# @(#) $Id: rootkit_trojans.txt,v 1.17 2007/06/01 00:39:11 dcid Exp $
#
# rootkit_trojans.txt, (C) Daniel B. Cid
# Imported from the rootcheck project.
# Some entries taken from the chkrootkit project.
#
# Lines starting with '#' are not going to be read (comments).
# Blank lines are not going to be read too.
# 
# Each line must be in the following format:
# file_name !string_to_search!Description

# Commom binaries and public trojan entries
ls          !bash|^/bin/sh|dev/[^clu]|\.tmp/lsfile|duarawkz|/prof|/security|file\.h!
env			!bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
echo		!bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
chown		!bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
chmod		!bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
chgrp		!bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
cat			!bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
bash		!proc\.h|/dev/[0-9]|/dev/[hijkz]!
sh			!proc\.h|/dev/[0-9]|/dev/[hijkz]!
uname		!bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh!
date		!bash|^/bin/sh|file\.h|proc\.h|/dev/[^cln]|^/bin/.*sh!
du			!/dev|w0rm|/prof|file\.h!
df			!bash|^/bin/sh|file\.h|proc\.h|/dev/[^clurdv]|^/bin/.*sh!
login      	!bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk!
passwd		!bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]!
mingetty	!bash|Dimensioni|pacchetto!
chfn		!bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
chsh		!bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
mail		!bash|file\.h|proc\.h|/dev/[^nu]!
su			!bash|/dev/[d-s,abuvxz]|/dev/[A-D]|/dev/[F-Z]|/dev/[0-9]|satori|vejeta|conf\.inv!
sudo		!bash|satori|vejeta|conf\.inv!
crond		!/dev/[^nt]|bash!
gpm			!bash|mingetty!
ifconfig	!bash|^/bin/sh|/dev/tux|session.null|/dev/[^cludisopt]!
diff		!bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
md5sum		!bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
hdparm		!bash|/dev/ida|/dev/!
ldd			!/dev/[^n]|proc\.h|libshow.so|libproc.a!


# Trojan entries for troubleshooting binaries

grep        !bash|givemer|/dev/!
egrep		!bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
find		!bash|/dev/[^tnlcs]|/prof|/home/virus|file\.h!
lsof		!/prof|/dev/[^apcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp!
netstat		!bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h!
top			!/dev/[^npi3st%]|proc\.h|/prof/!
ps			!/dev/ttyo|\.1proc|proc\.h|bash|^/bin/sh!
tcpdump		!bash|^/bin/sh|file\.h|proc\.h|/dev/[^b]|^/bin/.*sh!
pidof		!bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
fuser		!bash|^/bin/sh|file\.h|proc\.h|/dev/[a-dtz]|^/bin/.*sh!
w			!uname -a|proc\.h|bash!


# Trojan entries for common daemons

sendmail	!bash|fuck!
named		!bash|blah|/dev/[0-9]|^/bin/sh!
inetd		!bash|^/bin/sh|file\.h|proc\.h|/dev/[^un%]|^/bin/.*sh!
apachectl	!bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
sshd		!check_global_passwd|panasonic|satori|vejeta|\.ark|/hash\.zk|bash|/dev[a-s]|/dev[A-Z]/!
syslogd		!bash|/usr/lib/pt07|/dev/[^cln]]|syslogs\.h|proc\.h!
xinetd		!bash|file\.h|proc\.h!
in.telnetd	!cterm100|vt350|VT100|ansi-term|bash|^/bin/sh|/dev[A-R]|/dev/[a-z]/!
in.fingerd	!bash|^/bin/sh|cterm100|/dev/!
identd		!bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
init		!bash|/dev/h|HOME!
tcpd		!bash|proc\.h|p1r0c4|hack|/dev/[^n]!
rlogin		!p1r0c4|r00t|bash|/dev/[^nt]!


# Kill trojan

killall		!/dev/[^t%]|proc\.h|bash|tmp!
kill		!/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\.h|bash|tmp!


# Rootkit entries
/sbin/init              !HOME! Suckit rootkit
/proc/1/maps            !init.! Suckit rootkit
/etc/rc.d/rc.sysinit    !enyelkmHIDE! enye-sec Rootkit


# ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf)
/etc/sysconfig/console/load.zk   !/bin/sh! ZK rootkit
/etc/sysconfig/console/load.zk   !usr/bin/run! ZK rootkit


# Modified /etc/hosts entries
# Idea taken from:
# http://blog.tenablesecurity.com/2006/12/detecting_compr.html
# http://www.sophos.com/security/analyses/trojbagledll.html
# http://www.f-secure.com/v-descs/fantibag_b.shtml
/etc/hosts  !^[^#]*avp.ch!Anti-virus site on the hosts file
/etc/hosts  !^[^#]*avp.ru!Anti-virus site on the hosts file
/etc/hosts  !^[^#]*awaps.net! Anti-virus site on the hosts file
/etc/hosts  !^[^#]*ca.com! Anti-virus site on the hosts file
/etc/hosts  !^[^#]*mcafee.com! Anti-virus site on the hosts file
/etc/hosts  !^[^#]*microsoft.com! Anti-virus site on the hosts file
/etc/hosts  !^[^#]*f-secure.com! Anti-virus site on the hosts file
/etc/hosts  !^[^#]*sophos.com! Anti-virus site on the hosts file
/etc/hosts  !^[^#]*symantec.com! Anti-virus site on the hosts file
/etc/hosts  !^[^#]*my-etrust.com! Anti-virus site on the hosts file
/etc/hosts  !^[^#]*nai.com! Anti-virus site on the hosts file
/etc/hosts  !^[^#]*networkassociates.com! Anti-virus site on the hosts file
/etc/hosts  !^[^#]*viruslist.ru! Anti-virus site on the hosts file
/etc/hosts  !^[^#]*kaspersky! Anti-virus site on the hosts file
/etc/hosts  !^[^#]*symantecliveupdate.com! Anti-virus site on the hosts file
/etc/hosts  !^[^#]*grisoft.com! Anti-virus site on the hosts file
/etc/hosts  !^[^#]*clamav.net! Anti-virus site on the hosts file
/etc/hosts  !^[^#]*bitdefender.com! Anti-virus site on the hosts file
/etc/hosts  !^[^#]*antivirus.com! Anti-virus site on the hosts file
/etc/hosts  !^[^#]*sans.org! Security site on the hosts file

# EOF #
