-# @(#) $Id: rootkit_trojans.txt,v 1.20 2009/06/03 19:18:32 dcid Exp $
+# @(#) $Id: ./src/rootcheck/db/rootkit_trojans.txt, 2012/04/26 dcid Exp $
+
#
# rootkit_trojans.txt, (C) Daniel B. Cid
# Imported from the rootcheck project.
sh !proc\.h|/dev/[0-9]|/dev/[hijkz]!
uname !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh!
date !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cln]|^/bin/.*sh!
-du !/dev|w0rm|/prof|file\.h!
+du !w0rm|/prof|file\.h!
df !bash|^/bin/sh|file\.h|proc\.h|/dev/[^clurdv]|^/bin/.*sh!
-login !bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk!
+login !elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk!
passwd !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]!
mingetty !bash|Dimensioni|pacchetto!
chfn !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
chsh !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
mail !bash|file\.h|proc\.h|/dev/[^nu]!
-su !bash|/dev/[d-s,abuvxz]|/dev/[A-D]|/dev/[F-Z]|/dev/[0-9]|satori|vejeta|conf\.inv!
-sudo !bash|satori|vejeta|conf\.inv!
+su !/dev/[d-s,abuvxz]|/dev/[A-D]|/dev/[F-Z]|/dev/[0-9]|satori|vejeta|conf\.inv!
+sudo !satori|vejeta|conf\.inv!
crond !/dev/[^nt]|bash!
gpm !bash|mingetty!
ifconfig !bash|^/bin/sh|/dev/tux|session.null|/dev/[^cludisopt]!
in.telnetd !cterm100|vt350|VT100|ansi-term|bash|^/bin/sh|/dev[A-R]|/dev/[a-z]/!
in.fingerd !bash|^/bin/sh|cterm100|/dev/!
identd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
-init !bash|/dev/h|HOME!
+init !bash|/dev/h
tcpd !bash|proc\.h|p1r0c4|hack|/dev/[^n]!
rlogin !p1r0c4|r00t|bash|/dev/[^nt]!
# Rootkit entries
-/sbin/init !HOME! Suckit rootkit
-/proc/1/maps !init.! Suckit rootkit
/etc/rc.d/rc.sysinit !enyelkmHIDE! enye-sec Rootkit
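Review bot: The new `init` line (`+init !bash|/dev/h`) is missing the closing `!` delimiter that every other entry in this file uses to terminate its pattern, so it is the only malformed signature in the database after this change. Dropping `HOME` from the pattern is clearly deliberate (the Suckit entries below are removed in the same hunk), but the line looks like a partial edit; depending on how rootcheck tokenizes the `!...!` field, the entry may be ignored or the pattern may be read incorrectly, which would silently lose the `init` check. It should read `init !bash|/dev/h!`. The hunk appears to be cut at the top (no `@@` header is visible) and the database may continue past the last visible line, so I have only reviewed the entries shown.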