X-Git-Url: http://ftp.carnet.hr/pub/carnet-debian/scm?a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Fetc%2Fshared%2Frootkit_files.txt;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Fetc%2Fshared%2Frootkit_files.txt;h=ae84c5b707150aee0b24bc07e5be5ae6c3ef7ca7;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=0000000000000000000000000000000000000000;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b;p=ossec-hids.git diff --git a/debian/ossec-hids/var/ossec/etc/shared/rootkit_files.txt b/debian/ossec-hids/var/ossec/etc/shared/rootkit_files.txt new file mode 100644 index 0000000..ae84c5b --- /dev/null +++ b/debian/ossec-hids/var/ossec/etc/shared/rootkit_files.txt @@ -0,0 +1,407 @@ +# rootkit_files.txt, (C) 2018 OSSEC Project +# Imported from the rootcheck project. +# +# Released under the same license as OSSEC. +# More details at the LICENSE file included with OSSEC or online +# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE +# +# Blank lines and lines starting with '#' are ignored. +# +# Each line must be in the following format: +# file_name ! Name ::Link to it +# +# Files that start with an '*' will be searched in the whole system. + +# Bash door +tmp/mcliZokhb ! Bash door ::/rootkits/bashdoor.php +tmp/mclzaKmfa ! Bash door ::/rootkits/bashdoor.php + +# adore Worm +dev/.shit/red.tgz ! Adore Worm ::/rootkits/adorew.php +usr/lib/libt ! Adore Worm ::/rootkits/adorew.php +usr/bin/adore ! Adore Worm ::/rootkits/adorew.php +*/klogd.o ! Adore Worm ::/rootkits/adorew.php +*/red.tar ! Adore Worm ::/rootkits/adorew.php + +# T.R.K rootkit +usr/bin/soucemask ! TRK rootkit ::/rootkits/trk.php +usr/bin/sourcemask ! TRK rootkit ::/rootkits/trk.php + +# 55.808.A Worm +tmp/.../a ! 55808.A Worm :: +tmp/.../r ! 55808.A Worm :: + +# Volc Rootkit +usr/lib/volc ! Volc Rootkit :: +usr/bin/volc ! Volc Rootkit :: + +# Illogic +lib/security/.config ! Illogic Rootkit ::rootkits/illogic.php +usr/bin/sia ! Illogic Rootkit ::rootkits/illogic.php +etc/ld.so.hash ! Illogic Rootkit ::rootkits/illogic.php +*/uconf.inv ! Illogic Rootkit ::rootkits/illogic.php + +# T0rnkit +usr/src/.puta ! t0rn Rootkit ::rootkits/torn.php +usr/info/.t0rn ! t0rn Rootkit ::rootkits/torn.php +lib/ldlib.tk ! t0rn Rootkit ::rootkits/torn.php +etc/ttyhash ! t0rn Rootkit ::rootkits/torn.php +sbin/xlogin ! t0rn Rootkit ::rootkits/torn.php +*/ldlib.tk ! t0rn Rootkit ::rootkits/torn.php +*/.t0rn ! t0rn Rootkit ::rootkits/torn.php +*/.puta ! t0rn Rootkit ::rootkits/torn.php + +# RK17 +bin/rtty ! RK17 :: +bin/squit ! RK17 :: +sbin/pback ! RK17 :: +proc/kset ! RK17 :: +usr/src/linux/modules/autod.o ! RK17 :: +usr/src/linux/modules/soundx.o ! RK17 :: + +# Ramen Worm +usr/lib/ldlibps.so ! Ramen Worm ::rootkits/ramen.php +usr/lib/ldlibns.so ! Ramen Worm ::rootkits/ramen.php +usr/lib/ldliblogin.so ! Ramen Worm ::rootkits/ramen.php +usr/src/.poop ! Ramen Worm ::rootkits/ramen.php +tmp/ramen.tgz ! Ramen Worm ::rootkits/ramen.php +etc/xinetd.d/asp ! Ramen Worm ::rootkits/ramen.php + +# Sadmind/IIS Worm +dev/cuc ! Sadmind/IIS Worm :: + +# Monkit +lib/defs ! Monkit :: +usr/lib/libpikapp.a ! Monkit found :: + +# RSHA +usr/bin/kr4p ! RSHA :: +usr/bin/n3tstat ! RSHA :: +usr/bin/chsh2 ! RSHA :: +usr/bin/slice2 ! RSHA :: +etc/rc.d/rsha ! RSHA :: + +# ShitC worm +bin/home ! ShitC :: +sbin/home ! ShitC :: +usr/sbin/in.slogind ! ShitC :: + +# Omega Worm +dev/chr ! Omega Worm :: + +# rh-sharpe +bin/.ps ! Rh-Sharpe :: +usr/bin/cleaner ! Rh-Sharpe :: +usr/bin/slice ! Rh-Sharpe :: +usr/bin/vadim ! Rh-Sharpe :: +usr/bin/.ps ! Rh-Sharpe :: +bin/.lpstree ! Rh-Sharpe :: +usr/bin/.lpstree ! Rh-Sharpe :: +usr/bin/lnetstat ! Rh-Sharpe :: +bin/lnetstat ! Rh-Sharpe :: +usr/bin/ldu ! Rh-Sharpe :: +bin/ldu ! Rh-Sharpe :: +usr/bin/lkillall ! Rh-Sharpe :: +bin/lkillall ! Rh-Sharpe :: +usr/include/rpcsvc/du ! Rh-Sharpe :: + +# Maniac RK +usr/bin/mailrc ! Maniac RK :: + +# Showtee / Romanian +usr/lib/.egcs ! Showtee :: +usr/lib/.wormie ! Showtee :: +usr/lib/.kinetic ! Showtee :: +usr/lib/liblog.o ! Showtee :: +usr/include/addr.h ! Showtee / Romanian rootkit :: +usr/include/cron.h ! Showtee :: +usr/include/file.h ! Showtee / Romanian rootkit :: +usr/include/syslogs.h ! Showtee / Romanian rootkit :: +usr/include/proc.h ! Showtee / Romanian rootkit :: +usr/include/chk.h ! Showtee :: +usr/sbin/initdl ! Romanian rootkit :: +usr/sbin/xntps ! Romanian rootkit :: + +# Optickit +usr/bin/xchk ! Optickit :: +usr/bin/xsf ! Optickit :: + +# LDP worm +dev/.kork ! LDP Worm :: +bin/.login ! LDP Worm :: +bin/.ps ! LDP Worm :: + +# Telekit +dev/hda06 ! TeLeKit trojan :: +usr/info/libc1.so ! TeleKit trojan :: + +# Tribe bot +dev/wd4 ! Tribe bot :: + +# LRK +dev/ida/.inet ! LRK rootkit ::rootkits/lrk.php +*/bindshell ! LRK rootkit ::rootkits/lrk.php + +# Adore Rootkit +etc/bin/ava ! Adore Rootkit :: +etc/sbin/ava ! Adore Rootkit :: + +# Slapper +tmp/.bugtraq ! Slapper installed :: +tmp/.bugtraq.c ! Slapper installed :: +tmp/.cinik ! Slapper installed :: +tmp/.b ! Slapper installed :: +tmp/httpd ! Slapper installed :: +tmp./update ! Slapper installed :: +tmp/.unlock ! Slapper installed :: +tmp/.font-unix/.cinik ! Slapper installed :: +tmp/.cinik ! Slapper installed :: + +# Scalper +tmp/.uua ! Scalper installed :: +tmp/.a ! Scalper installed :: + +# Knark +proc/knark ! Knark Installed ::rootkits/knark.php +dev/.pizda ! Knark Installed ::rootkits/knark.php +dev/.pula ! Knark Installed ::rootkits/knark.php +dev/.pula ! Knark Installed ::rootkits/knark.php +*/taskhack ! Knark Installed ::rootkits/knark.php +*/rootme ! Knark Installed ::rootkits/knark.php +*/nethide ! Knark Installed ::rootkits/knark.php +*/hidef ! Knark Installed ::rootkits/knark.php +*/ered ! Knark Installed ::rootkits/knark.php + +# Lion worm +dev/.lib ! Lion Worm ::rootkits/lion.php +dev/.lib/1iOn.sh ! Lion Worm ::rootkits/lion.php +bin/mjy ! Lion Worm ::rootkits/lion.php +bin/in.telnetd ! Lion Worm ::rootkits/lion.php +usr/info/torn ! Lion Worm ::rootkits/lion.php +*/1iOn\.sh ! Lion Worm ::rootkits/lion.php + +# Bobkit +usr/include/.../ ! Bobkit Rootkit ::rootkits/bobkit.php +usr/lib/.../ ! Bobkit Rootkit ::rootkits/bobkit.php +usr/sbin/.../ ! Bobkit Rootkit ::rootkits/bobkit.php +usr/bin/ntpsx ! Bobkit Rootkit ::rootkits/bobkit.php +tmp/.bkp ! Bobkit Rootkit ::rootkits/bobkit.php +usr/lib/.bkit- ! Bobkit Rootkit ::rootkits/bobkit.php +*/bkit- ! Bobkit Rootkit ::rootkits/bobkit.php + +# Hidrootkit +var/lib/games/.k ! Hidr00tkit :: + +# Ark +dev/ptyxx ! Ark rootkit :: + +# Mithra Rootkit +usr/lib/locale/uboot ! Mithra`s rootkit :: + +# Optickit +usr/bin/xsf ! OpticKit :: +usr/bin/xchk ! OpticKit :: + +# LOC rookit +tmp/xp ! LOC rookit :: +tmp/kidd0.c ! LOC rookit :: +tmp/kidd0 ! LOC rookit :: + +# TC2 worm +usr/info/.tc2k ! TC2 Worm :: +usr/bin/util ! TC2 Worm :: +usr/sbin/initcheck ! TC2 Worm :: +usr/sbin/ldb ! TC2 Worm :: + +# Anonoiyng rootkit +usr/sbin/mech ! Anonoiyng rootkit :: +usr/sbin/kswapd ! Anonoiyng rootkit :: + +# SuckIt +lib/.x ! SuckIt rootkit :: +*/hide.log ! Suckit rootkit :: +lib/sk ! SuckIT rootkit :: + +# Beastkit +usr/local/bin/bin ! Beastkit rootkit ::rootkits/beastkit.php +usr/man/.man10 ! Beastkit rootkit ::rootkits/beastkit.php +usr/sbin/arobia ! Beastkit rootkit ::rootkits/beastkit.php +usr/lib/elm/arobia ! Beastkit rootkit ::rootkits/beastkit.php +usr/local/bin/.../bktd ! Beastkit rootkit ::rootkits/beastkit.php + +# Tuxkit +dev/tux ! Tuxkit rootkit ::rootkits/Tuxkit.php +usr/bin/xsf ! Tuxkit rootkit ::rootkits/Tuxkit.php +usr/bin/xchk ! Tuxkit rootkit ::rootkits/Tuxkit.php +*/.file ! Tuxkit rootkit ::rootkits/Tuxkit.php +*/.addr ! Tuxkit rootkit ::rootkits/Tuxkit.php + +# Old rootkits +usr/include/rpc/ ../kit ! Old rootkits ::rootkits/Old.php +usr/include/rpc/ ../kit2 ! Old rootkits ::rootkits/Old.php +usr/doc/.sl ! Old rootkits ::rootkits/Old.php +usr/doc/.sp ! Old rootkits ::rootkits/Old.php +usr/doc/.statnet ! Old rootkits ::rootkits/Old.php +usr/doc/.logdsys ! Old rootkits ::rootkits/Old.php +usr/doc/.dpct ! Old rootkits ::rootkits/Old.php +usr/doc/.gifnocfi ! Old rootkits ::rootkits/Old.php +usr/doc/.dnif ! Old rootkits ::rootkits/Old.php +usr/doc/.nigol ! Old rootkits ::rootkits/Old.php + +# Kenga3 rootkit +usr/include/. . ! Kenga3 rootkit + +# ESRK rootkit +usr/lib/tcl5.3 ! ESRK rootkit + +# Fu rootkit +sbin/xc ! Fu rootkit +usr/include/ivtype.h ! Fu rootkit +bin/.lib ! Fu rootkit + +# ShKit rootkit +lib/security/.config ! ShKit rootkit +etc/ld.so.hash ! ShKit rootkit + +# AjaKit rootkit +lib/.ligh.gh ! AjaKit rootkit +lib/.libgh.gh ! AjaKit rootkit +lib/.libgh-gh ! AjaKit rootkit +dev/tux ! AjaKit rootkit +dev/tux/.proc ! AjaKit rootkit +dev/tux/.file ! AjaKit rootkit + +# zaRwT rootkit +bin/imin ! zaRwT rootkit +bin/imout ! zaRwT rootkit + +# Madalin rootkit +usr/include/icekey.h ! Madalin rootkit +usr/include/iceconf.h ! Madalin rootkit +usr/include/iceseed.h ! Madalin rootkit + +# shv5 rootkit XXX http://www.askaboutskating.com/forum/.../shv5/setup +lib/libsh.so ! shv5 rootkit +usr/lib/libsh ! shv5 rootkit + +# BMBL rootkit (http://www.giac.com/practical/GSEC/Steve_Terrell_GSEC.pdf) +etc/.bmbl ! BMBL rootkit +etc/.bmbl/sk ! BMBL rootkit + +# rootedoor rootkit +*/rootedoor ! Rootedoor rootkit + +# 0vason rootkit +*/ovas0n ! ovas0n rootkit ::/rootkits/ovason.php +*/ovason ! ovas0n rootkit ::/rootkits/ovason.php + +# Rpimp reverse telnet +*/rpimp ! rpv21 (Reverse Pimpage)::/rootkits/rpimp.php + +# Cback Linux worm +tmp/cback ! cback worm ::/rootkits/cback.php +tmp/derfiq ! cback worm ::/rootkits/cback.php + +# aPa Kit (from rkhunter) +usr/share/.aPa ! Apa Kit + +# enye-sec Rootkit +etc/.enyelkmHIDE^IT.ko ! enye-sec Rootkit ::/rootkits/enye-sec.php + +# Override Rootkit +dev/grid-hide-pid- ! Override rootkit ::/rootkits/override.php +dev/grid-unhide-pid- ! Override rootkit ::/rootkits/override.php +dev/grid-show-pids ! Override rootkit ::/rootkits/override.php +dev/grid-hide-port- ! Override rootkit ::/rootkits/override.php +dev/grid-unhide-port- ! Override rootkit ::/rootkits/override.php + +# PHALANX rootkit +usr/share/.home* ! PHALANX rootkit :: +usr/share/.home*/tty ! PHALANX rootkit :: +etc/host.ph1 ! PHALANX rootkit :: +bin/host.ph1 ! PHALANX rootkit :: + +# ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf) +# and from chkrootkit +usr/share/.zk ! ZK rootkit :: +usr/share/.zk/zk ! ZK rootkit :: +etc/1ssue.net ! ZK rootkit :: +usr/X11R6/.zk ! ZK rootkit :: +usr/X11R6/.zk/xfs ! ZK rootkit :: +usr/X11R6/.zk/echo ! ZK rootkit :: +etc/sysconfig/console/load.zk ! ZK rootkit :: + +# Public sniffers +*/.linux-sniff ! Sniffer log :: +*/sniff-l0g ! Sniffer log :: +*/core_$ ! Sniffer log :: +*/tcp.log ! Sniffer log :: +*/chipsul ! Sniffer log :: +*/beshina ! Sniffer log :: +*/.owned$ | Sniffer log :: + +# Solaris worm - +# http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen +var/adm/.profile ! Solaris Worm :: +var/spool/lp/.profile ! Solaris Worm :: +var/adm/sa/.adm ! Solaris Worm :: +var/spool/lp/admins/.lp ! Solaris Worm :: + +# Suspicious files +etc/rc.d/init.d/rc.modules ! Suspicious file ::rootkits/Suspicious.php +lib/ldd.so ! Suspicious file ::rootkits/Suspicious.php +usr/man/muie ! Suspicious file ::rootkits/Suspicious.php +usr/X11R6/include/pain ! Suspicious file ::rootkits/Suspicious.php +usr/bin/sourcemask ! Suspicious file ::rootkits/Suspicious.php +usr/bin/ras2xm ! Suspicious file ::rootkits/Suspicious.php +usr/bin/ddc ! Suspicious file ::rootkits/Suspicious.php +usr/bin/jdc ! Suspicious file ::rootkits/Suspicious.php +usr/sbin/in.telnet ! Suspicious file ::rootkits/Suspicious.php +sbin/vobiscum ! Suspicious file ::rootkits/Suspicious.php +usr/sbin/jcd ! Suspicious file ::rootkits/Suspicious.php +usr/sbin/atd2 ! Suspicious file ::rootkits/Suspicious.php +usr/bin/ishit ! Suspicious file ::rootkits/Suspicious.php +usr/bin/.etc ! Suspicious file ::rootkits/Suspicious.php +usr/bin/xstat ! Suspicious file ::rootkits/Suspicious.php +var/run/.tmp ! Suspicious file ::rootkits/Suspicious.php +usr/man/man1/lib/.lib ! Suspicious file ::rootkits/Suspicious.php +usr/man/man2/.man8 ! Suspicious file ::rootkits/Suspicious.php +var/run/.pid ! Suspicious file ::rootkits/Suspicious.php +lib/.so ! Suspicious file ::rootkits/Suspicious.php +lib/.fx ! Suspicious file ::rootkits/Suspicious.php +lib/lblip.tk ! Suspicious file ::rootkits/Suspicious.php +usr/lib/.fx ! Suspicious file ::rootkits/Suspicious.php +var/local/.lpd ! Suspicious file ::rootkits/Suspicious.php +dev/rd/cdb ! Suspicious file ::rootkits/Suspicious.php +dev/.rd/ ! Suspicious file ::rootkits/Suspicious.php +usr/lib/pt07 ! Suspicious file ::rootkits/Suspicious.php +usr/bin/atm ! Suspicious file ::rootkits/Suspicious.php +tmp/.cheese ! Suspicious file ::rootkits/Suspicious.php +dev/.arctic ! Suspicious file ::rootkits/Suspicious.php +dev/.xman ! Suspicious file ::rootkits/Suspicious.php +dev/.golf ! Suspicious file ::rootkits/Suspicious.php +dev/srd0 ! Suspicious file ::rootkits/Suspicious.php +dev/ptyzx ! Suspicious file ::rootkits/Suspicious.php +dev/ptyzg ! Suspicious file ::rootkits/Suspicious.php +dev/xdf1 ! Suspicious file ::rootkits/Suspicious.php +dev/ttyop ! Suspicious file ::rootkits/Suspicious.php +dev/ttyof ! Suspicious file ::rootkits/Suspicious.php +dev/hd7 ! Suspicious file ::rootkits/Suspicious.php +dev/hdx1 ! Suspicious file ::rootkits/Suspicious.php +dev/hdx2 ! Suspicious file ::rootkits/Suspicious.php +dev/xdf2 ! Suspicious file ::rootkits/Suspicious.php +dev/ptyp ! Suspicious file ::rootkits/Suspicious.php +dev/ptyr ! Suspicious file ::rootkits/Suspicious.php +sbin/pback ! Suspicious file ::rootkits/Suspicious.php +usr/man/man3/psid ! Suspicious file ::rootkits/Suspicious.php +proc/kset ! Suspicious file ::rootkits/Suspicious.php +usr/bin/gib ! Suspicious file ::rootkits/Suspicious.php +usr/bin/snick ! Suspicious file ::rootkits/Suspicious.php +usr/bin/kfl ! Suspicious file ::rootkits/Suspicious.php +tmp/.dump ! Suspicious file ::rootkits/Suspicious.php +var/.x ! Suspicious file ::rootkits/Suspicious.php +var/.x/psotnic ! Suspicious file ::rootkits/Suspicious.php +*/.log ! Suspicious file ::rootkits/Suspicious.php +*/ecmf ! Suspicious file ::rootkits/Suspicious.php +*/mirkforce ! Suspicious file ::rootkits/Suspicious.php +*/mfclean ! Suspicious file ::rootkits/Suspicious.php