523770c..669ef30
--- a/src/rootcheck/db/rootkit_trojans.txt
+++ b/src/rootcheck/db/rootkit_trojans.txt
@@ -1,94 +1,85 @@ -# @(#) $Id: ./src/rootcheck/db/rootkit_trojans.txt, 2012/04/26 dcid Exp $ - -# -# rootkit_trojans.txt, (C) Daniel B. Cid +# rootkit_trojans.txt, (C) 2018 OSSEC Project # Imported from the rootcheck project. # Some entries taken from the chkrootkit project. # -# Lines starting with '#' are not going to be read (comments). -# Blank lines are not going to be read too. -# +# Released under the same license as OSSEC. +# More details at the LICENSE file included with OSSEC or online +# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE +# +# Blank lines and lines starting with '#' are ignored. +# # Each line must be in the following format: # file_name !string_to_search!Description -# Commom binaries and public trojan entries +# Common binaries and public trojan entries ls !bash|^/bin/sh|dev/[^clu]|\.tmp/lsfile|duarawkz|/prof|/security|file\.h! -env !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh! -echo !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! -chown !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! -chmod !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! -chgrp !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! -cat !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! -bash !proc\.h|/dev/[0-9]|/dev/[hijkz]! -sh !proc\.h|/dev/[0-9]|/dev/[hijkz]! -uname !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh! -date !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cln]|^/bin/.*sh! -du !w0rm|/prof|file\.h! -df !bash|^/bin/sh|file\.h|proc\.h|/dev/[^clurdv]|^/bin/.*sh! -login !elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk! -passwd !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]! -mingetty !bash|Dimensioni|pacchetto! -chfn !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]! -chsh !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]! -mail !bash|file\.h|proc\.h|/dev/[^nu]! -su !/dev/[d-s,abuvxz]|/dev/[A-D]|/dev/[F-Z]|/dev/[0-9]|satori|vejeta|conf\.inv! -sudo !satori|vejeta|conf\.inv! -crond !/dev/[^nt]|bash! 
-gpm !bash|mingetty! -ifconfig !bash|^/bin/sh|/dev/tux|session.null|/dev/[^cludisopt]! -diff !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh! -md5sum !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh! -hdparm !bash|/dev/ida! -ldd !/dev/[^n]|proc\.h|libshow.so|libproc.a! - +env !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh! +echo !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! +chown !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! +chmod !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! +chgrp !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! +cat !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh! +bash !proc\.h|/dev/[0-9]|/dev/[hijkz]! +sh !proc\.h|/dev/[0-9]|/dev/[hijkz]! +uname !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh! +date !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cln]|^/bin/.*sh! +du !w0rm|/prof|file\.h! +df !bash|^/bin/sh|file\.h|proc\.h|/dev/[^clurdv]|^/bin/.*sh! +login !elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk! +passwd !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]! +mingetty !bash|Dimensioni|pacchetto! +chfn !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]! +chsh !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]! +mail !bash|file\.h|proc\.h|/dev/[^nu]! +su !/dev/[d-s,abuvxz]|/dev/[A-D]|/dev/[F-Z]|/dev/[0-9]|satori|vejeta|conf\.inv! +sudo !satori|vejeta|conf\.inv! +crond !/dev/[^nt]|bash! +gpm !bash|mingetty! +ifconfig !bash|^/bin/sh|/dev/tux|session.null|/dev/[^cludisopt]! +diff !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh! +md5sum !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh! +hdparm !bash|/dev/ida! +ldd !/dev/[^n]|proc\.h|libshow.so|libproc.a! # Trojan entries for troubleshooting binaries - -grep !bash|givemer|/dev/! -egrep !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh! -find !bash|/dev/[^tnlcs]|/prof|/home/virus|file\.h! -lsof !/prof|/dev/[^apcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp! -netstat !bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h! 
-top !/dev/[^npi3st%]|proc\.h|/prof/! -ps !/dev/ttyo|\.1proc|proc\.h|bash|^/bin/sh! -tcpdump !bash|^/bin/sh|file\.h|proc\.h|/dev/[^bu]|^/bin/.*sh! -pidof !bash|^/bin/sh|file\.h|proc\.h|/dev/[^f]|^/bin/.*sh! -fuser !bash|^/bin/sh|file\.h|proc\.h|/dev/[a-dtz]|^/bin/.*sh! -w !uname -a|proc\.h|bash! - +grep !bash|givemer! +egrep !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh! +find !bash|/dev/[^tnlcs]|/prof|/home/virus|file\.h! +lsof !/prof|/dev/[^apcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp! +netstat !bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h! +top !/dev/[^npi3st%]|proc\.h|/prof/! +ps !/dev/ttyo|\.1proc|proc\.h|bash|^/bin/sh! +tcpdump !bash|^/bin/sh|file\.h|proc\.h|/dev/[^bu]|^/bin/.*sh! +pidof !bash|^/bin/sh|file\.h|proc\.h|/dev/[^f]|^/bin/.*sh! +fuser !bash|^/bin/sh|file\.h|proc\.h|/dev/[a-dtz]|^/bin/.*sh! +w !uname -a|proc\.h|bash! # Trojan entries for common daemons - -sendmail !bash|fuck! -named !bash|blah|/dev/[0-9]|^/bin/sh! -inetd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^un%]|^/bin/.*sh! -apachectl !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh! -sshd !check_global_passwd|panasonic|satori|vejeta|\.ark|/hash\.zk|bash|/dev[a-s]|/dev[A-Z]/! -syslogd !bash|/usr/lib/pt07|/dev/[^cln]]|syslogs\.h|proc\.h! -xinetd !bash|file\.h|proc\.h! -in.telnetd !cterm100|vt350|VT100|ansi-term|bash|^/bin/sh|/dev[A-R]|/dev/[a-z]/! -in.fingerd !bash|^/bin/sh|cterm100|/dev/! -identd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh! -init !bash|/dev/h -tcpd !bash|proc\.h|p1r0c4|hack|/dev/[^n]! -rlogin !p1r0c4|r00t|bash|/dev/[^nt]! - +sendmail !bash|fuck! +named !bash|blah|/dev/[0-9]|^/bin/sh! +inetd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^un%]|^/bin/.*sh! +apachectl !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh! +sshd !check_global_passwd|panasonic|satori|vejeta|\.ark|/hash\.zk|bash|/dev[a-s]|/dev[A-Z]/! +syslogd !bash|/usr/lib/pt07|/dev/[^cln]]|syslogs\.h|proc\.h! +xinetd !bash|file\.h|proc\.h! 
+in.telnetd !cterm100|vt350|VT100|ansi-term|bash|^/bin/sh|/dev[A-R]|/dev/[a-z]/! +in.fingerd !bash|^/bin/sh|cterm100|/dev/! +identd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh! +init !bash|/dev/h +tcpd !bash|proc\.h|p1r0c4|hack|/dev/[^n]! +rlogin !p1r0c4|r00t|bash|/dev/[^nt]! # Kill trojan - -killall !/dev/[^t%]|proc\.h|bash|tmp! -kill !/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\.h|bash|tmp! - +killall !/dev/[^t%]|proc\.h|bash|tmp! +kill !/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\.h|bash|tmp! # Rootkit entries /etc/rc.d/rc.sysinit !enyelkmHIDE! enye-sec Rootkit - # ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf) /etc/sysconfig/console/load.zk !/bin/sh! ZK rootkit /etc/sysconfig/console/load.zk !usr/bin/run! ZK rootkit - # Modified /etc/hosts entries # Idea taken from: # http://blog.tenablesecurity.com/2006/12/detecting_compr.html @@ -114,5 +105,3 @@ kill !/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\.h|bash|tmp! /etc/hosts !^[^#]*bitdefender.com! Anti-virus site on the hosts file /etc/hosts !^[^#]*antivirus.com! Anti-virus site on the hosts file /etc/hosts !^[^#]*sans.org! Security site on the hosts file - -# EOF #
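Review bot: The re-added daemon entry `+init !bash|/dev/h` is the only line in the table without a closing `!`, even though the header this commit rewrites still gives the format as `file_name !string_to_search!Description`; it should read `init !bash|/dev/h!`, since how the loader treats an unterminated pattern (skip the line, or run the pattern to end of line) is not visible from this diff and either way the `init` check is not doing what the sibling entries do. In the same section, `+syslogd !bash|/usr/lib/pt07|/dev/[^cln]]|syslogs\.h|proc\.h!` carries a doubled `]`: if the matcher treats brackets as character classes, that alternative requires a literal `]` after the device character and will not fire like the neighbouring `/dev/[^cl]`-style alternatives, so `/dev/[^cln]` is presumably what was meant — confirm against the rootcheck matcher before changing it. The narrowing of `grep !bash|givemer|/dev/!` to `grep !bash|givemer!` silently drops a detection alternative with nothing in the file recording why; a one-line comment such as `# grep: /dev/ alternative removed — <reason, e.g. false positives on stock builds>` would let the next maintainer tell a deliberate tuning decision from an accidental loss of coverage.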