-# @(#) $Id$
-#
-# rootkit_trojans.txt, (C) Daniel B. Cid
+# rootkit_trojans.txt, (C) 2018 OSSEC Project
# Imported from the rootcheck project.
# Some entries taken from the chkrootkit project.
#
-# Lines starting with '#' are not going to be read (comments).
-# Blank lines are not going to be read too.
-#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
+#
+# Blank lines and lines starting with '#' are ignored.
+#
# Each line must be in the following format:
# file_name !string_to_search!Description
-# Commom binaries and public trojan entries
+# Common binaries and public trojan entries
ls !bash|^/bin/sh|dev/[^clu]|\.tmp/lsfile|duarawkz|/prof|/security|file\.h!
-env !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
-echo !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
-chown !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
-chmod !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
-chgrp !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
-cat !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
-bash !proc\.h|/dev/[0-9]|/dev/[hijkz]!
-sh !proc\.h|/dev/[0-9]|/dev/[hijkz]!
-uname !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh!
-date !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cln]|^/bin/.*sh!
-du !w0rm|/prof|file\.h!
-df !bash|^/bin/sh|file\.h|proc\.h|/dev/[^clurdv]|^/bin/.*sh!
-login !elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk!
-passwd !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]!
-mingetty !bash|Dimensioni|pacchetto!
-chfn !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
-chsh !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
-mail !bash|file\.h|proc\.h|/dev/[^nu]!
-su !/dev/[d-s,abuvxz]|/dev/[A-D]|/dev/[F-Z]|/dev/[0-9]|satori|vejeta|conf\.inv!
-sudo !satori|vejeta|conf\.inv!
-crond !/dev/[^nt]|bash!
-gpm !bash|mingetty!
-ifconfig !bash|^/bin/sh|/dev/tux|session.null|/dev/[^cludisopt]!
-diff !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
-md5sum !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
-hdparm !bash|/dev/ida!
-ldd !/dev/[^n]|proc\.h|libshow.so|libproc.a!
-
+env !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
+echo !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
+chown !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
+chmod !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
+chgrp !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
+cat !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
+bash !proc\.h|/dev/[0-9]|/dev/[hijkz]!
+sh !proc\.h|/dev/[0-9]|/dev/[hijkz]!
+uname !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh!
+date !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cln]|^/bin/.*sh!
+du !w0rm|/prof|file\.h!
+df !bash|^/bin/sh|file\.h|proc\.h|/dev/[^clurdv]|^/bin/.*sh!
+login !elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk!
+passwd !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]!
+mingetty !bash|Dimensioni|pacchetto!
+chfn !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
+chsh !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
+mail !bash|file\.h|proc\.h|/dev/[^nu]!
+su !/dev/[d-s,abuvxz]|/dev/[A-D]|/dev/[F-Z]|/dev/[0-9]|satori|vejeta|conf\.inv!
+sudo !satori|vejeta|conf\.inv!
+crond !/dev/[^nt]|bash!
+gpm !bash|mingetty!
+ifconfig !bash|^/bin/sh|/dev/tux|session.null|/dev/[^cludisopt]!
+diff !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
+md5sum !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
+hdparm !bash|/dev/ida!
+ldd !/dev/[^n]|proc\.h|libshow.so|libproc.a!
# Trojan entries for troubleshooting binaries
-
-grep !bash|givemer|/dev/!
-egrep !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
-find !bash|/dev/[^tnlcs]|/prof|/home/virus|file\.h!
-lsof !/prof|/dev/[^apcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp!
-netstat !bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h!
-top !/dev/[^npi3st%]|proc\.h|/prof/!
-ps !/dev/ttyo|\.1proc|proc\.h|bash|^/bin/sh!
-tcpdump !bash|^/bin/sh|file\.h|proc\.h|/dev/[^bu]|^/bin/.*sh!
-pidof !bash|^/bin/sh|file\.h|proc\.h|/dev/[^f]|^/bin/.*sh!
-fuser !bash|^/bin/sh|file\.h|proc\.h|/dev/[a-dtz]|^/bin/.*sh!
-w !uname -a|proc\.h|bash!
-
+grep !bash|givemer!
+egrep !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
+find !bash|/dev/[^tnlcs]|/prof|/home/virus|file\.h!
+lsof !/prof|/dev/[^apcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp!
+netstat !bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h!
+top !/dev/[^npi3st%]|proc\.h|/prof/!
+ps !/dev/ttyo|\.1proc|proc\.h|bash|^/bin/sh!
+tcpdump !bash|^/bin/sh|file\.h|proc\.h|/dev/[^bu]|^/bin/.*sh!
+pidof !bash|^/bin/sh|file\.h|proc\.h|/dev/[^f]|^/bin/.*sh!
+fuser !bash|^/bin/sh|file\.h|proc\.h|/dev/[a-dtz]|^/bin/.*sh!
+w !uname -a|proc\.h|bash!
# Trojan entries for common daemons
-
-sendmail !bash|fuck!
-named !bash|blah|/dev/[0-9]|^/bin/sh!
-inetd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^un%]|^/bin/.*sh!
-apachectl !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
-sshd !check_global_passwd|panasonic|satori|vejeta|\.ark|/hash\.zk|bash|/dev[a-s]|/dev[A-Z]/!
-syslogd !bash|/usr/lib/pt07|/dev/[^cln]]|syslogs\.h|proc\.h!
-xinetd !bash|file\.h|proc\.h!
-in.telnetd !cterm100|vt350|VT100|ansi-term|bash|^/bin/sh|/dev[A-R]|/dev/[a-z]/!
-in.fingerd !bash|^/bin/sh|cterm100|/dev/!
-identd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
-init !bash|/dev/h|HOME!
-tcpd !bash|proc\.h|p1r0c4|hack|/dev/[^n]!
-rlogin !p1r0c4|r00t|bash|/dev/[^nt]!
-
+sendmail !bash|fuck!
+named !bash|blah|/dev/[0-9]|^/bin/sh!
+inetd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^un%]|^/bin/.*sh!
+apachectl !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
+sshd !check_global_passwd|panasonic|satori|vejeta|\.ark|/hash\.zk|bash|/dev[a-s]|/dev[A-Z]/!
+syslogd !bash|/usr/lib/pt07|/dev/[^cln]]|syslogs\.h|proc\.h!
+xinetd !bash|file\.h|proc\.h!
+in.telnetd !cterm100|vt350|VT100|ansi-term|bash|^/bin/sh|/dev[A-R]|/dev/[a-z]/!
+in.fingerd !bash|^/bin/sh|cterm100|/dev/!
+identd !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
+init !bash|/dev/h
+tcpd !bash|proc\.h|p1r0c4|hack|/dev/[^n]!
+rlogin !p1r0c4|r00t|bash|/dev/[^nt]!
# Kill trojan
-
-killall !/dev/[^t%]|proc\.h|bash|tmp!
-kill !/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\.h|bash|tmp!
-
+killall !/dev/[^t%]|proc\.h|bash|tmp!
+kill !/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\.h|bash|tmp!
# Rootkit entries
-/sbin/init !HOME! Suckit rootkit
-/proc/1/maps !init.! Suckit rootkit
/etc/rc.d/rc.sysinit !enyelkmHIDE! enye-sec Rootkit
-
# ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf)
/etc/sysconfig/console/load.zk !/bin/sh! ZK rootkit
/etc/sysconfig/console/load.zk !usr/bin/run! ZK rootkit
-
# Modified /etc/hosts entries
# Idea taken from:
# http://blog.tenablesecurity.com/2006/12/detecting_compr.html
/etc/hosts !^[^#]*bitdefender.com! Anti-virus site on the hosts file
/etc/hosts !^[^#]*antivirus.com! Anti-virus site on the hosts file
/etc/hosts !^[^#]*sans.org! Security site on the hosts file
-
-# EOF #
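Review bot: The new `init` entry at `init !bash|/dev/h` is missing its closing `!`, so it no longer matches the `file_name !string_to_search!Description` format the header itself documents; depending on how the rootcheck parser treats a missing terminator, the `init` trojan check is most likely skipped silently rather than applied. If dropping the `HOME` alternative is intended (it pairs with the removed `/sbin/init !HOME! Suckit rootkit` line), the entry should read `init !bash|/dev/h!`. Separately, the copied `syslogd` line keeps `/dev/[^cln]]` with a stray `]`, which appears to be pre-existing but probably makes that alternative match only a literal `]` after the device name, so it may be worth correcting to `/dev/[^cln]` in the same pass.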