[ossec-dev] ossec-hids: rootkit_files.txt (HEAD) [dcid]
Module name: ossec-hids
Changes by: dcid 06/09/01 14:17:41
Modified files:
rootkit_files.txt
Log message:
Description: Adding option to disable auto ignore. The option is "auto_ignore" under syscheck. It is set to "yes" by default. Adding more information about the ZK rootkit.
Reviewed by: dcid
Bug: http://www.ossec.net/bugs/show_bug.cgi?id=2
Index: rootkit_files.txt
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/db/rootkit_files.txt,v
diff -u -r1.12 -r1.13
--- rootkit_files.txt 9 Aug 2006 00:42:43 -0000 1.12
+++ rootkit_files.txt 1 Sep 2006 17:17:41 -0000 1.13
@@ -380,6 +380,17 @@
*/phalanx ! PHALANX rootkit ::
+# ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf)
+# and from chkrootkit
+usr/share/.zk ! ZK rootkit ::
+usr/share/.zk/zk ! ZK rootkit ::
+etc/sysconfig/console/load.zk ! ZK rootkit ::
+etc/1ssue.net ! ZK rootkit ::
+usr/X11R6/.zk ! ZK rootkit ::
+usr/X11R6/.zk/xfs ! ZK rootkit ::
+usr/X11R6/.zk/echo ! ZK rootkit ::
+
+
# Public sniffers
*/.linux-sniff ! Sniffer log ::
*/sniff-l0g ! Sniffer log ::
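Review bot: the log message for this revision describes a new "auto_ignore" syscheck option, but the only change to rootkit_files.txt in this hunk is the block of ZK rootkit signatures; the option belongs to a different file and should be committed (or at least described) separately so the history of this database stays readable. Two further points on the block itself: the two added blank lines before "# Public sniffers" should be collapsed to one, matching the single-line separation used between the other groups in this file, and the comment "and from chkrootkit" would be more useful if it said which of the seven paths come from the honeyblog report and which from chkrootkit's checks, since the entries that mimic system files (for example "etc/1ssue.net" standing in for /etc/issue.net) are the ones most likely to need revisiting when the signature sources change.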
@@ -441,3 +452,6 @@
usr/bin/snick ! Suspicious file ::rootkits/Suspicious.php
usr/bin/kfl ! Suspicious file ::rootkits/Suspicious.php
*/.log ! Suspicious file ::rootkits/Suspicious.php
+*/ecmf ! Suspicious file ::rootkits/Suspicious.php
+*/mirkforce ! Suspicious file ::rootkits/Suspicious.php
+*/mfclean ! Suspicious file ::rootkits/Suspicious.php
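Review bot: the three new entries carry the generic description "Suspicious file", so an alert on them tells the analyst nothing about what was found, whereas the entries added in the previous hunk name the rootkit family ("ZK rootkit"). Since these use the "*/" wildcard prefix, like the existing "*/.log" entry, they match that basename in any directory, which makes a meaningful description and the signature's source all the more important for triage; consider naming the tool family in the description and adding a short comment line above the group giving the source, as the ZK block does with its report URL.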
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.