# @(#) $Id: rootkit_files.txt,v 1.19 2007/08/22 00:39:34 dcid Exp $
#
# rootkit_files.txt, (C) Daniel B. Cid
# Imported from the rootcheck project.
#
# Lines starting with '#' are not read.
# Blank lines are not read either.
# 
# Each line must be in the following format:
# file_name ! Name ::Link to it

# File names that start with '*' are searched for
# across the whole system.


# Bash door
tmp/mcliZokhb			! Bash door ::/rootkits/bashdoor.php
tmp/mclzaKmfa			! Bash door ::/rootkits/bashdoor.php


#adore Worm
dev/.shit/red.tgz		! Adore Worm ::/rootkits/adorew.php
usr/lib/libt			! Adore Worm ::/rootkits/adorew.php
usr/bin/adore			! Adore Worm ::/rootkits/adorew.php
*/klogd.o               ! Adore Worm ::/rootkits/adorew.php
*/red.tar               ! Adore Worm ::/rootkits/adorew.php


#T.R.K rootkit
usr/bin/soucemask		! TRK rootkit ::/rootkits/trk.php
usr/bin/sourcemask		! TRK rootkit ::/rootkits/trk.php


# 55.808.A Worm
tmp/.../a			    ! 55808.A Worm ::
tmp/.../r			    ! 55808.A Worm ::


# Volc Rootkit
usr/lib/volc			! Volc Rootkit ::
usr/bin/volc 			! Volc Rootkit ::


# Illogic
lib/security/.config	! Illogic Rootkit ::rootkits/illogic.php
usr/bin/sia			    ! Illogic Rootkit ::rootkits/illogic.php
etc/ld.so.hash			! Illogic Rootkit ::rootkits/illogic.php
*/uconf.inv 			! Illogic Rootkit ::rootkits/illogic.php


#T0rnkit installed
usr/src/.puta			! t0rn Rootkit ::rootkits/torn.php 
usr/info/.t0rn			! t0rn Rootkit ::rootkits/torn.php
lib/ldlib.tk			! t0rn Rootkit ::rootkits/torn.php
etc/ttyhash			    ! t0rn Rootkit ::rootkits/torn.php
sbin/xlogin			    ! t0rn Rootkit ::rootkits/torn.php
*/ldlib.tk              ! t0rn Rootkit ::rootkits/torn.php
*/.t0rn                 ! t0rn Rootkit ::rootkits/torn.php
*/.puta                 ! t0rn Rootkit ::rootkits/torn.php
*/libproc.a             ! t0rn Rootkit ::rootkits/torn.php


#RK17
bin/rtty			! RK17 ::
bin/squit			! RK17 ::
sbin/pback			! RK17 ::
proc/kset			! RK17 ::
usr/src/linux/modules/autod.o	! RK17 ::
usr/src/linux/modules/soundx.o	! RK17 ::


# Ramen Worm
usr/lib/ldlibps.so 		! Ramen Worm ::rootkits/ramen.php
usr/lib/ldlibns.so 		! Ramen Worm ::rootkits/ramen.php
usr/lib/ldliblogin.so 	! Ramen Worm ::rootkits/ramen.php
usr/src/.poop			! Ramen Worm ::rootkits/ramen.php
tmp/ramen.tgz			! Ramen Worm ::rootkits/ramen.php
etc/xinetd.d/asp		! Ramen Worm ::rootkits/ramen.php


# Sadmind/IIS Worm
dev/cuc				    ! Sadmind/IIS Worm ::


#Monkit
lib/defs		    	! Monkit ::
usr/lib/libpikapp.a		! Monkit found ::


#RSHA
usr/bin/kr4p 			! RSHA ::
usr/bin/n3tstat			! RSHA ::
usr/bin/chsh2			! RSHA ::
usr/bin/slice2			! RSHA ::
etc/rc.d/rsha			! RSHA ::


#ShitC worm
bin/home			    ! ShitC ::
sbin/home			    ! ShitC ::
usr/sbin/in.slogind		! ShitC ::


#Omega Worm
dev/chr				    ! Omega Worm ::


#rh-sharpe
bin/.ps				    ! Rh-Sharpe ::
usr/bin/cleaner			! Rh-Sharpe ::
usr/bin/slice			! Rh-Sharpe ::
usr/bin/vadim			! Rh-Sharpe ::
usr/bin/.ps			    ! Rh-Sharpe ::
bin/.lpstree			! Rh-Sharpe ::
usr/bin/.lpstree		! Rh-Sharpe ::
usr/bin/lnetstat		! Rh-Sharpe ::
bin/lnetstat			! Rh-Sharpe ::
usr/bin/ldu			    ! Rh-Sharpe ::
bin/ldu				    ! Rh-Sharpe ::
usr/bin/lkillall		! Rh-Sharpe ::
bin/lkillall			! Rh-Sharpe ::
usr/include/rpcsvc/du	! Rh-Sharpe ::


#Maniac RK 
usr/bin/mailrc			! Maniac RK ::


#Showtee / Romanian
usr/lib/.egcs			! Showtee ::
usr/lib/.wormie			! Showtee ::
usr/lib/.kinetic		! Showtee ::
usr/lib/liblog.o		! Showtee ::
usr/include/addr.h		! Showtee / Romanian rootkit ::
usr/include/cron.h		! Showtee ::
usr/include/file.h		! Showtee / Romaniam rootkit ::
usr/include/syslogs.h	! Showtee / Romaniam rootkit ::
usr/include/proc.h		! Showtee / Romaniam rootkit ::
usr/include/chk.h		! Showtee ::
usr/sbin/initdl			! Romanian rootkit ::
usr/sbin/xntps			! Romanian rootkit ::


#Optickit
usr/bin/xchk			! Optickit ::
usr/bin/xsf			    ! Optickit ::


# LDP worm 
dev/.kork			! LDP Worm ::
bin/.login			! LDP Worm ::
bin/.ps				! LDP Worm ::


# Telekit
dev/hda06			! TeLeKit trojan ::
usr/info/libc1.so 		! TeleKit trojan ::


# Tribe bot
dev/wd4 			! Tribe bot ::


# LRK
dev/ida/.inet 			! LRK rootkit ::rootkits/lrk.php
*/bindshell 			! LRK rootkit ::rootkits/lrk.php


# Adore Rootkit
etc/bin/ava 			! Adore Rootkit ::
etc/sbin/ava 			! Adore Rootkit ::


# Slapper
tmp/.bugtraq 			! Slapper installed ::
tmp/.bugtraq.c 			! Slapper installed ::
tmp/.cinik 			    ! Slapper installed ::
tmp/.b 				    ! Slapper installed ::
tmp/httpd 			    ! Slapper installed ::
tmp/.update 			! Slapper installed ::
tmp/.unlock 			! Slapper installed ::
tmp/.font-unix/.cinik   ! Slapper installed ::
tmp/.cinik              ! Slapper installed ::



# Scalper
tmp/.uua 			! Scalper installed ::
tmp/.a 				! Scalper installed ::


# Knark 
proc/knark 			! Knark Installed ::rootkits/knark.php
dev/.pizda 			! Knark Installed ::rootkits/knark.php
dev/.pula 			! Knark Installed ::rootkits/knark.php
dev/.pula 			! Knark Installed ::rootkits/knark.php
*/taskhack          ! Knark Installed ::rootkits/knark.php
*/rootme            ! Knark Installed ::rootkits/knark.php
*/nethide           ! Knark Installed ::rootkits/knark.php
*/hidef             ! Knark Installed ::rootkits/knark.php
*/ered              ! Knark Installed ::rootkits/knark.php


# Lion worm
dev/.lib 			! Lion Worm ::rootkits/lion.php
dev/.lib/1iOn.sh 	! Lion Worm ::rootkits/lion.php
bin/mjy				! Lion Worm ::rootkits/lion.php
bin/in.telnetd		! Lion Worm ::rootkits/lion.php
usr/info/torn		! Lion Worm ::rootkits/lion.php
*/1iOn\.sh  		! Lion Worm ::rootkits/lion.php


# Bobkit
usr/include/.../		! Bobkit Rootkit ::rootkits/bobkit.php
usr/lib/.../			! Bobkit Rootkit ::rootkits/bobkit.php
usr/sbin/.../			! Bobkit Rootkit ::rootkits/bobkit.php
usr/bin/ntpsx			! Bobkit Rootkit ::rootkits/bobkit.php
tmp/.bkp			    ! Bobkit Rootkit ::rootkits/bobkit.php
usr/lib/.bkit-		    ! Bobkit Rootkit ::rootkits/bobkit.php
*/bkit-	    		    ! Bobkit Rootkit ::rootkits/bobkit.php

# Hidrootkit
var/lib/games/.k		! Hidr00tkit ::

 
# Ark
dev/ptyxx			! Ark rootkit ::


#Mithra Rootkit
usr/lib/locale/uboot 		! Mithra`s rootkit ::


# Optickit
usr/bin/xsf 			! OpticKit ::
usr/bin/xchk 			! OpticKit ::


# LOC rootkit
tmp/xp 				! LOC rookit ::
tmp/kidd0.c 			! LOC rookit ::
tmp/kidd0 			! LOC rookit ::


# TC2 worm
usr/info/.tc2k	 		! TC2 Worm ::
usr/bin/util 			! TC2 Worm ::
usr/sbin/initcheck 		! TC2 Worm ::
usr/sbin/ldb 			! TC2 Worm ::


# Anonoiyng rootkit
usr/sbin/mech 			! Anonoiyng rootkit ::
usr/sbin/kswapd 		! Anonoiyng rootkit ::


# SuckIt
lib/.x				! SuckIt rootkit ::
*/hide.log          ! Suckit rootkit ::
lib/sk              ! SuckIT rootkit ::


# Beastkit
usr/local/bin/bin		! Beastkit rootkit ::rootkits/beastkit.php
usr/man/.man10			! Beastkit rootkit ::rootkits/beastkit.php
usr/sbin/arobia			! Beastkit rootkit ::rootkits/beastkit.php
usr/lib/elm/arobia		! Beastkit rootkit ::rootkits/beastkit.php
usr/local/bin/.../bktd	! Beastkit rootkit ::rootkits/beastkit.php


# Tuxkit
dev/tux				! Tuxkit rootkit ::rootkits/Tuxkit.php
usr/bin/xsf			! Tuxkit rootkit ::rootkits/Tuxkit.php
usr/bin/xchk		! Tuxkit rootkit ::rootkits/Tuxkit.php
*/.file             ! Tuxkit rootkit ::rootkits/Tuxkit.php
*/.addr             ! Tuxkit rootkit ::rootkits/Tuxkit.php


# Old rootkits
usr/include/rpc/ ../kit		! Old rootkits ::rootkits/Old.php
usr/include/rpc/ ../kit2	! Old rootkits ::rootkits/Old.php
usr/doc/.sl			    ! Old rootkits ::rootkits/Old.php
usr/doc/.sp			    ! Old rootkits ::rootkits/Old.php
usr/doc/.statnet		! Old rootkits ::rootkits/Old.php
usr/doc/.logdsys		! Old rootkits ::rootkits/Old.php
usr/doc/.dpct			! Old rootkits ::rootkits/Old.php
usr/doc/.gifnocfi		! Old rootkits ::rootkits/Old.php
usr/doc/.dnif			! Old rootkits ::rootkits/Old.php
usr/doc/.nigol			! Old rootkits ::rootkits/Old.php


# Kenga3 rootkit
usr/include/. .         ! Kenga3 rootkit


# ESRK rootkit
usr/lib/tcl5.3          ! ESRK rootkit


# Fu rootkit
sbin/xc                 ! Fu rootkit
usr/include/ivtype.h    ! Fu rootkit
bin/.lib                ! Fu rootkit


# ShKit rootkit
lib/security/.config    ! ShKit rootkit
etc/ld.so.hash          ! ShKit rootkit


# AjaKit rootkit
lib/.ligh.gh            ! AjaKit rootkit
lib/.libgh.gh           ! AjaKit rootkit
lib/.libgh-gh           ! AjaKit rootkit
dev/tux                 ! AjaKit rootkit
dev/tux/.proc           ! AjaKit rootkit
dev/tux/.file           ! AjaKit rootkit


# zaRwT rootkit
bin/imin                ! zaRwT rootkit
bin/imout               ! zaRwT rootkit


# Madalin rootkit
usr/include/icekey.h    ! Madalin rootkit
usr/include/iceconf.h   ! Madalin rootkit
usr/include/iceseed.h   ! Madalin rootkit


# shv5 rootkit XXX http://www.askaboutskating.com/forum/.../shv5/setup
lib/libsh.so            ! shv5 rootkit
usr/lib/libsh           ! shv5 rootkit


# BMBL rootkit (http://www.giac.com/practical/GSEC/Steve_Terrell_GSEC.pdf)
etc/.bmbl               ! BMBL rootkit
etc/.bmbl/sk            ! BMBL rootkit


# rootedoor rootkit
*/rootedoor             ! Rootedoor rootkit


# 0vason rootkit
*/ovas0n                ! ovas0n rootkit ::/rootkits/ovason.php
*/ovason                ! ovas0n rootkit ::/rootkits/ovason.php


# Rpimp reverse telnet
*/rpimp                 ! rpv21 (Reverse Pimpage)::/rootkits/rpimp.php


# Cback Linux worm
tmp/cback              ! cback worm ::/rootkits/cback.php
tmp/derfiq             ! cback worm ::/rootkits/cback.php
*/cback                ! cback worm ::/rootkits/cback.php


# aPa Kit (from rkhunter)
usr/share/.aPa          ! Apa Kit


# enye-sec Rootkit
etc/.enyelkmHIDE^IT.ko  ! enye-sec Rootkit ::/rootkits/enye-sec.php


# Override Rootkit
dev/grid-hide-pid-     ! Override rootkit ::/rootkits/override.php
dev/grid-unhide-pid-   ! Override rootkit ::/rootkits/override.php
dev/grid-show-pids     ! Override rootkit ::/rootkits/override.php
dev/grid-hide-port-    ! Override rootkit ::/rootkits/override.php
dev/grid-unhide-port-  ! Override rootkit ::/rootkits/override.php


# PHALANX rootkit
usr/share/.home.ph1     ! PHALANX rootkit ::
usr/share/.home.ph1/tty ! PHALANX rootkit ::
etc/host.ph1            ! PHALANX rootkit ::
bin/host.ph1            ! PHALANX rootkit ::


# ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf)
# and from chkrootkit
usr/share/.zk                   ! ZK rootkit ::
usr/share/.zk/zk                ! ZK rootkit ::
etc/1ssue.net                   ! ZK rootkit ::
usr/X11R6/.zk                   ! ZK rootkit ::
usr/X11R6/.zk/xfs               ! ZK rootkit ::
usr/X11R6/.zk/echo              ! ZK rootkit ::
etc/sysconfig/console/load.zk   ! ZK rootkit ::


# Public sniffers
*/.linux-sniff          ! Sniffer log ::
*/sniff-l0g             ! Sniffer log ::
*/core_$                ! Sniffer log ::
*/tcp.log               ! Sniffer log ::
*/chipsul               ! Sniffer log ::
*/beshina               ! Sniffer log ::
*/.owned$               ! Sniffer log ::


# Solaris worm -
# http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen
var/adm/.profile        ! Solaris Worm ::
var/spool/lp/.profile   ! Solaris Worm ::
var/adm/sa/.adm         ! Solaris Worm ::
var/spool/lp/admins/.lp ! Solaris Worm ::


#Suspicious files
etc/rc.d/init.d/rc.modules	! Suspicious file ::rootkits/Suspicious.php
lib/ldd.so			        ! Suspicious file ::rootkits/Suspicious.php
usr/man/muie			    ! Suspicious file ::rootkits/Suspicious.php
usr/X11R6/include/pain		! Suspicious file ::rootkits/Suspicious.php
usr/bin/sourcemask 		    ! Suspicious file ::rootkits/Suspicious.php
usr/bin/ras2xm			    ! Suspicious file ::rootkits/Suspicious.php
usr/bin/ddc			        ! Suspicious file ::rootkits/Suspicious.php
usr/bin/jdc			        ! Suspicious file ::rootkits/Suspicious.php
usr/sbin/in.telnet		    ! Suspicious file ::rootkits/Suspicious.php
sbin/vobiscum			    ! Suspicious file ::rootkits/Suspicious.php
usr/sbin/jcd			    ! Suspicious file ::rootkits/Suspicious.php
usr/sbin/atd2			    ! Suspicious file ::rootkits/Suspicious.php
usr/bin/ishit               ! Suspicious file ::rootkits/Suspicious.php
usr/bin/.etc	            ! Suspicious file ::rootkits/Suspicious.php
usr/bin/xstat			    ! Suspicious file ::rootkits/Suspicious.php
var/run/.tmp			    ! Suspicious file ::rootkits/Suspicious.php
usr/man/man1/lib/.lib		! Suspicious file ::rootkits/Suspicious.php
usr/man/man2/.man8 		    ! Suspicious file ::rootkits/Suspicious.php
var/run/.pid			    ! Suspicious file ::rootkits/Suspicious.php
lib/.so				        ! Suspicious file ::rootkits/Suspicious.php
lib/.fx				        ! Suspicious file ::rootkits/Suspicious.php
lib/lblip.tk			    ! Suspicious file ::rootkits/Suspicious.php
usr/lib/.fx			        ! Suspicious file ::rootkits/Suspicious.php
var/local/.lpd			    ! Suspicious file ::rootkits/Suspicious.php
dev/rd/cdb			        ! Suspicious file ::rootkits/Suspicious.php
dev/.rd/			        ! Suspicious file ::rootkits/Suspicious.php
usr/lib/pt07			    ! Suspicious file ::rootkits/Suspicious.php
usr/bin/atm			        ! Suspicious file ::rootkits/Suspicious.php
tmp/.cheese			        ! Suspicious file ::rootkits/Suspicious.php
dev/.arctic			        ! Suspicious file ::rootkits/Suspicious.php
dev/.xman			        ! Suspicious file ::rootkits/Suspicious.php
dev/srd0			        ! Suspicious file ::rootkits/Suspicious.php
dev/ptyzx			        ! Suspicious file ::rootkits/Suspicious.php
dev/ptyzg			        ! Suspicious file ::rootkits/Suspicious.php
dev/xdf1			        ! Suspicious file ::rootkits/Suspicious.php
dev/ttyop			        ! Suspicious file ::rootkits/Suspicious.php
dev/ttyof			        ! Suspicious file ::rootkits/Suspicious.php
dev/hd7				        ! Suspicious file ::rootkits/Suspicious.php
dev/hdx1			        ! Suspicious file ::rootkits/Suspicious.php
dev/hdx2			        ! Suspicious file ::rootkits/Suspicious.php
dev/xdf2			        ! Suspicious file ::rootkits/Suspicious.php
dev/ptyp			        ! Suspicious file ::rootkits/Suspicious.php
dev/ptyr			        ! Suspicious file ::rootkits/Suspicious.php
sbin/pback                  ! Suspicious file ::rootkits/Suspicious.php
usr/man/man3/psid           ! Suspicious file ::rootkits/Suspicious.php
proc/kset                   ! Suspicious file ::rootkits/Suspicious.php
usr/bin/gib                 ! Suspicious file ::rootkits/Suspicious.php
usr/bin/snick               ! Suspicious file ::rootkits/Suspicious.php
usr/bin/kfl                 ! Suspicious file ::rootkits/Suspicious.php
tmp/.dump                   ! Suspicious file ::rootkits/Suspicious.php
var/.x                      ! Suspicious file ::rootkits/Suspicious.php
var/.x/psotnic              ! Suspicious file ::rootkits/Suspicious.php
*/.log                      ! Suspicious file ::rootkits/Suspicious.php
*/ecmf                      ! Suspicious file ::rootkits/Suspicious.php
*/mirkforce                 ! Suspicious file ::rootkits/Suspicious.php
*/mfclean                   ! Suspicious file ::rootkits/Suspicious.php
