{ "platform": "linux", "version": "1.4.5", "queries": { "bash_door": { "query": "select * from file where path in ('/tmp/mcliZokhb', '/tmp/mclzaKmfa');", "interval": "3600", "description": "bash_door", "value": "Artifacts used by this malware", "platform": "linux" }, "slapper_installed": { "query": "select * from file where path in ('/tmp/.bugtraq', '/tmp/.bugtraq.c', '/tmp/.cinik', '/tmp/.b', '/tmp/httpd', '/tmp./update', '/tmp/.unlock', '/tmp/.font-unix/.cinik', '/tmp/.cinik');", "interval": "3600", "description": "slapper_installed", "value": "Artifacts used by this malware", "platform": "linux" }, "mithra`s_rootkit": { "query": "select * from file where path in ('/usr/lib/locale/uboot');", "interval": "3600", "description": "mithra`s_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "omega_worm": { "query": "select * from file where path in ('/dev/chr');", "interval": "3600", "description": "omega_worm", "value": "Artifacts used by this malware", "platform": "linux" }, "kenga3_rootkit": { "query": "select * from file where path in ('/usr/include/. .');", "interval": "3600", "description": "kenga3_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "sadmind/iis_worm": { "query": "select * from file where path in ('/dev/cuc');", "interval": "3600", "description": "sadmind/iis_worm", "value": "Artifacts used by this malware", "platform": "linux" }, "rsha": { "query": "select * from file where path in ('/usr/bin/kr4p', '/usr/bin/n3tstat', '/usr/bin/chsh2', '/usr/bin/slice2', '/etc/rc.d/rsha');", "interval": "3600", "description": "rsha", "value": "Artifacts used by this malware", "platform": "linux" }, "old_rootkits": { "query": "select * from file where path in ('/usr/include/rpc/ ../kit', '/usr/include/rpc/ ../kit2', '/usr/doc/.sl', '/usr/doc/.sp', '/usr/doc/.statnet', '/usr/doc/.logdsys', '/usr/doc/.dpct', '/usr/doc/.gifnocfi', '/usr/doc/.dnif', '/usr/doc/.nigol');", "interval": "3600", "description": "old_rootkits", "value": "Artifacts used by this malware", "platform": "linux" }, "telekit_trojan": { "query": "select * from file where path in ('/dev/hda06', '/usr/info/libc1.so');", "interval": "3600", "description": "telekit_trojan", "value": "Artifacts used by this malware", "platform": "linux" }, "tc2_worm": { "query": "select * from file where path in ('/usr/info/.tc2k', '/usr/bin/util', '/usr/sbin/initcheck', '/usr/sbin/ldb');", "interval": "3600", "description": "tc2_worm", "value": "Artifacts used by this malware", "platform": "linux" }, "shitc": { "query": "select * from file where path in ('/bin/home', '/sbin/home', '/usr/sbin/in.slogind');", "interval": "3600", "description": "shitc", "value": "Artifacts used by this malware", "platform": "linux" }, "rh_sharpe": { "query": "select * from file where path in ('/bin/.ps', '/usr/bin/cleaner', '/usr/bin/slice', '/usr/bin/vadim', '/usr/bin/.ps', '/bin/.lpstree', '/usr/bin/.lpstree', '/usr/bin/lnetstat', '/bin/lnetstat', '/usr/bin/ldu', '/bin/ldu', '/usr/bin/lkillall', '/bin/lkillall', '/usr/include/rpcsvc/du');", "interval": "3600", "description": "rh_sharpe", "value": "Artifacts used by this malware", "platform": "linux" }, "showtee_/_romanian_rootkit": { "query": "select * from file where path in ('/usr/include/addr.h', '/usr/include/file.h', '/usr/include/syslogs.h', '/usr/include/proc.h');", "interval": "3600", "description": "showtee_/_romanian_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "lrk_rootkit": { "query": "select * from file where path in ('/dev/ida/.inet');", "interval": "3600", "description": "lrk_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "zk_rootkit": { "query": "select * from file where path in ('/usr/share/.zk', '/usr/share/.zk/zk', '/etc/1ssue.net', '/usr/X11R6/.zk', '/usr/X11R6/.zk/xfs', '/usr/X11R6/.zk/echo', '/etc/sysconfig/console/load.zk');", "interval": "3600", "description": "zk_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "ramen_worm": { "query": "select * from file where path in ('/usr/lib/ldlibps.so', '/usr/lib/ldlibns.so', '/usr/lib/ldliblogin.so', '/usr/src/.poop', '/tmp/ramen.tgz', '/etc/xinetd.d/asp');", "interval": "3600", "description": "ramen_worm", "value": "Artifacts used by this malware", "platform": "linux" }, "maniac_rk": { "query": "select * from file where path in ('/usr/bin/mailrc');", "interval": "3600", "description": "maniac_rk", "value": "Artifacts used by this malware", "platform": "linux" }, "bmbl_rootkit": { "query": "select * from file where path in ('/etc/.bmbl', '/etc/.bmbl/sk');", "interval": "3600", "description": "bmbl_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "suckit_rootkit": { "query": "select * from file where path in ('/lib/.x', '/lib/sk');", "interval": "3600", "description": "suckit_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "adore_rootkit": { "query": "select * from file where path in ('/etc/bin/ava', '/etc/sbin/ava');", "interval": "3600", "description": "adore_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "ldp_worm": { "query": "select * from file where path in ('/dev/.kork', '/bin/.login', '/bin/.ps');", "interval": "3600", "description": "ldp_worm", "value": "Artifacts used by this malware", "platform": "linux" }, "romanian_rootkit": { "query": "select * from file where path in ('/usr/sbin/initdl', '/usr/sbin/xntps');", "interval": "3600", "description": "romanian_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "illogic_rootkit": { "query": "select * from file where path in ('/lib/security/.config', '/usr/bin/sia', '/etc/ld.so.hash');", "interval": "3600", "description": "illogic_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "bobkit_rootkit": { "query": "select * from file where path in ('/usr/include/.../', '/usr/lib/.../', '/usr/sbin/.../', '/usr/bin/ntpsx', '/tmp/.bkp', '/usr/lib/.bkit-');", "interval": "3600", "description": "bobkit_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "monkit": { "query": "select * from file where path in ('/lib/defs');", "interval": "3600", "description": "monkit", "value": "Artifacts used by this malware", "platform": "linux" }, "override_rootkit": { "query": "select * from file where path in ('/dev/grid-hide-pid-', '/dev/grid-unhide-pid-', '/dev/grid-show-pids', '/dev/grid-hide-port-', '/dev/grid-unhide-port-');", "interval": "3600", "description": "override_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "madalin_rootkit": { "query": "select * from file where path in ('/usr/include/icekey.h', '/usr/include/iceconf.h', '/usr/include/iceseed.h');", "interval": "3600", "description": "madalin_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "solaris_worm": { "query": "select * from file where path in ('/var/adm/.profile', '/var/spool/lp/.profile', '/var/adm/sa/.adm', '/var/spool/lp/admins/.lp');", "interval": "3600", "description": "solaris_worm", "value": "Artifacts used by this malware", "platform": "linux" }, "phalanx_rootkit": { "query": "select * from file where path in ('/usr/share/.home*', '/usr/share/.home*/tty', '/etc/host.ph1', '/bin/host.ph1');", "interval": "3600", "description": "phalanx_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "ark_rootkit": { "query": "select * from file where path in ('/dev/ptyxx');", "interval": "3600", "description": "ark_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "tribe_bot": { "query": "select * from file where path in ('/dev/wd4');", "interval": "3600", "description": "tribe_bot", "value": "Artifacts used by this malware", "platform": "linux" }, "cback_worm": { "query": "select * from file where path in ('/tmp/cback', '/tmp/derfiq');", "interval": "3600", "description": "cback_worm", "value": "Artifacts used by this malware", "platform": "linux" }, "optickit": { "query": "select * from file where path in ('/usr/bin/xchk', '/usr/bin/xsf', '/usr/bin/xsf', '/usr/bin/xchk');", "interval": "3600", "description": "optickit", "value": "Artifacts used by this malware", "platform": "linux" }, "anonoiyng_rootkit": { "query": "select * from file where path in ('/usr/sbin/mech', '/usr/sbin/kswapd');", "interval": "3600", "description": "anonoiyng_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "loc_rookit": { "query": "select * from file where path in ('/tmp/xp', '/tmp/kidd0.c', '/tmp/kidd0');", "interval": "3600", "description": "loc_rookit", "value": "Artifacts used by this malware", "platform": "linux" }, "showtee": { "query": "select * from file where path in ('/usr/lib/.egcs', '/usr/lib/.wormie', '/usr/lib/.kinetic', '/usr/lib/liblog.o', '/usr/include/cron.h', '/usr/include/chk.h');", "interval": "3600", "description": "showtee", "value": "Artifacts used by this malware", "platform": "linux" }, "zarwt_rootkit": { "query": "select * from file where path in ('/bin/imin', '/bin/imout');", "interval": "3600", "description": "zarwt_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "lion_worm": { "query": "select * from file where path in ('/dev/.lib', '/dev/.lib/1iOn.sh', '/bin/mjy', '/bin/in.telnetd', '/usr/info/torn');", "interval": "3600", "description": "lion_worm", "value": "Artifacts used by this malware", "platform": "linux" }, "suspicious_file": { "query": "select * from file where path in ('/etc/rc.d/init.d/rc.modules', '/lib/ldd.so', '/usr/man/muie', '/usr/X11R6/include/pain', '/usr/bin/sourcemask', '/usr/bin/ras2xm', '/usr/bin/ddc', '/usr/bin/jdc', '/usr/sbin/in.telnet', '/sbin/vobiscum', '/usr/sbin/jcd', '/usr/sbin/atd2', '/usr/bin/ishit', '/usr/bin/.etc', '/usr/bin/xstat', '/var/run/.tmp', '/usr/man/man1/lib/.lib', '/usr/man/man2/.man8', '/var/run/.pid', '/lib/.so', '/lib/.fx', '/lib/lblip.tk', '/usr/lib/.fx', '/var/local/.lpd', '/dev/rd/cdb', '/dev/.rd/', '/usr/lib/pt07', '/usr/bin/atm', '/tmp/.cheese', '/dev/.arctic', '/dev/.xman', '/dev/.golf', '/dev/srd0', '/dev/ptyzx', '/dev/ptyzg', '/dev/xdf1', '/dev/ttyop', '/dev/ttyof', '/dev/hd7', '/dev/hdx1', '/dev/hdx2', '/dev/xdf2', '/dev/ptyp', '/dev/ptyr', '/sbin/pback', '/usr/man/man3/psid', '/proc/kset', '/usr/bin/gib', '/usr/bin/snick', '/usr/bin/kfl', '/tmp/.dump', '/var/.x', '/var/.x/psotnic');", "interval": "3600", "description": "suspicious_file", "value": "Artifacts used by this malware", "platform": "linux" }, "apa_kit": { "query": "select * from file where path in ('/usr/share/.aPa');", "interval": "3600", "description": "apa_kit", "value": "Artifacts used by this malware", "platform": "linux" }, "enye_sec_rootkit": { "query": "select * from file where path in ('/etc/.enyelkmHIDE^IT.ko');", "interval": "3600", "description": "enye_sec_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "rk17": { "query": "select * from file where path in ('/bin/rtty', '/bin/squit', '/sbin/pback', '/proc/kset', '/usr/src/linux/modules/autod.o', '/usr/src/linux/modules/soundx.o');", "interval": "3600", "description": "rk17", "value": "Artifacts used by this malware", "platform": "linux" }, "trk_rootkit": { "query": "select * from file where path in ('/usr/bin/soucemask', '/usr/bin/sourcemask');", "interval": "3600", "description": "trk_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "scalper_installed": { "query": "select * from file where path in ('/tmp/.uua', '/tmp/.a');", "interval": "3600", "description": "scalper_installed", "value": "Artifacts used by this malware", "platform": "linux" }, "hidr00tkit": { "query": "select * from file where path in ('/var/lib/games/.k');", "interval": "3600", "description": "hidr00tkit", "value": "Artifacts used by this malware", "platform": "linux" }, "beastkit_rootkit": { "query": "select * from file where path in ('/usr/local/bin/bin', '/usr/man/.man10', '/usr/sbin/arobia', '/usr/lib/elm/arobia', '/usr/local/bin/.../bktd');", "interval": "3600", "description": "beastkit_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "shv5_rootkit": { "query": "select * from file where path in ('/lib/libsh.so', '/usr/lib/libsh');", "interval": "3600", "description": "shv5_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "esrk_rootkit": { "query": "select * from file where path in ('/usr/lib/tcl5.3');", "interval": "3600", "description": "esrk_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "shkit_rootkit": { "query": "select * from file where path in ('/lib/security/.config', '/etc/ld.so.hash');", "interval": "3600", "description": "shkit_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "knark_installed": { "query": "select * from file where path in ('/proc/knark', '/dev/.pizda', '/dev/.pula', '/dev/.pula');", "interval": "3600", "description": "knark_installed", "value": "Artifacts used by this malware", "platform": "linux" }, "volc_rootkit": { "query": "select * from file where path in ('/usr/lib/volc', '/usr/bin/volc');", "interval": "3600", "description": "volc_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "fu_rootkit": { "query": "select * from file where path in ('/sbin/xc', '/usr/include/ivtype.h', '/bin/.lib');", "interval": "3600", "description": "fu_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "ajakit_rootkit": { "query": "select * from file where path in ('/lib/.ligh.gh', '/lib/.libgh.gh', '/lib/.libgh-gh', '/dev/tux', '/dev/tux/.proc', '/dev/tux/.file');", "interval": "3600", "description": "ajakit_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "monkit_found": { "query": "select * from file where path in ('/usr/lib/libpikapp.a');", "interval": "3600", "description": "monkit_found", "value": "Artifacts used by this malware", "platform": "linux" }, "t0rn_rootkit": { "query": "select * from file where path in ('/usr/src/.puta', '/usr/info/.t0rn', '/lib/ldlib.tk', '/etc/ttyhash', '/sbin/xlogin');", "interval": "3600", "description": "t0rn_rootkit", "value": "Artifacts used by this malware", "platform": "linux" }, "adore_worm": { "query": "select * from file where path in ('/dev/.shit/red.tgz', '/usr/lib/libt', '/usr/bin/adore');", "interval": "3600", "description": "adore_worm", "value": "Artifacts used by this malware", "platform": "linux" }, "55808.a_worm": { "query": "select * from file where path in ('/tmp/.../a', '/tmp/.../r');", "interval": "3600", "description": "55808.a_worm", "value": "Artifacts used by this malware", "platform": "linux" }, "tuxkit_rootkit": { "query": "select * from file where path in ('/dev/tux', '/usr/bin/xsf', '/usr/bin/xchk');", "interval": "3600", "description": "tuxkit_rootkit", "value": "Artifacts used by this malware", "platform": "linux" } } }