# $rootcheck, rootkit_trojans.txt, v1.0 2005/10/01, Daniel B. Cid
# Imported from the rootcheck project.

# Lines starting with '#' are not going to be read.
# Blank lines are not going to be read either.
#
# Each line must be in the following format:
# file_name !regex_to_search! [description]
#
# The pattern is delimited by '!' on both sides.  file_name is either a bare
# binary name (e.g. ls, sshd) or an absolute path (e.g. /sbin/init).  The
# optional text after the closing '!' names the rootkit the signature
# belongs to (see the rootkit entries at the end of this file).

# Common binaries and public trojan entries.
#
# How an entry works: the regex between the '!' delimiters is searched for
# in the printable strings of the named binary, and a hit is reported as a
# possible trojaned version of that file.  Most signatures below key on an
# embedded shell interpreter ('bash', a string beginning with '/bin/sh'),
# C header names that ended up in the binary ('file.h', 'proc.h'), or an
# unexpected path under /dev, which is where the kits of the time kept
# their hidden configuration files.  The negated classes such as
# /dev/[^clu] presumably exclude the /dev names the genuine tool
# legitimately references -- adjust them per platform if they false-alarm.
#
# NOTE(review): these are string heuristics, not hashes.  A shell-script
# wrapper installed under one of these names will match 'bash', and a
# packed or stripped trojan exposes none of these strings.  The bare
# '/dev/' alternatives (env, md5sum, hdparm, and several below) are broad
# enough that a modern build which legitimately mentions /dev/null can
# match.  Treat a hit as a lead to confirm against the package manager
# (rpm -V, debsums) or a file-integrity baseline, not as proof by itself.
ls          !bash|^/bin/sh|dev/[^clu]|\.tmp/lsfile|duarawkz|/prof|/security|file\.h!
env			!bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
echo		!bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
chown		!bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
chmod		!bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
chgrp		!bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
cat			!bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
# The shells themselves legitimately contain 'bash' and '/bin/sh', so they
# get a narrower signature: only numeric or unusual /dev names are flagged.
bash		!proc\.h|/dev/[0-9]|/dev/[hijkz]!
sh			!proc\.h|/dev/[0-9]|/dev/[hijkz]!
uname		!bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh!
date		!bash|^/bin/sh|file\.h|proc\.h|/dev/[^cln]|^/bin/.*sh!
du			!/dev|w0rm|/prof|file\.h!
df			!bash|^/bin/sh|file\.h|proc\.h|/dev/[^clurdv]|^/bin/.*sh!
# Authentication binaries: the literal tokens (SucKIT, xlogin, vejeta,
# satori, conf.inv, ...) are markers of specific kits rather than generic
# tells, so a hit on one of them is a much stronger signal than 'bash'.
login      	!bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk!
# NOTE(review): the ',' inside [b-s,uvxz] (also in chfn, chsh and su) is
# most likely a literal class member rather than a separator; harmless, but
# the intended set was probably [b-suvxz].  Left as-is because changing a
# pattern changes what the signature detects.
passwd		!bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]!
# 'Dimensioni' / 'pacchetto' are Italian-language strings, presumably left
# in by a localized trojan build.
mingetty	!bash|Dimensioni|pacchetto!
chfn		!bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
chsh		!bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
mail		!bash|file\.h|proc\.h|/dev/[^nu]!
su			!bash|/dev/[d-s,abuvxz]|/dev/[A-D]|/dev/[F-Z]|/dev/[0-9]|satori|vejeta|conf\.inv!
sudo		!bash|satori|vejeta|conf\.inv!
crond		!/dev/[^nt]|bash!
gpm			!bash|mingetty!
ifconfig	!bash|^/bin/sh|/dev/tux|session.null|/dev/[^cludisopt]!
diff		!bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
# A trojaned md5sum matters for the confirmation step: if it is replaced,
# local checksum verification cannot be trusted -- verify from known-good
# media or a remote host instead.
md5sum		!bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
# NOTE(review): the bare '/dev/' alternative may well match hdparm's own
# usage text; expect false positives here and confirm before acting.
hdparm		!bash|/dev/ida|/dev/!
ldd			!/dev/[^n]|proc\.h|libshow.so|libproc.a!


# Trojan entries for troubleshooting binaries
#
# These are the tools an operator reaches for when hunting an intruder
# (process, socket, file and logged-in-user listings), so they are the
# first ones a kit replaces to filter its own traces out of the output.
# Hidden-directory markers such as /prof, /home/virus and .1proc recur
# across the kits.  Same caveat as for the common binaries: the bare
# '/dev/' alternatives (grep, egrep, pidof) are broad and a hit is a lead
# to confirm against the package manager, not proof by itself.

grep        !bash|givemer|/dev/!
egrep		!bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
find		!bash|/dev/[^tnlcs]|/prof|/home/virus|file\.h!
lsof		!/prof|/dev/[^apcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp!
# 'grep' inside netstat and 'uname -a' inside w presumably point at a shell
# wrapper that post-filters the real tool's output rather than a recompiled
# binary; either way the operator's view of the host is no longer reliable.
netstat		!bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h!
top			!/dev/[^npi3st%]|proc\.h|/prof/!
ps			!/dev/ttyo|\.1proc|proc\.h|bash|^/bin/sh!
tcpdump		!bash|^/bin/sh|file\.h|proc\.h|/dev/[^b]|^/bin/.*sh!
pidof		!bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
fuser		!bash|^/bin/sh|file\.h|proc\.h|/dev/[a-dtz]|^/bin/.*sh!
w			!uname -a|proc\.h|bash!


# Trojan entries for common daemons
#
# Network-facing daemons are replaced to plant a remote backdoor rather
# than to hide files, so the markers here are mostly kit-specific strings
# (backdoor symbol names, magic terminal types, leetspeak tokens) in
# addition to the generic 'bash' / /dev tells.

sendmail	!bash|fuck!
named		!bash|blah|/dev/[0-9]|^/bin/sh!
inetd		!bash|^/bin/sh|file\.h|proc\.h|/dev/[^un%]|^/bin/.*sh!
apachectl	!bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
# 'check_global_passwd' reads like the symbol of a patched sshd that
# accepts a master password for any account (inferred from the name;
# confirm against a sample).
# NOTE(review): '/dev[a-s]' and '/dev[A-Z]/' have no '/' after 'dev', so
# they match e.g. '/deva' rather than '/dev/a'; most likely a typo for
# '/dev/[a-s]'.  Left as-is because changing a pattern changes what the
# signature detects -- fix deliberately and re-test if you rely on it.
sshd		!check_global_passwd|panasonic|satori|vejeta|\.ark|/hash\.zk|bash|/dev[a-s]|/dev[A-Z]/!
# NOTE(review): '/dev/[^cln]]' carries a stray ']' after the class.  If the
# regex engine treats it as a literal, this alternative only matches a
# device letter followed by ']' and will almost never fire; probably meant
# '/dev/[^cln]'.  Left as-is, see the sshd note.
syslogd		!bash|/usr/lib/pt07|/dev/[^cln]]|syslogs\.h|proc\.h!
xinetd		!bash|file\.h|proc\.h!
# cterm100 / vt350 / ansi-term look like magic TERM values that unlock the
# backdoor in trojaned telnetd builds (inferred; they are not names a stock
# telnetd would need).  '/dev[A-R]' is missing the '/' after 'dev' as well.
in.telnetd	!cterm100|vt350|VT100|ansi-term|bash|^/bin/sh|/dev[A-R]|/dev/[a-z]/!
in.fingerd	!bash|^/bin/sh|cterm100|/dev/!
identd		!bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
# NOTE(review): 'HOME' is the SucKIT marker (SucKIT replaces init).  On
# systemd-based hosts 'init' resolves to the systemd binary, which may
# legitimately contain that string -- verify against the package before
# acting on a hit.
init		!bash|/dev/h|HOME!
tcpd		!bash|proc\.h|p1r0c4|hack|/dev/[^n]!
rlogin		!p1r0c4|r00t|bash|/dev/[^nt]!


# Kill trojan
#
# kill/killall are presumably replaced so the operator cannot terminate the
# kit's processes.  The signatures flag references to odd /dev entries
# (hidden PID or config lists) and to 'tmp'.
# NOTE(review): the ',' in [ab,d-k,m-z] is most likely a literal class
# member rather than a separator; harmless, but probably unintended.

killall		!/dev/[^t%]|proc\.h|bash|tmp!
kill		!/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\.h|bash|tmp!


# Rootkit entries
#
# Absolute-path checks; the text after the closing '!' is the rootkit
# name, presumably reported together with the alert.
#
# NOTE(review): SucKIT replaces /sbin/init.  'init.' means 'init' followed
# by one more character (if '.' is a wildcard here, as in most regex
# dialects), so a plain '/sbin/init' mapping in PID 1 should not match but
# a renamed original binary would -- verify against the regex engine.  On
# systemd hosts /sbin/init is usually a symlink to systemd, which may
# itself contain 'HOME'; confirm with the package manager before acting.
/sbin/init              !HOME! Suckit rootkit
/proc/1/maps            !init.! Suckit rootkit
# enyelkmHIDE in rc.sysinit is presumably the hook the enye-sec LKM adds to
# get reloaded at boot.  Hosts without /etc/rc.d/rc.sysinit (systemd-based
# distributions) have nothing for this entry to inspect, so it is moot there.
/etc/rc.d/rc.sysinit    !enyelkmHIDE! enye-sec Rootkit


# EOF #
