Information about Suspicious files
The files listed here were found on some infected/owned machines. They are not part of any rootkit, but some “crackers” use them. They can be a sniffer, the log of a sniffer, or a lot of other things.
Take a careful look if you find any of these files on your system.
More Information
N/A
Origin of Rule
N/A
File
- etc/rc.d/init.d/rc.modules
- lib/ldd.so
- usr/man/muie
- usr/X11R6/include/pain
- usr/bin/sourcemask
- usr/bin/ras2xm
- usr/bin/ddc
- usr/bin/jdc
- usr/sbin/in.telnet
- sbin/vobiscum
- usr/sbin/jcd
- usr/sbin/atd2
- usr/bin/ishit
- usr/bin/.etc
- usr/bin/xstat
- var/run/.tmp
- usr/man/man1/lib/.lib
- usr/man/man2/.man8
- var/run/.pid
- lib/.so
- lib/.fx
- lib/lblip.tk
- usr/lib/.fx
- var/local/.lpd
- dev/rd/cdb
- dev/.rd/
- usr/lib/pt07
- usr/bin/atm
- tmp/.cheese
- dev/.arctic
- dev/.xman
- dev/srd0
- dev/ptyzx
- dev/ptyzg
- dev/xdf1
- dev/ttyop
- dev/ttyof
- dev/hd5
- dev/hd6
- dev/hd7
- dev/hdx1
- dev/hdx2
- dev/xdf2
- dev/ptyp
- dev/ptyr
- */.src
- *last.cgi
- *nobody.cgi
- *void.cgi
- *all4one.cgi
- *xntps
- */.xman
- */.arctic
- *psybnc
- *mech.session
- *sshdu
Note
All files marked with an “*” need to be searched for across the whole system.
If you have any more information about these rootkits, send it to rootkits at ossec.net
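The two kinds of entry in the list above (fixed paths, and “*” entries searched for across the whole system) can be checked as in the following sketch. It is an added example, not OSSEC's own code: the function names are hypothetical, only a subset of the list is embedded, and it assumes a “*” entry means an exact file-name match in any directory.

```python
import os
import tempfile

# Subset of the page's list; "*" entries are searched for in every directory.
ENTRIES = ["usr/bin/sourcemask", "dev/.rd/", "tmp/.cheese",
           "*/.src", "*psybnc", "*last.cgi"]

def split_entries(entries):
    """Separate fixed paths from '*' entries (assumption: exact file-name match)."""
    fixed, names = [], set()
    for entry in entries:
        if entry.startswith("*"):
            names.add(entry[1:].lstrip("/"))
        else:
            fixed.append(entry.rstrip("/"))
    return fixed, names

def scan(root, entries=ENTRIES):
    """Return the sorted paths, relative to root, that match an entry."""
    fixed, names = split_entries(entries)
    hits = set()
    for rel in fixed:
        # lexists: a dangling symlink at a listed path is still a finding
        if os.path.lexists(os.path.join(root, rel)):
            hits.add(rel)
    # Do not follow symlinks, so the walk cannot loop or leave the tree
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            if name in names:
                hits.add(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)

def demo():
    """Scan a constructed tree holding three listed files and two harmless ones."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ["tmp/.cheese", "home/u/.src", "var/www/cgi-bin/last.cgi",
                    "usr/bin/ls", "home/u/notpsybnc"]:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

On a suspect machine, run `scan` against the disk image or the filesystem mounted read-only from trusted media, since tools on a compromised host may hide these files.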