Documentation ¶
Index ¶
- Constants
- Variables
- func BytesToUint(b []byte) uint
- type KallSyms
- type KallsymsEntry
- type KcoreMemory
- func (kcore *KcoreMemory) FindModule(addr uint64, modOffset int, version *KernelVersion) (ModuleInfo, error)
- func (kcore *KcoreMemory) Init(apiFileSystem api.FileSystem, textAddr uint64) error
- func (kcore *KcoreMemory) Read(offset, size uint64) ([]byte, error)
- func (kcore *KcoreMemory) ReadI(offset uint64) (uint32, error)
- func (kcore *KcoreMemory) ReadQ(offset uint64) (uint64, error)
- type KernelModules
- type KernelVersion
- type Ksyscall
- type ModuleInfo
- type RootkitRule
- type SyscallEntry
Constants ¶
// Paths, limits and layout constants used by the rootkit scanner.
const (
	// DefaultDescription is the label attached to a finding when a rule
	// does not supply its own.
	DefaultDescription = "rootkit backdoor"

	// Kernel interfaces the scanner reads. Reading /proc/kcore needs root;
	// /proc/kallsyms presumably reports zeroed addresses to unprivileged
	// readers (the kptr_restrict case) — that is what MaxZeroAddresses and
	// ErrKallsymsAddr appear to guard against, confirm against Init.
	KallsymsPath      = "/proc/kallsyms"
	KcorePath         = "/proc/kcore"
	KernelModulesPath = "/proc/modules"
	VersionPath       = "/proc/version"

	// LKMDir is the root under which on-disk kernel modules are looked up.
	LKMDir = "/lib/modules/"

	// MaxInt64 is the largest int64 (same value as math.MaxInt64), built
	// from the all-ones uint64 shifted into the positive range.
	MaxInt64 = int64(^uint64(0) >> 1)

	// ModuleOffset is a hard-coded byte offset into struct module.
	// NOTE(review): struct module layout changes between kernel versions;
	// FindModule takes an explicit modOffset plus a *KernelVersion, so this
	// value is presumably only a default that callers override — confirm.
	ModuleOffset = 0x90

	// MaxZeroAddresses bounds how many zero-valued addresses are tolerated
	// while parsing kallsyms/modules before the scan gives up, presumably
	// via ErrKallsymsAddr / ErrModulesAddr.
	MaxZeroAddresses = 20
)
Variables ¶
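// Sentinel errors returned by the kallsyms / kcore / modules readers.
// Compare them with errors.Is; the messages are for humans, not for
// matching (two of them were previously malformed: an unbalanced quote in
// ErrInvalidAddr and a typo in ErrNoModule).
var (
	// ErrInvalidAddr: an address field was not a "0x"-prefixed hex string.
	ErrInvalidAddr = errors.New("address should start with '0x'")
	// ErrInvalidKsyms: a /proc/kallsyms line did not have the expected shape.
	ErrInvalidKsyms = errors.New("parse kallsyms line failed")
	// ErrInvalidNum: a symbol binary search produced a negative index.
	ErrInvalidNum = errors.New("binary search returned a negative number")
	// ErrKallsymsInit / ErrKcoreInit: the corresponding reader could not be
	// set up (typically a permissions problem — both files need root).
	ErrKallsymsInit = errors.New("kallsyms init failed")
	ErrKcoreInit    = errors.New("kcore init failed")
	// ErrKallsymsAddr / ErrModulesAddr: more than MaxZeroAddresses entries
	// had a zero address, so the view of the kernel is not trustworthy.
	ErrKallsymsAddr = errors.New("too many zero addresses in kallsyms")
	ErrModulesAddr  = errors.New("too many zero addresses")
	// ErrNoModule: no module matched the requested address.
	ErrNoModule = errors.New("can't find modules")
	// ErrSizeMissMatch: a kcore read returned fewer bytes than requested.
	ErrSizeMissMatch = errors.New("read size does not match the requested size")
	// ErrTooBig: the requested read address exceeds the reader's limit
	// (0x800000000000 — presumably the top of the x86-64 user half of the
	// address space; confirm this matches how kcore offsets are computed).
	ErrTooBig = errors.New("read addr too big, max 0x800000000000")
	// ErrVersion: /proc/version did not contain a recognisable kernel version.
	ErrVersion = errors.New("unable to find correct kernel version in /proc/version")
)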
var ( BadLKM = []string{ "adore", "bkit-adore", "cleaner", "flkm", "knark", "mod_klgr", "modhide", "p2", "phide_mod", "rpldev", "strings", "vlogger", "wkmr26", "xC", } SymsBuiltinList = []string{ "_text", "ext4_dir_operations", "ext4_file_operations", "proc_root_operations", "proc_root_operations", "proc_root_readdir", "sys_call_table", "tcp4_seq_afinfo", } RootkitRules = []*RootkitRule{ { Name: "55808 Variant A", File: []string{ "/tmp/.../r", "/tmp/.../a", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "Adore Rootkit", File: []string{ "/usr/secure", "/usr/doc/sys/qrt", "/usr/doc/sys/run", "/usr/doc/sys/crond", "/usr/sbin/kfd", "/usr/doc/kern/var", "/usr/doc/kern/string.o", "/usr/doc/kern/ava", "/usr/doc/kern/adore.o", "/var/log/ssh/old", }, Dir: []string{ "/lib/security/.config/ssh", "/usr/doc/kern", "/usr/doc/backup", "/usr/doc/backup/txt", "/lib/backup", "/lib/backup/txt", "/usr/doc/work", "/usr/doc/sys", "/var/log/ssh", "/usr/doc/.spool", "/usr/lib/kterm", }, Ksyms: []string{}, }, { Name: "AjaKit Rootkit", File: []string{ "/dev/tux/.addr", "/dev/tux/.proc", "/dev/tux/.file", "/lib/.libgh-gh/cleaner", "/lib/.libgh-gh/Patch/patch", "/lib/.libgh-gh/sb0k", }, Dir: []string{ "/dev/tux", "/lib/.libgh-gh", }, Ksyms: []string{}, }, { Name: "aPa Kit Rootkit", File: []string{ "/usr/share/.aPa", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "Apache Worm", File: []string{ "/bin/.log", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "Ambient Rootkit", File: []string{ "/usr/lib/.ark?", "/dev/ptyxx/.log", "/dev/ptyxx/.file", "/dev/ptyxx/.proc", "/dev/ptyxx/.addr", }, Dir: []string{ "/dev/ptyxx", }, Ksyms: []string{}, }, { Name: "Balaur Rootkit", File: []string{ "/usr/lib/liblog.o", }, Dir: []string{ "/usr/lib/.kinetic", "/usr/lib/.egcs", "/usr/lib/.wormie", }, Ksyms: []string{}, }, { Name: "Beastkit Rootkit", File: []string{ "/usr/sbin/arobia", "/usr/sbin/idrun", "/usr/lib/elm/arobia/elm", "/usr/lib/elm/arobia/elm/hk", "/usr/lib/elm/arobia/elm/hk.pub", 
"/usr/lib/elm/arobia/elm/sc", "/usr/lib/elm/arobia/elm/sd.pp", "/usr/lib/elm/arobia/elm/sdco", "/usr/lib/elm/arobia/elm/srsd", }, Dir: []string{ "/lib/ldd.so/bktools", }, Ksyms: []string{}, }, { Name: "beX2 Rootkit", File: []string{ "/usr/info/termcap.info-5.gz", "/usr/bin/sshd2", }, Dir: []string{ "/usr/include/bex", }, Ksyms: []string{}, }, { Name: "BOBkit Rootkit", File: []string{ "/usr/sbin/ntpsx", "/usr/sbin/.../bkit-ava", "/usr/sbin/.../bkit-d", "/usr/sbin/.../bkit-shd", "/usr/sbin/.../bkit-f", "/usr/include/.../proc.h", "/usr/include/.../.bash_history", "/usr/include/.../bkit-get", "/usr/include/.../bkit-dl", "/usr/include/.../bkit-screen", "/usr/include/.../bkit-sleep", "/usr/lib/.../bkit-adore.o", "/usr/lib/.../ls", "/usr/lib/.../netstat", "/usr/lib/.../lsof", "/usr/lib/.../bkit-ssh/bkit-shdcfg", "/usr/lib/.../bkit-ssh/bkit-shhk", "/usr/lib/.../bkit-ssh/bkit-pw", "/usr/lib/.../bkit-ssh/bkit-shrs", "/usr/lib/.../bkit-ssh/bkit-mots", "/usr/lib/.../uconf.inv", "/usr/lib/.../psr", "/usr/lib/.../find", "/usr/lib/.../pstree", "/usr/lib/.../slocate", "/usr/lib/.../du", "/usr/lib/.../top", }, Dir: []string{ "/usr/sbin/...", "/usr/include/...", "/usr/include/.../.tmp", "/usr/lib/...", "/usr/lib/.../.ssh", "/usr/lib/.../bkit-ssh", "/usr/lib/.bkit-", "/tmp/.bkp", }, Ksyms: []string{}, }, { Name: "OSX Boonana-A Trojan", File: []string{ "/Library/StartupItems/OSXDriverUpdates/OSXDriverUpdates", "/Library/StartupItems/OSXDriverUpdates/StartupParameters.plist", }, Dir: []string{ "/var/root/.jnana", }, Ksyms: []string{}, }, { Name: "cb Rootkit", File: []string{ "/dev/srd0", "/lib/libproc.so.2.0.6", "/dev/mounnt", "/etc/rc.d/init.d/init", "/usr/bin/.zeen/..%/cl", "/usr/bin/.zeen/..%/.x.tgz", "/usr/bin/.zeen/..%/statdx", "/usr/bin/.zeen/..%/wted", "/usr/bin/.zeen/..%/write", "/usr/bin/.zeen/..%/scan", "/usr/bin/.zeen/..%/sc", "/usr/bin/.zeen/..%/sl2", "/usr/bin/.zeen/..%/wroot", "/usr/bin/.zeen/..%/wscan", "/usr/bin/.zeen/..%/wu", "/usr/bin/.zeen/..%/v", 
"/usr/bin/.zeen/..%/read", "/usr/lib/sshrc", "/usr/lib/ssh_host_key", "/usr/lib/ssh_host_key.pub", "/usr/lib/ssh_random_seed", "/usr/lib/sshd_config", "/usr/lib/shosts.equiv", "/usr/lib/ssh_known_hosts", "/u/zappa/.ssh/pid", "/usr/bin/.system/..%/tcp.log", "/usr/bin/.zeen/..%/curatare/attrib", "/usr/bin/.zeen/..%/curatare/chattr", "/usr/bin/.zeen/..%/curatare/ps", "/usr/bin/.zeen/..%/curatare/pstree", "/usr/bin/.system/..%/.x/xC.o", }, Dir: []string{ "/usr/bin/.zeen", "/usr/bin/.zeen/..%/curatare", "/usr/bin/.zeen/..%/scan", "/usr/bin/.system/..%", }, Ksyms: []string{}, }, { Name: "CiNIK Worm", File: []string{ "/tmp/.cinik", }, Dir: []string{ "/tmp/.font-unix/.cinik", }, Ksyms: []string{}, }, { Name: "CX Rootkit", File: []string{ "/usr/lib/ldlibso", "/usr/lib/configlibso", "/usr/lib/shklibso", "/usr/lib/randomlibso", "/usr/lib/ldlibstrings.so", "/usr/lib/ldlibdu.so", "/usr/lib/ldlibns.so", "/usr/include/db", }, Dir: []string{ "/usr/include/cxk", }, Ksyms: []string{}, }, { Name: "Abuse Kit", File: []string{ "/dev/mdev", "/usr/lib/libX.a", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "Devil Rootkit", File: []string{ "/var/lib/games/.src", "/dev/dsx", "/dev/caca", "/dev/pro", "/bin/bye", "/bin/homedir", "/usr/bin/xfss", "/usr/sbin/tzava", "/usr/doc/tar/.../.dracusor/stuff/holber", "/usr/doc/tar/.../.dracusor/stuff/sense", "/usr/doc/tar/.../.dracusor/stuff/clear", "/usr/doc/tar/.../.dracusor/stuff/tzava", "/usr/doc/tar/.../.dracusor/stuff/citeste", "/usr/doc/tar/.../.dracusor/stuff/killrk", "/usr/doc/tar/.../.dracusor/stuff/searchlog", "/usr/doc/tar/.../.dracusor/stuff/gaoaza", "/usr/doc/tar/.../.dracusor/stuff/cleaner", "/usr/doc/tar/.../.dracusor/stuff/shk", "/usr/doc/tar/.../.dracusor/stuff/srs", "/usr/doc/tar/.../.dracusor/utile.tgz", "/usr/doc/tar/.../.dracusor/webpage", "/usr/doc/tar/.../.dracusor/getpsy", "/usr/doc/tar/.../.dracusor/getbnc", "/usr/doc/tar/.../.dracusor/getemech", "/usr/doc/tar/.../.dracusor/localroot.sh", 
"/usr/doc/tar/.../.dracusor/stuff/old/sense", }, Dir: []string{ "/usr/doc/tar/.../.dracusor", }, Ksyms: []string{}, }, { Name: "Diamorphine LKM", File: []string{}, Dir: []string{}, Ksyms: []string{ "diamorphine", "module_hide", "module_hidden", "is_invisible", "hacked_getdents", "hacked_kill", }, }, { Name: "Dica-Kit Rootkit", File: []string{ "/lib/.sso", "/lib/.so", "/var/run/...dica/clean", "/var/run/...dica/dxr", "/var/run/...dica/read", "/var/run/...dica/write", "/var/run/...dica/lf", "/var/run/...dica/xl", "/var/run/...dica/xdr", "/var/run/...dica/psg", "/var/run/...dica/secure", "/var/run/...dica/rdx", "/var/run/...dica/va", "/var/run/...dica/cl.sh", "/var/run/...dica/last.log", "/usr/bin/.etc", "/etc/sshd_config", "/etc/ssh_host_key", "/etc/ssh_random_seed", }, Dir: []string{ "/var/run/...dica", "/var/run/...dica/mh", "/var/run/...dica/scan", }, Ksyms: []string{}, }, { Name: "Dreams Rootkit", File: []string{ "/dev/ttyoa", "/dev/ttyof", "/dev/ttyop", "/usr/bin/sense", "/usr/bin/sl2", "/usr/bin/logclear", "/usr/bin/(swapd)", "/usr/bin/initrd", "/usr/bin/crontabs", "/usr/bin/snfs", "/usr/lib/libsss", "/usr/lib/libsnf.log", "/usr/lib/libshtift/top", "/usr/lib/libshtift/ps", "/usr/lib/libshtift/netstat", "/usr/lib/libshtift/ls", "/usr/lib/libshtift/ifconfig", "/usr/include/linseed.h", "/usr/include/linpid.h", "/usr/include/linkey.h", "/usr/include/linconf.h", "/usr/include/iceseed.h", "/usr/include/icepid.h", "/usr/include/icekey.h", "/usr/include/iceconf.h", }, Dir: []string{ "/dev/ida/.hpd", "/usr/lib/libshtift", }, Ksyms: []string{}, }, { Name: "Duarawkz Rootkit", File: []string{ "/usr/bin/duarawkz/loginpass", }, Dir: []string{ "/usr/bin/duarawkz", }, Ksyms: []string{}, }, { Name: "Ebury sshd backdoor", File: []string{ "/lib/libns2.so", "/lib64/libns2.so", "/lib/libns5.so", "/lib64/libns5.so", "/lib/libpw3.so", "/lib64/libpw3.so", "/lib/libpw5.so", "/lib64/libpw5.so", "/lib/libsbr.so", "/lib64/libsbr.so", "/lib/libslr.so", "/lib64/libslr.so", 
"/lib/tls/libkeyutils.so.1", "/lib64/tls/libkeyutils.so.1", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "ENYE LKM", File: []string{ "/etc/.enyelkmHIDE^IT.ko", "/etc/.enyelkmOCULTAR.ko", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "Flea Rootkit", File: []string{ "/etc/ld.so.hash", "/lib/security/.config/ssh/sshd_config", "/lib/security/.config/ssh/ssh_host_key", "/lib/security/.config/ssh/ssh_host_key.pub", "/lib/security/.config/ssh/ssh_random_seed", "/usr/bin/ssh2d", "/usr/lib/ldlibns.so", "/usr/lib/ldlibps.so", "/usr/lib/ldlibpst.so", "/usr/lib/ldlibdu.so", "/usr/lib/ldlibct.so", }, Dir: []string{ "/lib/security/.config/ssh", "/dev/..0", "/dev/..0/backup", }, Ksyms: []string{}, }, { Name: "FreeBSD Rootkit", File: []string{ "/dev/ptyp", "/dev/ptyq", "/dev/ptyr", "/dev/ptys", "/dev/ptyt", "/dev/fd/.88/freshb-bsd", "/dev/fd/.88/fresht", "/dev/fd/.88/zxsniff", "/dev/fd/.88/zxsniff.log", "/dev/fd/.99/.ttyf00", "/dev/fd/.99/.ttyp00", "/dev/fd/.99/.ttyq00", "/dev/fd/.99/.ttys00", "/dev/fd/.99/.pwsx00", "/etc/.acid", "/usr/lib/.fx/sched_host.2", "/usr/lib/.fx/random_d.2", "/usr/lib/.fx/set_pid.2", "/usr/lib/.fx/setrgrp.2", "/usr/lib/.fx/TOHIDE", "/usr/lib/.fx/cons.saver", "/usr/lib/.fx/adore/ava/ava", "/usr/lib/.fx/adore/adore/adore.ko", "/bin/sysback", "/usr/local/bin/sysback", }, Dir: []string{ "/dev/fd/.88", "/dev/fd/.99", "/usr/lib/.fx", "/usr/lib/.fx/adore", }, Ksyms: []string{}, }, { Name: "Fu Rootkit", File: []string{ "/sbin/xc", "/usr/include/ivtype.h", "/bin/.lib", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "Fuckit Rootkit", File: []string{ "/lib/libproc.so.2.0.7", "/dev/proc/.bash_profile", "/dev/proc/.bashrc", "/dev/proc/.cshrc", "/dev/proc/fuckit/hax0r", "/dev/proc/fuckit/hax0rshell", "/dev/proc/fuckit/config/lports", "/dev/proc/fuckit/config/rports", "/dev/proc/fuckit/config/rkconf", "/dev/proc/fuckit/config/password", "/dev/proc/fuckit/config/progs", "/dev/proc/fuckit/system-bins/init", "/usr/lib/libcps.a", "/usr/lib/libtty.a", }, Dir: 
[]string{ "/dev/proc", "/dev/proc/fuckit", "/dev/proc/fuckit/system-bins", "/dev/proc/toolz", }, Ksyms: []string{}, }, { Name: "GasKit Rootkit", File: []string{ "/dev/dev/gaskit/sshd/sshdd", }, Dir: []string{ "/dev/dev", "/dev/dev/gaskit", "/dev/dev/gaskit/sshd", }, Ksyms: []string{}, }, { Name: "Heroin LKM", File: []string{}, Dir: []string{}, Ksyms: []string{ "heroin", }, }, { Name: "HjC Kit Rootkit", File: []string{}, Dir: []string{ "/dev/.hijackerz", }, Ksyms: []string{}, }, { Name: "ignoKit Rootkit", File: []string{ "/lib/defs/p", "/lib/defs/q", "/lib/defs/r", "/lib/defs/s", "/lib/defs/t", "/usr/lib/defs/p", "/usr/lib/defs/q", "/usr/lib/defs/r", "/usr/lib/defs/s", "/usr/lib/defs/t", "/usr/lib/.libigno/pkunsec", "/usr/lib/.libigno/.igno/psybnc/psybnc", }, Dir: []string{ "/usr/lib/.libigno", "/usr/lib/.libigno/.igno", }, Ksyms: []string{}, }, { Name: "iLLogiC Rootkit", File: []string{ "/dev/kmod", "/dev/dos", "/usr/lib/crth.o", "/usr/lib/crtz.o", "/etc/ld.so.hash", "/usr/bin/sia", "/usr/bin/ssh2d", "/lib/security/.config/sn", "/lib/security/.config/iver", "/lib/security/.config/uconf.inv", "/lib/security/.config/ssh/ssh_host_key", "/lib/security/.config/ssh/ssh_host_key.pub", "/lib/security/.config/ssh/sshport", "/lib/security/.config/ssh/ssh_random_seed", "/lib/security/.config/ava", "/lib/security/.config/cleaner", "/lib/security/.config/lpsched", "/lib/security/.config/sz", "/lib/security/.config/rcp", "/lib/security/.config/patcher", "/lib/security/.config/pg", "/lib/security/.config/crypt", "/lib/security/.config/utime", "/lib/security/.config/wget", "/lib/security/.config/instmod", "/lib/security/.config/bin/find", "/lib/security/.config/bin/du", "/lib/security/.config/bin/ls", "/lib/security/.config/bin/psr", "/lib/security/.config/bin/netstat", "/lib/security/.config/bin/su", "/lib/security/.config/bin/ping", "/lib/security/.config/bin/passwd", }, Dir: []string{ "/lib/security/.config", "/lib/security/.config/ssh", "/lib/security/.config/bin", 
"/lib/security/.config/backup", "/root/%%%/.dir", "/root/%%%/.dir/mass-scan", "/root/%%%/.dir/flood", }, Ksyms: []string{}, }, { Name: "OSX Inqtana Variant A", File: []string{ "/Users/w0rm-support.tgz", "/Users/InqTest.class", "/Users/com.openbundle.plist", "/Users/com.pwned.plist", "/Users/libavetanaBT.jnilib", }, Dir: []string{ "/Users/de", "/Users/javax", }, Ksyms: []string{}, }, { Name: "OSX Inqtana Variant B", File: []string{ "/Users/w0rms.love.apples.tgz", "/Users/InqTest.class", "/Users/InqTest.java", "/Users/libavetanaBT.jnilib", "/Users/InqTanaHandler", "/Users/InqTanaHandler.bundle", }, Dir: []string{ "/Users/de", "/Users/javax", }, Ksyms: []string{}, }, { Name: "OSX Inqtana Variant C", File: []string{ "/Users/applec0re.tgz", "/Users/InqTest.class", "/Users/InqTest.java", "/Users/libavetanaBT.jnilib", "/Users/environment.plist", "/Users/pwned.c", "/Users/pwned.dylib", }, Dir: []string{ "/Users/de", "/Users/javax", }, Ksyms: []string{}, }, { Name: "IntoXonia-NG Rootkit", File: []string{}, Dir: []string{}, Ksyms: []string{ "funces", "ixinit", "tricks", "kernel_unlink", "rootme", "hide_module", "find_sys_call_tbl", }, }, { Name: "Irix Rootkit", File: []string{}, Dir: []string{ "/dev/pts/01", "/dev/pts/01/backup", "/dev/pts/01/etc", "/dev/pts/01/tmp", }, Ksyms: []string{}, }, { Name: "Jynx Rootkit", File: []string{ "/xochikit/bc", "/xochikit/ld_poison.so", "/omgxochi/bc", "/omgxochi/ld_poison.so", "/var/local/^^/bc", "/var/local/^^/ld_poison.so", }, Dir: []string{ "/xochikit", "/omgxochi", "/var/local/^^", }, Ksyms: []string{}, }, { Name: "Jynx2 Rootkit", File: []string{ "/XxJynx/reality.so", }, Dir: []string{ "/XxJynx", }, Ksyms: []string{}, }, { Name: "KBeast Rootkit", File: []string{ "/usr/_h4x_/ipsecs-kbeast-v1.ko", "/usr/_h4x_/_h4x_bd", "/usr/_h4x_/acctlog", }, Dir: []string{ "/usr/_h4x_", }, Ksyms: []string{ "h4x_delete_module", "h4x_getdents64", "h4x_kill", "h4x_open", "h4x_read", "h4x_rename", "h4x_rmdir", "h4x_tcp4_seq_show", "h4x_write", }, }, { 
Name: "OSX Keydnap backdoor", File: []string{ "/Applications/Transmission.app/Contents/Resources/License.rtf", "/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf", "/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist", "/Library/LaunchAgents/com.geticloud.icloud.photo.plist", }, Dir: []string{ "/Library/Application%Support/com.apple.iCloud.sync.daemon/", }, Ksyms: []string{}, }, { Name: "Kitko Rootkit", File: []string{}, Dir: []string{ "/usr/src/redhat/SRPMS/...", }, Ksyms: []string{}, }, { Name: "Knark Rootkit", File: []string{ "/proc/knark/pids", }, Dir: []string{ "/proc/knark", }, Ksyms: []string{}, }, { Name: "OSX Komplex Trojan", File: []string{ "/Users/Shared/.local/kextd", "/Users/Shared/com.apple.updates.plist", "/Users/Shared/start.sh", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "ld-linuxv rootkit", File: []string{ "/lib/ld-linuxv.so.1", }, Dir: []string{ "/var/opt/_so_cache", "/var/opt/_so_cache/ld", "/var/opt/_so_cache/lc", }, Ksyms: []string{}, }, { Name: "Lion Worm", File: []string{ "/bin/in.telnetd", "/bin/mjy", "/usr/man/man1/man1/lib/.lib/mjy", "/usr/man/man1/man1/lib/.lib/in.telnetd", "/usr/man/man1/man1/lib/.lib/.x", "/dev/.lib/lib/scan/1i0n.sh", "/dev/.lib/lib/scan/hack.sh", "/dev/.lib/lib/scan/bind", "/dev/.lib/lib/scan/randb", "/dev/.lib/lib/scan/scan.sh", "/dev/.lib/lib/scan/pscan", "/dev/.lib/lib/scan/star.sh", "/dev/.lib/lib/scan/bindx.sh", "/dev/.lib/lib/scan/bindname.log", "/dev/.lib/lib/1i0n.sh", "/dev/.lib/lib/lib/netstat", "/dev/.lib/lib/lib/dev/.1addr", "/dev/.lib/lib/lib/dev/.1logz", "/dev/.lib/lib/lib/dev/.1proc", "/dev/.lib/lib/lib/dev/.1file", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "Lockit Rootkit", File: []string{ "/usr/lib/libmen.oo/.LJK2/ssh_config", "/usr/lib/libmen.oo/.LJK2/ssh_host_key", "/usr/lib/libmen.oo/.LJK2/ssh_host_key.pub", "/usr/lib/libmen.oo/.LJK2/ssh_random_seed*", "/usr/lib/libmen.oo/.LJK2/sshd_config", "/usr/lib/libmen.oo/.LJK2/backdoor/RK1bd", 
"/usr/lib/libmen.oo/.LJK2/backup/du", "/usr/lib/libmen.oo/.LJK2/backup/ifconfig", "/usr/lib/libmen.oo/.LJK2/backup/inetd.conf", "/usr/lib/libmen.oo/.LJK2/backup/locate", "/usr/lib/libmen.oo/.LJK2/backup/login", "/usr/lib/libmen.oo/.LJK2/backup/ls", "/usr/lib/libmen.oo/.LJK2/backup/netstat", "/usr/lib/libmen.oo/.LJK2/backup/ps", "/usr/lib/libmen.oo/.LJK2/backup/pstree", "/usr/lib/libmen.oo/.LJK2/backup/rc.sysinit", "/usr/lib/libmen.oo/.LJK2/backup/syslogd", "/usr/lib/libmen.oo/.LJK2/backup/tcpd", "/usr/lib/libmen.oo/.LJK2/backup/top", "/usr/lib/libmen.oo/.LJK2/clean/RK1sauber", "/usr/lib/libmen.oo/.LJK2/clean/RK1wted", "/usr/lib/libmen.oo/.LJK2/hack/RK1parse", "/usr/lib/libmen.oo/.LJK2/hack/RK1sniff", "/usr/lib/libmen.oo/.LJK2/hide/.RK1addr", "/usr/lib/libmen.oo/.LJK2/hide/.RK1dir", "/usr/lib/libmen.oo/.LJK2/hide/.RK1log", "/usr/lib/libmen.oo/.LJK2/hide/.RK1proc", "/usr/lib/libmen.oo/.LJK2/hide/RK1phidemod.c", "/usr/lib/libmen.oo/.LJK2/modules/README.modules", "/usr/lib/libmen.oo/.LJK2/modules/RK1hidem.c", "/usr/lib/libmen.oo/.LJK2/modules/RK1phide", "/usr/lib/libmen.oo/.LJK2/sshconfig/RK1ssh", }, Dir: []string{ "/usr/lib/libmen.oo/.LJK2", }, Ksyms: []string{}, }, { Name: "Mokes backdoor", File: []string{ "/tmp/ss0-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9].sst", "/tmp/aa0-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9].aat", "/tmp/kk0-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9].kkt", "/tmp/dd0-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9].ddt", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "MRK RootKit", File: []string{ "/dev/ida/.inet/pid", "/dev/ida/.inet/ssh_host_key", "/dev/ida/.inet/ssh_random_seed", "/dev/ida/.inet/tcp.log", }, Dir: []string{ "/dev/ida/.inet", "/var/spool/cron/.sh", }, Ksyms: []string{}, }, { Name: "Mood-NT Rootkit", File: []string{ "/sbin/init__mood-nt-_-_cthulhu", "/_cthulhu/mood-nt.init", 
"/_cthulhu/mood-nt.conf", "/_cthulhu/mood-nt.sniff", }, Dir: []string{ "/_cthulhu", }, Ksyms: []string{}, }, { Name: "Ni0 Rootkit", File: []string{ "/var/lock/subsys/...datafile.../...net...", "/var/lock/subsys/...datafile.../...port...", "/var/lock/subsys/...datafile.../...ps...", "/var/lock/subsys/...datafile.../...file...", }, Dir: []string{ "/tmp/waza", "/var/lock/subsys/...datafile...", "/usr/sbin/es", }, Ksyms: []string{}, }, { Name: "Ohhara Rootkit", File: []string{ "/var/lock/subsys/...datafile.../...datafile.../in.smbd.log", }, Dir: []string{ "/var/lock/subsys/...datafile...", "/var/lock/subsys/...datafile.../...datafile...", "/var/lock/subsys/...datafile.../...datafile.../bin", "/var/lock/subsys/...datafile.../...datafile.../usr/bin", "/var/lock/subsys/...datafile.../...datafile.../usr/sbin", "/var/lock/subsys/...datafile.../...datafile.../lib/security", }, Ksyms: []string{}, }, { Name: "Optic Kit Rootkit", File: []string{}, Dir: []string{ "/dev/tux", "/usr/bin/xchk", "/usr/bin/xsf", "/usr/bin/ssh2d", }, Ksyms: []string{}, }, { Name: "OSXRK", File: []string{ "/dev/.rk/nc", "/dev/.rk/diepu", "/dev/.rk/backd", "/Library/StartupItems/opener", "/Library/StartupItems/opener.sh", "/System/Library/StartupItems/opener", "/System/Library/StartupItems/opener.sh", }, Dir: []string{ "/dev/.rk", "/Users/LDAP-daemon", "/tmp/.work", }, Ksyms: []string{}, }, { Name: "Oz Rootkit", File: []string{ "/dev/.oz/.nap/rkit/terror", }, Dir: []string{ "/dev/.oz", }, Ksyms: []string{}, }, { Name: "Phalanx Rootkit", File: []string{ "/uNFuNF", "/etc/host.ph1", "/bin/host.ph1", "/usr/share/.home.ph1/phalanx", "/usr/share/.home.ph1/cb", "/usr/share/.home.ph1/kebab", }, Dir: []string{ "/usr/share/.home.ph1", "/usr/share/.home.ph1/tty", }, Ksyms: []string{}, }, { Name: "Phalanx2 Rootkit", File: []string{ "/etc/khubd.p2/.p2rc", "/etc/khubd.p2/.phalanx2", "/etc/khubd.p2/.sniff", "/etc/khubd.p2/sshgrab.py", "/etc/lolzz.p2/.p2rc", "/etc/lolzz.p2/.phalanx2", "/etc/lolzz.p2/.sniff", 
"/etc/lolzz.p2/sshgrab.py", "/etc/cron.d/zupzzplaceholder", "/usr/lib/zupzz.p2/.p-2.3d", "/usr/lib/zupzz.p2/.p2rc", }, Dir: []string{ "/etc/khubd.p2", "/etc/lolzz.p2", "/usr/lib/zupzz.p2", }, Ksyms: []string{}, }, { Name: "Portacelo Rootkit", File: []string{ "/var/lib/.../.ak", "/var/lib/.../.hk", "/var/lib/.../.rs", "/var/lib/.../.p", "/var/lib/.../getty", "/var/lib/.../lkt.o", "/var/lib/.../show", "/var/lib/.../nlkt.o", "/var/lib/.../ssshrc", "/var/lib/.../sssh_equiv", "/var/lib/.../sssh_known_hosts", "/var/lib/.../sssh_pid ~/.sssh/known_hosts", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "OSX Proton backdoor", File: []string{ "Library/LaunchAgents/com.apple.xpcd.plist", "/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist", "/Library/.rand/updateragent.app", "/tmp/Updater.app", }, Dir: []string{ "/Library/.rand", "/Library/.cachedir", "/Library/.random", }, Ksyms: []string{}, }, { Name: "R3dstorm Toolkit", File: []string{ "/var/log/tk02/see_all", "/var/log/tk02/.scris", "/bin/.../sshd/sbin/sshd1", "/bin/.../hate/sk", "/bin/.../see_all", }, Dir: []string{ "/var/log/tk02", "/var/log/tk02/old", "/bin/...", }, Ksyms: []string{}, }, { Name: "RH-Sharpe Rootkit", File: []string{ "/bin/lps", "/usr/bin/lpstree", "/usr/bin/ltop", "/usr/bin/lkillall", "/usr/bin/ldu", "/usr/bin/lnetstat", "/usr/bin/wp", "/usr/bin/shad", "/usr/bin/vadim", "/usr/bin/slice", "/usr/bin/cleaner", "/usr/include/rpcsvc/du", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "RSHA Rootkit", File: []string{ "/bin/kr4p", "/usr/bin/n3tstat", "/usr/bin/chsh2", "/usr/bin/slice2", "/usr/src/linux/arch/alpha/lib/.lib/.1proc", "/etc/rc.d/arch/alpha/lib/.lib/.1addr", }, Dir: []string{ "/etc/rc.d/rsha", "/etc/rc.d/arch/alpha/lib/.lib", }, Ksyms: []string{}, }, { Name: "Shutdown Rootkit", File: []string{ "/usr/man/man5/..%/.dir/scannah/asus", "/usr/man/man5/..%/.dir/see", "/usr/man/man5/..%/.dir/nscd", "/usr/man/man5/..%/.dir/alpd", "/etc/rc.d/rc.local%", }, Dir: []string{ "/usr/man/man5/..%/.dir", 
"/usr/man/man5/..%/.dir/scannah", "/etc/rc.d/rc0.d/..%/.dir", }, Ksyms: []string{}, }, { Name: "Scalper Worm", File: []string{ "/tmp/.a", "/tmp/.uua", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "SHV4 Rootkit", File: []string{ "/etc/ld.so.hash", "/lib/libext-2.so.7", "/lib/lidps1.so", "/lib/libproc.a", "/lib/libproc.so.2.0.6", "/lib/ldd.so/tks", "/lib/ldd.so/tkp", "/lib/ldd.so/tksb", "/lib/security/.config/sshd", "/lib/security/.config/ssh/ssh_host_key", "/lib/security/.config/ssh/ssh_host_key.pub", "/lib/security/.config/ssh/ssh_random_seed", "/usr/include/file.h", "/usr/include/hosts.h", "/usr/include/lidps1.so", "/usr/include/log.h", "/usr/include/proc.h", "/usr/sbin/xntps", "/dev/srd0", }, Dir: []string{ "/lib/ldd.so", "/lib/security/.config", "/lib/security/.config/ssh", }, Ksyms: []string{}, }, { Name: "SHV5 Rootkit", File: []string{ "/etc/sh.conf", "/lib/libproc.a", "/lib/libproc.so.2.0.6", "/lib/lidps1.so", "/lib/libsh.so/bash", "/usr/include/file.h", "/usr/include/hosts.h", "/usr/include/log.h", "/usr/include/proc.h", "/lib/libsh.so/shdcf2", "/lib/libsh.so/shhk", "/lib/libsh.so/shhk.pub", "/lib/libsh.so/shrs", "/usr/lib/libsh/.bashrc", "/usr/lib/libsh/shsb", "/usr/lib/libsh/hide", "/usr/lib/libsh/.sniff/shsniff", "/usr/lib/libsh/.sniff/shp", "/dev/srd0", }, Dir: []string{ "/lib/libsh.so", "/usr/lib/libsh", "/usr/lib/libsh/utilz", "/usr/lib/libsh/.backup", }, Ksyms: []string{}, }, { Name: "Sin Rootkit", File: []string{ "/dev/.haos/haos1/.f/Denyed", "/dev/ttyoa", "/dev/ttyof", "/dev/ttyop", "/dev/ttyos", "/usr/lib/.lib", "/usr/lib/sn/.X", "/usr/lib/sn/.sys", "/usr/lib/ld/.X", "/usr/man/man1/...", "/usr/man/man1/.../.m", "/usr/man/man1/.../.w", }, Dir: []string{ "/usr/lib/sn", "/usr/lib/man1/...", "/dev/.haos", }, Ksyms: []string{}, }, { Name: "Slapper Worm", File: []string{ "/tmp/.bugtraq", "/tmp/.uubugtraq", "/tmp/.bugtraq.c", "/tmp/httpd", "/tmp/.unlock", "/tmp/update", "/tmp/.cinik", "/tmp/.b", }, Dir: []string{}, Ksyms: []string{}, }, { Name: 
"Sneakin Rootkit", File: []string{}, Dir: []string{ "/tmp/.X11-unix/.../rk", }, Ksyms: []string{}, }, { Name: "Solaris Wanuk backdoor", File: []string{ "/var/adm/sa/.adm/.lp-door.i86pc", "/var/adm/sa/.adm/.lp-door.sun4", "/var/spool/lp/admins/.lp-door.i86pc", "/var/spool/lp/admins/.lp-door.sun4", "/var/spool/lp/admins/lpshut", "/var/spool/lp/admins/lpsystem", "/var/spool/lp/admins/lpadmin", "/var/spool/lp/admins/lpmove", "/var/spool/lp/admins/lpusers", "/var/spool/lp/admins/lpfilter", "/var/spool/lp/admins/lpstat", "/var/spool/lp/admins/lpd", "/var/spool/lp/admins/lpsched", "/var/spool/lp/admins/lpc", }, Dir: []string{ "/var/adm/sa/.adm", }, Ksyms: []string{}, }, { Name: "Solaris Wanuk Worm", File: []string{ "/var/adm/.adm", "/var/adm/.i86pc", "/var/adm/.sun4", "/var/adm/sa/.adm", "/var/adm/sa/.adm/.i86pc", "/var/adm/sa/.adm/.sun4", "/var/adm/sa/.adm/.crontab", "/var/adm/sa/.adm/devfsadmd", "/var/adm/sa/.adm/svcadm", "/var/adm/sa/.adm/cfgadm", "/var/adm/sa/.adm/kadmind", "/var/adm/sa/.adm/zoneadmd", "/var/adm/sa/.adm/sadm", "/var/adm/sa/.adm/sysadm", "/var/adm/sa/.adm/dladm", "/var/adm/sa/.adm/bootadm", "/var/adm/sa/.adm/routeadm", "/var/adm/sa/.adm/uadmin", "/var/adm/sa/.adm/acctadm", "/var/adm/sa/.adm/cryptoadm", "/var/adm/sa/.adm/inetadm", "/var/adm/sa/.adm/logadm", "/var/adm/sa/.adm/nlsadmin", "/var/adm/sa/.adm/sacadm", "/var/adm/sa/.adm/syseventadmd", "/var/adm/sa/.adm/ttyadmd", "/var/adm/sa/.adm/consadmd", "/var/adm/sa/.adm/metadevadm", "/var/adm/sa/.i86pc", "/var/adm/sa/.sun4", "/var/adm/sa/acctadm", "/var/adm/sa/bootadm", "/var/adm/sa/cfgadm", "/var/adm/sa/consadmd", "/var/adm/sa/cryptoadm", "/var/adm/sa/devfsadmd", "/var/adm/sa/dladm", "/var/adm/sa/inetadm", "/var/adm/sa/kadmind", "/var/adm/sa/logadm", "/var/adm/sa/metadevadm", "/var/adm/sa/nlsadmin", "/var/adm/sa/routeadm", "/var/adm/sa/sacadm", "/var/adm/sa/sadm", "/var/adm/sa/svcadm", "/var/adm/sa/sysadm", "/var/adm/sa/syseventadmd", "/var/adm/sa/ttyadmd", "/var/adm/sa/uadmin", "/var/adm/sa/zoneadmd", 
"/var/spool/lp/admins/.lp/.crontab", "/var/spool/lp/admins/.lp/lpshut", "/var/spool/lp/admins/.lp/lpsystem", "/var/spool/lp/admins/.lp/lpadmin", "/var/spool/lp/admins/.lp/lpmove", "/var/spool/lp/admins/.lp/lpusers", "/var/spool/lp/admins/.lp/lpfilter", "/var/spool/lp/admins/.lp/lpstat", "/var/spool/lp/admins/.lp/lpd", "/var/spool/lp/admins/.lp/lpsched", "/var/spool/lp/admins/.lp/lpc", }, Dir: []string{ "/var/adm/sa/.adm", "/var/spool/lp/admins/.lp", }, Ksyms: []string{}, }, { Name: "Spanish Rootkit", File: []string{ "/dev/ptyq", "/bin/ad", "/bin/ava", "/bin/server", "/usr/sbin/rescue", "/usr/share/.../chrps", "/usr/share/.../chrifconfig", "/usr/share/.../netstat", "/usr/share/.../linsniffer", "/usr/share/.../charbd", "/usr/share/.../charbd2", "/usr/share/.../charbd3", "/usr/share/.../charbd4", "/usr/man/tmp/update.tgz", "/var/lib/rpm/db.rpm", "/var/cache/man/.cat", "/var/spool/lpd/remote/.lpq", }, Dir: []string{ "/usr/share/...", }, Ksyms: []string{}, }, { Name: "Suckit Rootkit", File: []string{ "/sbin/initsk12", "/sbin/initxrk", "/usr/bin/null", "/usr/share/locale/sk/.sk12/sk", "/etc/rc.d/rc0.d/S23kmdac", "/etc/rc.d/rc1.d/S23kmdac", "/etc/rc.d/rc2.d/S23kmdac", "/etc/rc.d/rc3.d/S23kmdac", "/etc/rc.d/rc4.d/S23kmdac", "/etc/rc.d/rc5.d/S23kmdac", "/etc/rc.d/rc6.d/S23kmdac", }, Dir: []string{ "/dev/sdhu0/tehdrakg", "/etc/.MG", "/usr/share/locale/sk/.sk12", "/usr/lib/perl5/site_perl/i386-linux/auto/TimeDate/.packlist", }, Ksyms: []string{}, }, { Name: "NSDAP Rootkit", File: []string{ "/dev/pts/01/55su", "/dev/pts/01/55ps", "/dev/pts/01/55ping", "/dev/pts/01/55login", "/dev/pts/01/PATCHER_COMPLETED", "/dev/prom/sn.l", "/dev/prom/dos", "/usr/lib/vold/nsdap/.kit", "/usr/lib/vold/nsdap/defines", "/usr/lib/vold/nsdap/patcher", "/usr/lib/vold/nsdap/pg", "/usr/lib/vold/nsdap/cleaner", "/usr/lib/vold/nsdap/utime", "/usr/lib/vold/nsdap/crypt", "/usr/lib/vold/nsdap/findkit", "/usr/lib/vold/nsdap/sn2", "/usr/lib/vold/nsdap/sniffload", "/usr/lib/vold/nsdap/runsniff", 
"/usr/lib/lpset", "/usr/lib/lpstart", "/usr/bin/mc68000", "/usr/bin/mc68010", "/usr/bin/mc68020", "/usr/ucb/bin/ps", "/usr/bin/m68k", "/usr/bin/sun2", "/usr/bin/mc68030", "/usr/bin/mc68040", "/usr/bin/sun3", "/usr/bin/sun3x", "/usr/bin/lso", "/usr/bin/u370", }, Dir: []string{ "/dev/pts/01", "/dev/prom", "/usr/lib/vold/nsdap", "/.pat", }, Ksyms: []string{}, }, { Name: "SunOS Rootkit", File: []string{ "/etc/ld.so.hash", "/lib/libext-2.so.7", "/usr/bin/ssh2d", "/bin/xlogin", "/usr/lib/crth.o", "/usr/lib/crtz.o", "/sbin/login", "/lib/security/.config/sn", "/lib/security/.config/lpsched", "/dev/kmod", "/dev/dos", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "Superkit Rootkit", File: []string{ "/usr/man/.sman/sk/backsh", "/usr/man/.sman/sk/izbtrag", "/usr/man/.sman/sk/sksniff", "/var/www/cgi-bin/cgiback.cgi", }, Dir: []string{ "/usr/man/.sman/sk", }, Ksyms: []string{}, }, { Name: "TBD(Telnet Backdoor)", File: []string{ "/usr/lib/.tbd", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "TeLeKiT Rootkit", File: []string{ "/usr/man/man3/.../TeLeKiT/bin/sniff", "/usr/man/man3/.../TeLeKiT/bin/telnetd", "/usr/man/man3/.../TeLeKiT/bin/teleulo", "/usr/man/man3/.../cl", "/dev/ptyr", "/dev/ptyp", "/dev/ptyq", "/dev/hda06", "/usr/info/libc1.so", }, Dir: []string{ "/usr/man/man3/...", "/usr/man/man3/.../lsniff", "/usr/man/man3/.../TeLeKiT", }, Ksyms: []string{}, }, { Name: "OSX Togroot Rootkit", File: []string{ "/System/Library/Extensions/Togroot.kext/Contents/Info.plist", "/System/Library/Extensions/Togroot.kext/Contents/pbdevelopment.plist", "/System/Library/Extensions/Togroot.kext/Contents/MacOS/togrootkext", }, Dir: []string{ "/System/Library/Extensions/Togroot.kext", "/System/Library/Extensions/Togroot.kext/Contents", "/System/Library/Extensions/Togroot.kext/Contents/MacOS", }, Ksyms: []string{}, }, { Name: "T0rn Rootkit", File: []string{ "/dev/.lib/lib/lib/t0rns", "/dev/.lib/lib/lib/du", "/dev/.lib/lib/lib/ls", "/dev/.lib/lib/lib/t0rnsb", "/dev/.lib/lib/lib/ps", 
"/dev/.lib/lib/lib/t0rnp", "/dev/.lib/lib/lib/find", "/dev/.lib/lib/lib/ifconfig", "/dev/.lib/lib/lib/pg", "/dev/.lib/lib/lib/ssh.tgz", "/dev/.lib/lib/lib/top", "/dev/.lib/lib/lib/sz", "/dev/.lib/lib/lib/login", "/dev/.lib/lib/lib/in.fingerd", "/dev/.lib/lib/lib/1i0n.sh", "/dev/.lib/lib/lib/pstree", "/dev/.lib/lib/lib/in.telnetd", "/dev/.lib/lib/lib/mjy", "/dev/.lib/lib/lib/sush", "/dev/.lib/lib/lib/tfn", "/dev/.lib/lib/lib/name", "/dev/.lib/lib/lib/getip.sh", "/usr/info/.torn/sh*", "/usr/src/.puta/.1addr", "/usr/src/.puta/.1file", "/usr/src/.puta/.1proc", "/usr/src/.puta/.1logz", "/usr/info/.t0rn", }, Dir: []string{ "/dev/.lib", "/dev/.lib/lib", "/dev/.lib/lib/lib", "/dev/.lib/lib/lib/dev", "/dev/.lib/lib/scan", "/usr/src/.puta", "/usr/man/man1/man1", "/usr/man/man1/man1/lib", "/usr/man/man1/man1/lib/.lib", "/usr/man/man1/man1/lib/.lib/.backup", }, Ksyms: []string{}, }, { Name: "trNkit Rootkit", File: []string{ "/usr/lib/libbins.la", "/usr/lib/libtcs.so", "/dev/.ttpy/ulogin.sh", "/dev/.ttpy/tcpshell.sh", "/dev/.ttpy/bupdu", "/dev/.ttpy/buloc", "/dev/.ttpy/buloc1", "/dev/.ttpy/buloc2", "/dev/.ttpy/stat", "/dev/.ttpy/backps", "/dev/.ttpy/tree", "/dev/.ttpy/topk", "/dev/.ttpy/wold", "/dev/.ttpy/whoold", "/dev/.ttpy/backdoors", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "Trojanit Kit Rootkit", File: []string{ "bin/.ls", "/bin/.ps", "/bin/.netstat", "/usr/bin/.nop", "/usr/bin/.who", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "Turtle Rootkit", File: []string{ "/dev/turtle2dev", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "Tuxtendo Rootkit", File: []string{ "/lib/libproc.so.2.0.7", "/usr/bin/xchk", "/usr/bin/xsf", "/dev/tux/suidsh", "/dev/tux/.addr", "/dev/tux/.cron", "/dev/tux/.file", "/dev/tux/.log", "/dev/tux/.proc", "/dev/tux/.iface", "/dev/tux/.pw", "/dev/tux/.df", "/dev/tux/.ssh", "/dev/tux/.tux", "/dev/tux/ssh2/sshd2_config", "/dev/tux/ssh2/hostkey", "/dev/tux/ssh2/hostkey.pub", "/dev/tux/ssh2/logo", "/dev/tux/ssh2/random_seed", 
"/dev/tux/backup/crontab", "/dev/tux/backup/df", "/dev/tux/backup/dir", "/dev/tux/backup/find", "/dev/tux/backup/ifconfig", "/dev/tux/backup/locate", "/dev/tux/backup/netstat", "/dev/tux/backup/ps", "/dev/tux/backup/pstree", "/dev/tux/backup/syslogd", "/dev/tux/backup/tcpd", "/dev/tux/backup/top", "/dev/tux/backup/updatedb", "/dev/tux/backup/vdir", }, Dir: []string{ "/dev/tux", "/dev/tux/ssh2", "/dev/tux/backup", }, Ksyms: []string{}, }, { Name: "Universal Rootkit", File: []string{ "/dev/prom/sn.l", "/usr/lib/ldlibps.so", "/usr/lib/ldlibnet.so", "/dev/pts/01/uconf.inv", "/dev/pts/01/cleaner", "/dev/pts/01/bin/psniff", "/dev/pts/01/bin/du", "/dev/pts/01/bin/ls", "/dev/pts/01/bin/passwd", "/dev/pts/01/bin/ps", "/dev/pts/01/bin/psr", "/dev/pts/01/bin/su", "/dev/pts/01/bin/find", "/dev/pts/01/bin/netstat", "/dev/pts/01/bin/ping", "/dev/pts/01/bin/strings", "/dev/pts/01/bin/bash", "/usr/man/man1/xxxxxxbin/du", "/usr/man/man1/xxxxxxbin/ls", "/usr/man/man1/xxxxxxbin/passwd", "/usr/man/man1/xxxxxxbin/ps", "/usr/man/man1/xxxxxxbin/psr", "/usr/man/man1/xxxxxxbin/su", "/usr/man/man1/xxxxxxbin/find", "/usr/man/man1/xxxxxxbin/netstat", "/usr/man/man1/xxxxxxbin/ping", "/usr/man/man1/xxxxxxbin/strings", "/usr/man/man1/xxxxxxbin/bash", "/tmp/conf.inv", }, Dir: []string{ "/dev/prom", "/dev/pts/01", "/dev/pts/01/bin", "/usr/man/man1/xxxxxxbin", }, Ksyms: []string{}, }, { Name: "VcKit Rootkit", File: []string{}, Dir: []string{ "/usr/include/linux/modules/lib.so", "/usr/include/linux/modules/lib.so/bin", }, Ksyms: []string{}, }, { Name: "Vampire Rootkit", File: []string{}, Dir: []string{}, Ksyms: []string{ "new_getdents", "old_getdents", "should_hide_file_name", "should_hide_task_name", }, }, { Name: "Volc Rootkit", File: []string{ "/usr/bin/volc", "/usr/lib/volc/backdoor/divine", "/usr/lib/volc/linsniff", "/etc/rc.d/rc1.d/S25sysconf", "/etc/rc.d/rc2.d/S25sysconf", "/etc/rc.d/rc3.d/S25sysconf", "/etc/rc.d/rc4.d/S25sysconf", "/etc/rc.d/rc5.d/S25sysconf", }, Dir: []string{ 
"/var/spool/.recent", "/var/spool/.recent/.files", "/usr/lib/volc", "/usr/lib/volc/backup", }, Ksyms: []string{}, }, { Name: "weaponX", File: []string{ "/System/Library/Extensions/WeaponX.kext", }, Dir: []string{ "/tmp/...", }, Ksyms: []string{}, }, { Name: "Xzibit Rootkit", File: []string{ "/dev/dsx", "/dev/caca", "/dev/ida/.inet/linsniffer", "/dev/ida/.inet/logclear", "/dev/ida/.inet/sense", "/dev/ida/.inet/sl2", "/dev/ida/.inet/sshdu", "/dev/ida/.inet/s", "/dev/ida/.inet/ssh_host_key", "/dev/ida/.inet/ssh_random_seed", "/dev/ida/.inet/sl2new.c", "/dev/ida/.inet/tcp.log", "/home/httpd/cgi-bin/becys.cgi", "/usr/local/httpd/cgi-bin/becys.cgi", "/usr/local/apache/cgi-bin/becys.cgi", "/www/httpd/cgi-bin/becys.cgi", "/www/cgi-bin/becys.cgi", }, Dir: []string{ "/dev/ida/.inet", }, Ksyms: []string{}, }, { Name: "X-Org SunOS Rootkit", File: []string{ "/usr/lib/libX.a/bin/tmpfl", "/usr/lib/libX.a/bin/rps", "/usr/bin/srload", "/usr/lib/libX.a/bin/sparcv7/rps", "/usr/sbin/modcheck", }, Dir: []string{ "/usr/lib/libX.a", "/usr/lib/libX.a/bin", "/usr/lib/libX.a/bin/sparcv7", "/usr/share/man...", }, Ksyms: []string{}, }, { Name: "zaRwT.KiT Rootkit", File: []string{ "/dev/rd/s/sendmeil", "/dev/ttyf", "/dev/ttyp", "/dev/ttyn", "/rk/tulz", }, Dir: []string{ "/rk", "/dev/rd/s", }, Ksyms: []string{}, }, { Name: "ZK Rootkit", File: []string{ "/usr/share/.zk/zk", "/usr/X11R6/.zk/xfs", "/usr/X11R6/.zk/echo", "/etc/1ssue.net", "/etc/sysconfig/console/load.zk", }, Dir: []string{ "/usr/share/.zk", "/usr/X11R6/.zk", }, Ksyms: []string{}, }, { Name: "Miscellaneous login backdoors", File: []string{ "/bin/.login", "/sbin/.login", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "Sniffer log", File: []string{ "/usr/lib/libice.log", "/dev/prom/sn.l", "/dev/fd/.88/zxsniff.log", }, Dir: []string{}, Ksyms: []string{}, }, { Name: "Suspicious dir", File: []string{}, Dir: []string{ "/usr/X11R6/bin/.,/copy", "/dev/rd/cdb", }, Ksyms: []string{}, }, { Name: "Apache backdoor", File: []string{ 
"/etc/apache2/mods-enabled/mod_rootme.so", "/etc/apache2/mods-enabled/mod_rootme2.so", "/etc/httpd/modules/mod_rootme.so", "/etc/httpd/modules/mod_rootme2.so", "/usr/apache/libexec/mod_rootme.so", "/usr/apache/libexec/mod_rootme2.so", "/usr/lib/modules/mod_rootme.so", "/usr/lib/modules/mod_rootme2.so", "/usr/local/apache/modules/mod_rootme.so", "/usr/local/apache/modules/mod_rootme2.so", "/usr/local/apache/conf/mod_rootme.so", "/usr/local/apache/conf/mod_rootme2.so", "/usr/local/etc/apache/mod_rootme.so", "/usr/local/etc/apache/mod_rootme2.so", "/etc/apache/mod_rootme.so", "/etc/apache/mod_rootme2.so", "/etc/httpd/conf/mod_rootme.so", "/etc/httpd/conf/mod_rootme2.so", }, Dir: []string{}, Ksyms: []string{}, }, } KcallList = []*SyscallEntry{}/* 329 elements not displayed */ )
Functions ¶
func BytesToUint ¶
Types ¶
type KallSyms ¶
// KallSyms is the in-memory view of the kernel symbol table that the rest of
// the package resolves names and addresses against. The package declares the
// source path (KallsymsPath) and an init sentinel (ErrKallsymsInit) for it;
// how and when the fields below are populated is not visible on this page.
type KallSyms struct {
	// Version is the parsed kernel version. It is a pointer, so callers should
	// expect nil until initialisation has run — presumably filled by the same
	// code that calls KernelVersion.GetKernelVersion; confirm against the caller.
	Version *KernelVersion
	// SyscallEntry is the syscall table (Ksyscall) associated with this symbol set.
	SyscallEntry *Ksyscall
	// KallsymsMap maps a symbol name to its KallsymsEntry (address/type details
	// live in KallsymsEntry, whose fields are not shown here).
	KallsymsMap map[string]KallsymsEntry
	// KernelTextRange — NOTE(review): KcoreMemory carries a field of the same
	// name; presumably the extent of the kernel text region used to bound
	// address checks. Confirm before relying on it.
	KernelTextRange uint64
}
type KallsymsEntry ¶
type KcoreMemory ¶
// KcoreMemory provides read access to kernel memory through an ELF core image
// (the package declares KcorePath = "/proc/kcore"). Init opens it via the
// api.FileSystem abstraction and records the kernel text address; Read, ReadI
// and ReadQ perform bounded reads, and FindModule maps an address back to a
// ModuleInfo. The package-level sentinels ErrTooBig and ErrSizeMissMatch are
// the errors a caller should expect from the read helpers.
//
// NOTE(review): the kernel core image is normally readable only by root, so
// Init is expected to fail on unprivileged hosts — confirm how callers handle
// ErrKcoreInit.
type KcoreMemory struct {
	// FileHandle is the open handle to the core image — presumably set by Init.
	FileHandle api.File
	// FileHeader is the parsed ELF64 header of the image (debug/elf type).
	// The 64-bit header type suggests 32-bit kernels are not supported — confirm.
	FileHeader *elf.Header64
	// FileToVaddrOffset — presumably the delta between a kernel virtual address
	// and the corresponding file offset, applied by the read helpers; confirm.
	FileToVaddrOffset int64
	// TextAddr is the kernel text address handed to Init as textAddr.
	TextAddr uint64
	// TextSize — presumably the size of the kernel text segment; not shown here.
	TextSize uint64
	// KernelTextRange — see the note on KallSyms.KernelTextRange; role not
	// visible in this view.
	KernelTextRange uint64
	// contains filtered or unexported fields (elided by the documentation renderer)
}
func (*KcoreMemory) FindModule ¶
func (kcore *KcoreMemory) FindModule( addr uint64, modOffset int, version *KernelVersion, ) (ModuleInfo, error)
func (*KcoreMemory) Init ¶
func (kcore *KcoreMemory) Init( apiFileSystem api.FileSystem, textAddr uint64, ) error
type KernelModules ¶
// KernelModules holds the loaded-module list used to attribute kernel
// addresses to a module. The package declares KernelModulesPath =
// "/proc/modules" and ModuleOffset = 0x90 alongside it; Init(apiFileSystem)
// populates the list, and BinarySearch/Insert operate on it.
type KernelModules struct {
	// ModuleList is the module table. BinarySearch(addr) returning an index and
	// Insert(index, value) together suggest it is kept sorted by address —
	// confirm against Insert before assuming ordering.
	ModuleList []*ModuleInfo
	// ModDetail is a project type (event.FileDetail); its role is not visible here.
	ModDetail event.FileDetail
	// ModOffset — presumably the value passed as modOffset to
	// KcoreMemory.FindModule (cf. the ModuleOffset constant); confirm.
	ModOffset int
}
func (*KernelModules) BinarySearch ¶
func (kmod *KernelModules) BinarySearch(addr uint64) int
func (*KernelModules) Init ¶
func (kmod *KernelModules) Init(apiFileSystem api.FileSystem) error
func (*KernelModules) Insert ¶
func (kmod *KernelModules) Insert(index int, value *ModuleInfo)
type KernelVersion ¶
func (*KernelVersion) GetKernelVersion ¶
func (version *KernelVersion) GetKernelVersion(apiFileSystem api.FileSystem) error
func (*KernelVersion) ParseVersionString ¶
func (version *KernelVersion) ParseVersionString(versionString string) error
type Ksyscall ¶
// Ksyscall pairs an ordered syscall table with a by-name lookup.
type Ksyscall struct {
	// SyscallList is the syscall table. The package also exports KcallList, a
	// []*SyscallEntry (329 elements, elided on this page); whether SyscallList
	// is initialised from it is not visible here.
	SyscallList []*SyscallEntry
	// SyscallMap maps a syscall name to an int — presumably its index into
	// SyscallList; confirm.
	SyscallMap map[string]int
}
type ModuleInfo ¶
type RootkitRule ¶
type SyscallEntry ¶