def _end(self, exc_inst=None, ignore_err=False):
'''
This method is called when the process ends normally or by an error.
'''
try:
# End the xUrllib (clear the cache) and create a new one, so it can
# be used by exploit plugins.
self.uriOpener.end()
self.uriOpener = xUrllib()
if exc_inst:
om.out.debug(str(exc_inst))
tm.join(joinAll=True)
tm.stopAllDaemons()
for plugin in self.plugins.plugins['grep']:
plugin.end()
# Also, close the output manager.
om.out.endOutputPlugins()
except Exception:
if not ignore_err:
raise
finally:
self.status.stop()
self.progress.stop()
# Remove all references to plugins from memory
self.plugins.zero_enabled_plugins()
# No targets to be scanned.
cf.cf.save('targets', [])
def _generate_404_knowledge( self, url ):
'''
Based on a URL, request something that we know is going to be a 404.
Afterwards analyze the 404's and summarise them.
@return: A list with 404 bodies.
'''
# Get the filename extension and create a 404 for it
extension = urlParser.getExtension( url )
domain_path = urlParser.getDomainPath( url )
# the result
self._response_body_list = []
#
# This is a list of the most common handlers, in some configurations, the 404
# depends on the handler, so I want to make sure that I catch the 404 for each one
#
handlers = ['py', 'php', 'asp', 'aspx', 'do', 'jsp', 'rb', 'do', 'gif', 'htm', extension]
handlers += ['pl', 'cgi', 'xhtml', 'htmls']
handlers = list(set(handlers))
for extension in handlers:
rand_alnum_file = createRandAlNum( 8 ) + '.' + extension
url404 = urlParser.urlJoin( domain_path , rand_alnum_file )
# Send the requests using threads:
targs = ( url404, )
tm.startFunction( target=self._send_404, args=targs , ownerObj=self )
# Wait for all threads to finish sending the requests.
tm.join( self )
#
# I have the bodies in self._response_body_list , but maybe they all look the same, so I'll
# filter the ones that look alike.
#
result = [ self._response_body_list[0], ]
for i in self._response_body_list:
for j in self._response_body_list:
if relative_distance_ge(i, j, IS_EQUAL_RATIO):
# They are equal, we are ok with that
continue
else:
# They are no equal, this means that we'll have to add this to the list
result.append(j)
# I don't need these anymore
self._response_body_list = None
# And I return the ones I need
result = list(set(result))
om.out.debug('The 404 body result database has a lenght of ' + str(len(result)) +'.')
return result
def _bruteforce(self, fr_list):
'''
@parameter fr_list: A list of fr's to be analyzed by the bruteforce plugins
@return: A list of the URL's that have been successfully bruteforced
'''
res = []
# Status
om.out.debug('Called _bruteforce()' )
self._w3af_core.status.set_phase('bruteforce')
# Progress
bruteforce_plugin_num = len(self._w3af_core.plugins.plugins['bruteforce'])
amount_of_tests = bruteforce_plugin_num * len(fr_list)
self._w3af_core.progress.set_total_amount( amount_of_tests )
for plugin in self._w3af_core.plugins.plugins['bruteforce']:
# Status
self._w3af_core.status.set_running_plugin( plugin.getName() )
for fr in fr_list:
# Status
self._w3af_core.status.set_current_fuzzable_request( fr )
# Sends each URL to the bruteforce plugin
try:
try:
new_frs = plugin.bruteforce_wrapper( fr )
finally:
tm.join( plugin )
except w3afException, e:
om.out.error( str(e) )
except Exception, e:
# Smart error handling, much better than just crashing.
# Doing this here and not with something similar to:
# sys.excepthook = handle_crash because we want to handle
# plugin exceptions in this way, and not framework
# exceptions
exec_info = sys.exc_info()
enabled_plugins = pprint_plugins(self._w3af_core)
exception_handler.handle( self._w3af_core.status, e ,
exec_info, enabled_plugins )
else:
res.extend( new_frs )
# Progress, I performed one test (no matter if it failed or not)
self._w3af_core.progress.inc()
def _audit(self):
om.out.debug('Called _audit()' )
enabled_plugins = self._w3af_core.plugins.getEnabledPlugins('audit')
audit_plugins = self._w3af_core.plugins.plugin_factory( enabled_plugins, 'audit')
# For progress reporting
self._w3af_core.status.set_phase('audit')
amount_of_tests = len(audit_plugins) * len(self._fuzzable_request_set)
self._w3af_core.progress.set_total_amount( amount_of_tests )
# This two loops do all the audit magic [KISS]
for plugin in audit_plugins:
# For status
self._w3af_core.status.set_running_plugin( plugin.getName() )
# Before running each plugin let's make sure we're logged in
self._auth_login()
#TODO: This is a horrible thing to do, we consume lots of memory
# for just a loop. The issue is that we had some strange
# "RuntimeError: Set changed size during iteration" and I had
# no time to solve them.
for fr in set(self._fuzzable_request_set):
# Sends each fuzzable request to the plugin
self._w3af_core.status.set_current_fuzzable_request( fr )
try:
try:
plugin.audit_wrapper( fr )
finally:
tm.join( plugin )
except w3afException, e:
om.out.error( str(e) )
except Exception, e:
# Smart error handling, much better than just crashing.
# Doing this here and not with something similar to:
# sys.excepthook = handle_crash because we want to handle
# plugin exceptions in this way, and not framework
# exceptions
exec_info = sys.exc_info()
enabled_plugins = pprint_plugins(self._w3af_core)
exception_handler.handle( self._w3af_core.status, e ,
exec_info, enabled_plugins )
# Performed one test, report it
self._w3af_core.progress.inc()
def api_read(self, parameters):
self.result = {}
self.k = 400
max_pid = self.shell.read('/proc/sys/kernel/pid_max')[:-1]
# Remove comment to debug
max_pid = 400
for pid in xrange(1, int(max_pid)):
targs = (pid, )
tm.startFunction( target=self._thread_read, args=targs, ownerObj=self )
tm.join( self )
return self.result
def _auth_login(self):
'''
Make login to the web application when it is needed.
'''
for plugin in self._w3af_core.plugins.plugins['auth']:
try:
try:
if not plugin.is_logged():
plugin.login()
finally:
tm.join(plugin)
except Exception, e:
# Smart error handling, much better than just crashing.
# Doing this here and not with something similar to:
# sys.excepthook = handle_crash because we want to handle
# plugin exceptions in this way, and not framework
# exceptions
exec_info = sys.exc_info()
enabled_plugins = pprint_plugins(self._w3af_core)
exception_handler.handle( self._w3af_core.status, e ,
exec_info, enabled_plugins )
def api_read(self, parameters):
files = []
self.result = {}
self.result['bad_kernel_modules'] = []
self.result['backdoor_files'] = []
self.k = 400
# AjaKit Rootkit
files.append('/dev/tux/.addr')
files.append('/dev/tux/.proc')
files.append('/dev/tux/.file')
files.append('/lib/.libgh-gh/cleaner')
files.append('/lib/.libgh-gh/Patch/patch')
files.append('/lib/.libgh-gh/sb0k')
files.append('/dev/tux')
files.append('/lib/.libgh-gh')
# aPa Kit Rootkit
files.append('/usr/share/.aPa')
# Apache Worm
files.append('/bin/.log')
# Ambient (ark) Rootkit
files.append('/usr/lib/.ark?')
files.append('/dev/ptyxx/.log')
files.append('/dev/ptyxx/.file')
files.append('/dev/ptyxx/.proc')
files.append('/dev/ptyxx/.addr')
files.append('/dev/ptyxx')
# Balaur Rootkit 2.0 (LRK5 based)
files.append('/usr/lib/liblog.o')
files.append('/usr/lib/.kinetic')
files.append('/usr/lib/.egcs')
files.append('/usr/lib/.wormie')
# Beastkit Rootkit
files.append('/usr/sbin/arobia')
files.append('/usr/sbin/idrun')
files.append('/usr/lib/elm/arobia/elm')
files.append('/usr/lib/elm/arobia/elm/hk')
files.append('/usr/lib/elm/arobia/elm/hk.pub')
files.append('/usr/lib/elm/arobia/elm/sc')
files.append('/usr/lib/elm/arobia/elm/sd.pp')
files.append('/usr/lib/elm/arobia/elm/sdco')
files.append('/usr/lib/elm/arobia/elm/srsd')
files.append('/lib/ldd.so/bktools')
# beX2 Rootkit
files.append('/usr/info/termcap.info-5.gz')
files.append('/usr/bin/sshd2')
files.append('/usr/include/bex')
# BOBkit Rootkit
files.append('/usr/sbin/ntpsx')
files.append('/usr/sbin/.../bkit-ava')
files.append('/usr/sbin/.../bkit-d')
files.append('/usr/sbin/.../bkit-shd')
files.append('/usr/sbin/.../bkit-f')
files.append('/usr/include/.../proc.h')
files.append('/usr/include/.../.bash_history')
files.append('/usr/include/.../bkit-get')
files.append('/usr/include/.../bkit-dl')
files.append('/usr/include/.../bkit-screen')
files.append('/usr/include/.../bkit-sleep')
files.append('/usr/lib/.../bkit-adore.o')
files.append('/usr/lib/.../ls')
files.append('/usr/lib/.../netstat')
files.append('/usr/lib/.../lsof')
files.append('/usr/lib/.../bkit-ssh/bkit-shdcfg')
files.append('/usr/lib/.../bkit-ssh/bkit-shhk')
files.append('/usr/lib/.../bkit-ssh/bkit-pw')
files.append('/usr/lib/.../bkit-ssh/bkit-shrs')
files.append('/usr/lib/.../bkit-ssh/bkit-mots')
files.append('/usr/lib/.../uconf.inv')
files.append('/usr/lib/.../psr')
files.append('/usr/lib/.../find')
files.append('/usr/lib/.../pstree')
files.append('/usr/lib/.../slocate')
files.append('/usr/lib/.../du')
files.append('/usr/lib/.../top')
files.append('/usr/sbin/...')
files.append('/usr/include/...')
files.append('/usr/include/.../.tmp')
files.append('/usr/lib/...')
files.append('/usr/lib/.../.ssh')
files.append('/usr/lib/.../bkit-ssh')
files.append('/usr/lib/.bkit-')
files.append('/tmp/.bkp')
# Boxer-0.99b3
# cb Rootkit (w00tkit by ZeeN) ')
# The '%' character represents a space.')
# xC.o = Adore LKM')
files.append('/dev/srd0')
files.append('/lib/libproc.so.2.0.6')
files.append('/dev/mounnt')
files.append('/etc/rc.d/init.d/init')
files.append('/usr/bin/.zeen/..%/cl')
files.append('/usr/bin/.zeen/..%/.x.tgz')
files.append('/usr/bin/.zeen/..%/statdx')
files.append('/usr/bin/.zeen/..%/wted')
files.append('/usr/bin/.zeen/..%/write')
files.append('/usr/bin/.zeen/..%/scan')
files.append('/usr/bin/.zeen/..%/sc')
files.append('/usr/bin/.zeen/..%/sl2')
files.append('/usr/bin/.zeen/..%/wroot')
files.append('/usr/bin/.zeen/..%/wscan')
files.append('/usr/bin/.zeen/..%/wu')
files.append('/usr/bin/.zeen/..%/v')
files.append('/usr/bin/.zeen/..%/read')
files.append('/usr/lib/sshrc')
files.append('/usr/lib/ssh_host_key')
files.append('/usr/lib/ssh_host_key.pub')
files.append('/usr/lib/ssh_random_seed')
files.append('/usr/lib/sshd_config')
files.append('/usr/lib/shosts.equiv')
files.append('/usr/lib/ssh_known_hosts')
files.append('/u/zappa/.ssh/pid')
files.append('/usr/bin/.system/..%/tcp.log')
files.append('/usr/bin/.zeen/..%/curatare/attrib')
files.append('/usr/bin/.zeen/..%/curatare/chattr')
files.append('/usr/bin/.zeen/..%/curatare/ps')
files.append('/usr/bin/.zeen/..%/curatare/pstree')
files.append('/usr/bin/.system/..%/.x/xC.o')
files.append('/usr/bin/.zeen')
files.append('/usr/bin/.zeen/..%/curatare')
files.append('/usr/bin/.zeen/..%/scan')
files.append('/usr/bin/.system/..%')
# CiNIK Worm (Slapper.B variant)
files.append('/tmp/.cinik')
files.append('/tmp/.font-unix/.cinik')
# CX Rootkit
files.append('/usr/lib/ldlibso')
files.append('/usr/lib/configlibso')
files.append('/usr/lib/shklibso')
files.append('/usr/lib/randomlibso')
files.append('/usr/lib/ldlibstrings.so')
files.append('/usr/lib/ldlibdu.so')
files.append('/usr/lib/ldlibns.so')
files.append('/usr/include/db')
files.append('/usr/include/cxk')
# Danny-Boy's Abuse Kit
files.append('/dev/mdev')
files.append('/usr/lib/libX.a')
# Devil Rootkit
files.append('/var/lib/games/.src')
files.append('/dev/dsx')
files.append('/dev/caca')
files.append('/dev/pro')
files.append('/bin/bye')
files.append('/bin/homedir')
files.append('/usr/bin/xfss')
files.append('/usr/sbin/tzava')
files.append('/usr/doc/tar/.../.dracusor/stuff/holber')
files.append('/usr/doc/tar/.../.dracusor/stuff/sense')
files.append('/usr/doc/tar/.../.dracusor/stuff/clear')
files.append('/usr/doc/tar/.../.dracusor/stuff/tzava')
files.append('/usr/doc/tar/.../.dracusor/stuff/citeste')
files.append('/usr/doc/tar/.../.dracusor/stuff/killrk')
files.append('/usr/doc/tar/.../.dracusor/stuff/searchlog')
files.append('/usr/doc/tar/.../.dracusor/stuff/gaoaza')
files.append('/usr/doc/tar/.../.dracusor/stuff/cleaner')
files.append('/usr/doc/tar/.../.dracusor/stuff/shk')
files.append('/usr/doc/tar/.../.dracusor/stuff/srs')
files.append('/usr/doc/tar/.../.dracusor/utile.tgz')
files.append('/usr/doc/tar/.../.dracusor/webpage')
files.append('/usr/doc/tar/.../.dracusor/getpsy')
files.append('/usr/doc/tar/.../.dracusor/getbnc')
files.append('/usr/doc/tar/.../.dracusor/getemech')
files.append('/usr/doc/tar/.../.dracusor/localroot.sh')
files.append('/usr/doc/tar/.../.dracusor/stuff/old/sense')
files.append('/usr/doc/tar/.../.dracusor')
# Dica-Kit (T0rn variant) Rootkit
files.append('/lib/.sso')
files.append('/lib/.so')
files.append('/var/run/...dica/clean')
files.append('/var/run/...dica/dxr')
files.append('/var/run/...dica/read')
files.append('/var/run/...dica/write')
files.append('/var/run/...dica/lf')
files.append('/var/run/...dica/xl')
files.append('/var/run/...dica/xdr')
files.append('/var/run/...dica/psg')
files.append('/var/run/...dica/secure')
files.append('/var/run/...dica/rdx')
files.append('/var/run/...dica/va')
files.append('/var/run/...dica/cl.sh')
files.append('/var/run/...dica/last.log')
files.append('/usr/bin/.etc')
files.append('/etc/sshd_config')
files.append('/etc/ssh_host_key')
files.append('/etc/ssh_random_seed')
files.append('/var/run/...dica')
files.append('/var/run/...dica/mh')
files.append('/var/run/...dica/scan')
# Dreams Rootkit
files.append('/dev/ttyoa')
files.append('/dev/ttyof')
files.append('/dev/ttyop')
files.append('/usr/bin/sense')
files.append('/usr/bin/sl2')
files.append('/usr/bin/logclear')
files.append('/usr/bin/(swapd)')
files.append('/usr/bin/initrd')
files.append('/usr/bin/crontabs')
files.append('/usr/bin/snfs')
files.append('/usr/lib/libsss')
files.append('/usr/lib/libsnf.log')
files.append('/usr/lib/libshtift/top')
files.append('/usr/lib/libshtift/ps')
files.append('/usr/lib/libshtift/netstat')
files.append('/usr/lib/libshtift/ls')
files.append('/usr/lib/libshtift/ifconfig')
files.append('/usr/include/linseed.h')
files.append('/usr/include/linpid.h')
files.append('/usr/include/linkey.h')
files.append('/usr/include/linconf.h')
files.append('/usr/include/iceseed.h')
files.append('/usr/include/icepid.h')
files.append('/usr/include/icekey.h')
files.append('/usr/include/iceconf.h" ')
files.append('/dev/ida/.hpd')
files.append('/usr/lib/libshtift')
# Duarawkz Rootkit
files.append('/usr/bin/duarawkz/loginpass')
files.append('/usr/bin/duarawkz')
# ENYE LKM v1.1, v1.2')
# Installer default.
files.append('/etc/.enyelkmHIDE^IT.ko')
files.append('/etc/.enyelkmOCULTAR.ko')
# Flea Linux Rootkit
files.append('/etc/ld.so.hash')
files.append('/lib/security/.config/ssh/sshd_config')
files.append('/lib/security/.config/ssh/ssh_host_key')
files.append('/lib/security/.config/ssh/ssh_host_key.pub')
files.append('/lib/security/.config/ssh/ssh_random_seed')
files.append('/usr/bin/ssh2d')
files.append('/usr/lib/ldlibns.so')
files.append('/usr/lib/ldlibps.so')
files.append('/usr/lib/ldlibpst.so')
files.append('/usr/lib/ldlibdu.so')
files.append('/usr/lib/ldlibct.so')
files.append('/lib/security/.config/ssh')
files.append('/dev/..0')
files.append('/dev/..0/backup')
# FreeBSD Rootkit (FBRK) catering to versions and compile-time defaults used by:
# 1.0 (1997, Method), 1.2 (1997, Method), "ImperialS-FBRK 1.0" (2001, Nyo)
files.append('/dev/ptyp')
files.append('/dev/ptyq')
files.append('/dev/ptyr')
files.append('/dev/ptys')
files.append('/dev/ptyt')
files.append('/dev/fd/.88/freshb-bsd')
files.append('/dev/fd/.88/fresht')
files.append('/dev/fd/.88/zxsniff')
files.append('/dev/fd/.88/zxsniff.log')
files.append('/dev/fd/.99/.ttyf00')
files.append('/dev/fd/.99/.ttyp00')
files.append('/dev/fd/.99/.ttyq00')
files.append('/dev/fd/.99/.ttys00')
files.append('/dev/fd/.99/.pwsx00')
files.append('/etc/.acid')
files.append('/usr/lib/.fx/sched_host.2')
files.append('/usr/lib/.fx/random_d.2')
files.append('/usr/lib/.fx/set_pid.2')
files.append('/usr/lib/.fx/setrgrp.2')
files.append('/usr/lib/.fx/TOHIDE')
files.append('/usr/lib/.fx/cons.saver')
files.append('/usr/lib/.fx/adore/ava/ava')
files.append('/usr/lib/.fx/adore/adore/adore.ko')
files.append('/bin/sysback')
files.append('/usr/local/bin/sysback')
files.append('/dev/fd/.88')
files.append('/dev/fd/.99')
files.append('/usr/lib/.fx')
files.append('/usr/lib/.fx/adore')
# Fu Rootkit
files.append('/sbin/xc')
files.append('/usr/include/ivtype.h')
files.append('/bin/.lib')
# Fuckit Rootkit
files.append('/lib/libproc.so.2.0.7')
files.append('/dev/proc/.bash_profile')
files.append('/dev/proc/.bashrc')
files.append('/dev/proc/.cshrc')
files.append('/dev/proc/fuckit/hax0r')
files.append('/dev/proc/fuckit/hax0rshell')
files.append('/dev/proc/fuckit/config/lports')
files.append('/dev/proc/fuckit/config/rports')
files.append('/dev/proc/fuckit/config/rkconf')
files.append('/dev/proc/fuckit/config/password')
files.append('/dev/proc/fuckit/config/progs')
files.append('/dev/proc/fuckit/system-bins/init')
files.append('/usr/lib/libcps.a')
files.append('/usr/lib/libtty.a')
files.append('/dev/proc')
files.append('/dev/proc/fuckit')
files.append('/dev/proc/fuckit/system-bins')
files.append('/dev/proc/toolz')
# GasKit Rootkit
files.append('/dev/dev/gaskit/sshd/sshdd')
files.append('/dev/dev')
files.append('/dev/dev/gaskit')
files.append('/dev/dev/gaskit/sshd')
# HjC Kit Rootkit
files.append('/dev/.hijackerz')
# ignoKit Rootkit
files.append('/lib/defs/p')
files.append('/lib/defs/q')
files.append('/lib/defs/r')
files.append('/lib/defs/s')
files.append('/lib/defs/t')
files.append('/usr/lib/defs/p')
files.append('/usr/lib/defs/q')
files.append('/usr/lib/defs/r')
files.append('/usr/lib/defs/s')
files.append('/usr/lib/defs/t')
files.append('/usr/lib/.libigno/pkunsec')
files.append('/usr/lib/.libigno/.igno/psybnc/psybnc')
files.append('/usr/lib/.libigno')
files.append('/usr/lib/.libigno/.igno')
# iLLogiC Rootkit (SunOS Rootkit variant)')
files.append('/dev/kmod')
files.append('/dev/dos')
files.append('/usr/lib/crth.o')
files.append('/usr/lib/crtz.o')
files.append('/etc/ld.so.hash')
files.append('/usr/bin/sia')
files.append('/usr/bin/ssh2d')
files.append('/lib/security/.config/sn')
files.append('/lib/security/.config/iver')
files.append('/lib/security/.config/uconf.inv')
files.append('/lib/security/.config/ssh/ssh_host_key')
files.append('/lib/security/.config/ssh/ssh_host_key.pub')
files.append('/lib/security/.config/ssh/sshport')
files.append('/lib/security/.config/ssh/ssh_random_seed')
files.append('/lib/security/.config/ava')
files.append('/lib/security/.config/cleaner')
files.append('/lib/security/.config/lpsched')
files.append('/lib/security/.config/sz')
files.append('/lib/security/.config/rcp')
files.append('/lib/security/.config/patcher')
files.append('/lib/security/.config/pg')
files.append('/lib/security/.config/crypt')
files.append('/lib/security/.config/utime')
files.append('/lib/security/.config/wget')
files.append('/lib/security/.config/instmod')
files.append('/lib/security/.config/bin/find')
files.append('/lib/security/.config/bin/du')
files.append('/lib/security/.config/bin/ls')
files.append('/lib/security/.config/bin/psr')
files.append('/lib/security/.config/bin/netstat')
files.append('/lib/security/.config/bin/su')
files.append('/lib/security/.config/bin/ping')
files.append('/lib/security/.config/bin/passwd')
files.append('/lib/security/.config')
files.append('/lib/security/.config/ssh')
files.append('/lib/security/.config/bin')
files.append('/lib/security/.config/backup')
files.append('/root/%%%/.dir')
files.append('/root/%%%/.dir/mass-scan')
files.append('/root/%%%/.dir/flood')
# Irix Rootkit (for Irix 6.x)')
files.append('/dev/pts/01')
files.append('/dev/pts/01/backup')
files.append('/dev/pts/01/etc')
files.append('/dev/pts/01/tmp')
# Kitko Rootkit')
files.append('/usr/src/redhat/SRPMS/...')
# Knark Rootkit')
files.append('/proc/knark/pids')
files.append('/proc/knark')
# ld-linuxv.so (LD_PRELOAD shared library rootkit)')
files.append('/lib/ld-linuxv.so.1')
files.append('/var/opt/_so_cache')
files.append('/var/opt/_so_cache/ld')
files.append('/var/opt/_so_cache/lc')
# Lion Worm')
files.append('/bin/in.telnetd')
files.append('/bin/mjy')
files.append('/usr/man/man1/man1/lib/.lib/mjy')
files.append('/usr/man/man1/man1/lib/.lib/in.telnetd')
files.append('/usr/man/man1/man1/lib/.lib/.x')
files.append('/dev/.lib/lib/scan/1i0n.sh')
files.append('/dev/.lib/lib/scan/hack.sh')
files.append('/dev/.lib/lib/scan/bind')
files.append('/dev/.lib/lib/scan/randb')
files.append('/dev/.lib/lib/scan/scan.sh')
files.append('/dev/.lib/lib/scan/pscan')
files.append('/dev/.lib/lib/scan/star.sh')
files.append('/dev/.lib/lib/scan/bindx.sh')
files.append('/dev/.lib/lib/scan/bindname.log')
files.append('/dev/.lib/lib/1i0n.sh')
files.append('/dev/.lib/lib/lib/netstat')
files.append('/dev/.lib/lib/lib/dev/.1addr')
files.append('/dev/.lib/lib/lib/dev/.1logz')
files.append('/dev/.lib/lib/lib/dev/.1proc')
files.append('/dev/.lib/lib/lib/dev/.1file')
# LKH-1.1')
# Lockit (a.k.a. LJK2) Rootkit')
files.append('/usr/lib/libmen.oo/.LJK2/ssh_config')
files.append('/usr/lib/libmen.oo/.LJK2/ssh_host_key')
files.append('/usr/lib/libmen.oo/.LJK2/ssh_host_key.pub')
files.append('/usr/lib/libmen.oo/.LJK2/ssh_random_seed*')
files.append('/usr/lib/libmen.oo/.LJK2/sshd_config')
files.append('/usr/lib/libmen.oo/.LJK2/backdoor/RK1bd')
files.append('/usr/lib/libmen.oo/.LJK2/backup/du')
files.append('/usr/lib/libmen.oo/.LJK2/backup/ifconfig')
files.append('/usr/lib/libmen.oo/.LJK2/backup/inetd.conf')
files.append('/usr/lib/libmen.oo/.LJK2/backup/locate')
files.append('/usr/lib/libmen.oo/.LJK2/backup/login')
files.append('/usr/lib/libmen.oo/.LJK2/backup/ls')
files.append('/usr/lib/libmen.oo/.LJK2/backup/netstat')
files.append('/usr/lib/libmen.oo/.LJK2/backup/ps')
files.append('/usr/lib/libmen.oo/.LJK2/backup/pstree')
files.append('/usr/lib/libmen.oo/.LJK2/backup/rc.sysinit')
files.append('/usr/lib/libmen.oo/.LJK2/backup/syslogd')
files.append('/usr/lib/libmen.oo/.LJK2/backup/tcpd')
files.append('/usr/lib/libmen.oo/.LJK2/backup/top')
files.append('/usr/lib/libmen.oo/.LJK2/clean/RK1sauber')
files.append('/usr/lib/libmen.oo/.LJK2/clean/RK1wted')
files.append('/usr/lib/libmen.oo/.LJK2/hack/RK1parse')
files.append('/usr/lib/libmen.oo/.LJK2/hack/RK1sniff')
files.append('/usr/lib/libmen.oo/.LJK2/hide/.RK1addr')
files.append('/usr/lib/libmen.oo/.LJK2/hide/.RK1dir')
files.append('/usr/lib/libmen.oo/.LJK2/hide/.RK1log')
files.append('/usr/lib/libmen.oo/.LJK2/hide/.RK1proc')
files.append('/usr/lib/libmen.oo/.LJK2/hide/RK1phidemod.c')
files.append('/usr/lib/libmen.oo/.LJK2/modules/README.modules')
files.append('/usr/lib/libmen.oo/.LJK2/modules/RK1hidem.c')
files.append('/usr/lib/libmen.oo/.LJK2/modules/RK1phide')
files.append('/usr/lib/libmen.oo/.LJK2/sshconfig/RK1ssh')
files.append('/usr/lib/libmen.oo/.LJK2')
# MRK (MiCrobul?) RootKit (based on Devil RootKit, also see Xzibit)')
files.append('/dev/ida/.inet/pid')
files.append('/dev/ida/.inet/ssh_host_key')
files.append('/dev/ida/.inet/ssh_random_seed')
files.append('/dev/ida/.inet/tcp.log')
files.append('/dev/ida/.inet')
files.append('/var/spool/cron/.sh')
# Mood-NT Rootkit')
# Binary is by default called "mood-nt" but can be anywhere.')
# Here we look for collaterals, from include/prefs.h defaults')
# until sig-based dirscan() is added.')
files.append('/sbin/init__mood-nt-_-_cthulhu')
files.append('/_cthulhu/mood-nt.init')
files.append('/_cthulhu/mood-nt.conf')
files.append('/_cthulhu/mood-nt.sniff')
files.append('/_cthulhu')
# Ni0 Rootkit')
files.append('/var/lock/subsys/...datafile.../...net...')
files.append('/var/lock/subsys/...datafile.../...port...')
files.append('/var/lock/subsys/...datafile.../...ps...')
files.append('/var/lock/subsys/...datafile.../...file...')
files.append('/tmp/waza')
files.append('/var/lock/subsys/...datafile...')
files.append('/usr/sbin/es')
# Ohhara Rootkit')
files.append('/var/lock/subsys/...datafile.../...datafile.../in.smbd.log')
files.append('/var/lock/subsys/...datafile...')
files.append('/var/lock/subsys/...datafile.../...datafile...')
files.append('/var/lock/subsys/...datafile.../...datafile.../bin')
files.append('/var/lock/subsys/...datafile.../...datafile.../usr/bin')
files.append('/var/lock/subsys/...datafile.../...datafile.../usr/sbin')
files.append('/var/lock/subsys/...datafile.../...datafile.../lib/security')
# Optic Kit (Tux variant) Rootkit')
files.append('/dev/tux')
files.append('/usr/bin/xchk')
files.append('/usr/bin/xsf')
files.append('/usr/bin/ssh2d')
# OSX Rootkit 0.2.1')
files.append('/dev/.rk/nc')
files.append('/dev/.rk/diepu')
files.append('/dev/.rk/backd')
files.append('/dev/.rk')
files.append('/users/LDAP-daemon')
files.append('/tmp/.work')
files.append('/Library/StartupItems/opener')
# Oz Rootkit')
files.append('/dev/.oz/.nap/rkit/terror')
files.append('/dev/.oz')
# Phalanx Rootkit')
files.append('/uNFuNF')
files.append('/etc/host.ph1')
files.append('/bin/host.ph1')
files.append('/usr/share/.home.ph1/phalanx')
files.append('/usr/share/.home.ph1/cb')
files.append('/usr/share/.home.ph1/kebab')
files.append('/usr/share/.home.ph1')
files.append('/usr/share/.home.ph1/tty')
# Phalanx2 Rootkit')
files.append('/etc/khubd.p2/.p2rc')
files.append('/etc/khubd.p2/.phalanx2')
files.append('/etc/khubd.p2/.sniff')
files.append('/etc/khubd.p2/sshgrab.py')
files.append('/etc/lolzz.p2/.p2rc')
files.append('/etc/lolzz.p2/.phalanx2')
files.append('/etc/lolzz.p2/.sniff')
files.append('/etc/lolzz.p2/sshgrab.py')
files.append('/etc/cron.d/zupzzplaceholder')
files.append('/usr/lib/zupzz.p2/.p-2.3d')
files.append('/usr/lib/zupzz.p2/.p2rc')
files.append('/etc/khubd.p2')
files.append('/etc/lolzz.p2')
files.append('/usr/lib/zupzz.p2')
# Portacelo Rootkit')
files.append('/var/lib/.../.ak')
files.append('/var/lib/.../.hk')
files.append('/var/lib/.../.rs')
files.append('/var/lib/.../.p')
files.append('/var/lib/.../getty')
files.append('/var/lib/.../lkt.o')
files.append('/var/lib/.../show')
files.append('/var/lib/.../nlkt.o')
files.append('/var/lib/.../ssshrc')
files.append('/var/lib/.../sssh_equiv')
files.append('/var/lib/.../sssh_known_hosts')
files.append('/var/lib/.../sssh_pid ~/.sssh/known_hosts')
# R3dstorm Toolkit')
files.append('/var/log/tk02/see_all')
files.append('/var/log/tk02/.scris')
files.append('/bin/.../sshd/sbin/sshd1')
files.append('/bin/.../hate/sk')
files.append('/bin/.../see_all')
files.append('/var/log/tk02')
files.append('/var/log/tk02/old')
files.append('/bin/...')
# RH-Sharpe's Rootkit')
files.append('/bin/lps')
files.append('/usr/bin/lpstree')
files.append('/usr/bin/ltop')
files.append('/usr/bin/lkillall')
files.append('/usr/bin/ldu')
files.append('/usr/bin/lnetstat')
files.append('/usr/bin/wp')
files.append('/usr/bin/shad')
files.append('/usr/bin/vadim')
files.append('/usr/bin/slice')
files.append('/usr/bin/cleaner')
files.append('/usr/include/rpcsvc/du')
# RSHA's Rootkit')
files.append('/bin/kr4p')
files.append('/usr/bin/n3tstat')
files.append('/usr/bin/chsh2')
files.append('/usr/bin/slice2')
files.append('/usr/src/linux/arch/alpha/lib/.lib/.1proc')
files.append('/etc/rc.d/arch/alpha/lib/.lib/.1addr')
files.append('/etc/rc.d/rsha')
files.append('/etc/rc.d/arch/alpha/lib/.lib')
# Shutdown Rootkit')
# The '%' character represents a space.')
files.append('/usr/man/man5/..%/.dir/scannah/asus')
files.append('/usr/man/man5/..%/.dir/see')
files.append('/usr/man/man5/..%/.dir/nscd')
files.append('/usr/man/man5/..%/.dir/alpd')
files.append('/etc/rc.d/rc.local%')
files.append('/usr/man/man5/..%/.dir')
files.append('/usr/man/man5/..%/.dir/scannah')
files.append('/etc/rc.d/rc0.d/..%/.dir')
# Scalper (FreeBSD.Scalper.Worm) Worm')
files.append('/tmp/.a')
files.append('/tmp/.uua')
# SHV4 Rootkit')
files.append('/etc/ld.so.hash')
files.append('/lib/libext-2.so.7')
files.append('/lib/lidps1.so')
files.append('/lib/libproc.a')
files.append('/lib/libproc.so.2.0.6')
files.append('/lib/ldd.so/tks')
files.append('/lib/ldd.so/tkp')
files.append('/lib/ldd.so/tksb')
files.append('/lib/security/.config/sshd')
files.append('/lib/security/.config/ssh/ssh_host_key')
files.append('/lib/security/.config/ssh/ssh_host_key.pub')
files.append('/lib/security/.config/ssh/ssh_random_seed')
files.append('/usr/include/file.h')
files.append('/usr/include/hosts.h')
files.append('/usr/include/lidps1.so')
files.append('/usr/include/log.h')
files.append('/usr/include/proc.h')
files.append('/usr/sbin/xntps')
files.append('/dev/srd0')
files.append('/lib/ldd.so')
files.append('/lib/security/.config')
files.append('/lib/security/.config/ssh')
# SHV5 Rootkit')
files.append('/etc/sh.conf')
files.append('/lib/libproc.a')
files.append('/lib/libproc.so.2.0.6')
files.append('/lib/lidps1.so')
files.append('/lib/libsh.so/bash')
files.append('/usr/include/file.h')
files.append('/usr/include/hosts.h')
files.append('/usr/include/log.h')
files.append('/usr/include/proc.h')
files.append('/lib/libsh.so/shdcf2')
files.append('/lib/libsh.so/shhk')
files.append('/lib/libsh.so/shhk.pub')
files.append('/lib/libsh.so/shrs')
files.append('/usr/lib/libsh/.bashrc')
files.append('/usr/lib/libsh/shsb')
files.append('/usr/lib/libsh/hide')
files.append('/usr/lib/libsh/.sniff/shsniff')
files.append('/usr/lib/libsh/.sniff/shp')
files.append('/dev/srd0')
files.append('/lib/libsh.so')
files.append('/usr/lib/libsh')
files.append('/usr/lib/libsh/utilz')
files.append('/usr/lib/libsh/.backup')
# Sin Rootkit')
files.append('/dev/.haos/haos1/.f/Denyed')
files.append('/dev/ttyoa')
files.append('/dev/ttyof')
files.append('/dev/ttyop')
files.append('/dev/ttyos')
files.append('/usr/lib/.lib')
files.append('/usr/lib/sn/.X')
files.append('/usr/lib/sn/.sys')
files.append('/usr/lib/ld/.X')
files.append('/usr/man/man1/...')
files.append('/usr/man/man1/.../.m')
files.append('/usr/man/man1/.../.w')
files.append('/usr/lib/sn')
files.append('/usr/lib/man1/...')
files.append('/dev/.haos')
# Slapper Worm')
files.append('/tmp/.bugtraq')
files.append('/tmp/.uubugtraq')
files.append('/tmp/.bugtraq.c')
files.append('/tmp/httpd')
files.append('/tmp/.unlock')
files.append('/tmp/update')
files.append('/tmp/.cinik')
files.append('/tmp/.b')
# Sneakin Rootkit')
files.append('/tmp/.X11-unix/.../rk')
# 'Spanish' Rootkit')
files.append('/dev/ptyq')
files.append('/bin/ad')
files.append('/bin/ava')
files.append('/bin/server')
files.append('/usr/sbin/rescue')
files.append('/usr/share/.../chrps')
files.append('/usr/share/.../chrifconfig')
files.append('/usr/share/.../netstat')
files.append('/usr/share/.../linsniffer')
files.append('/usr/share/.../charbd')
files.append('/usr/share/.../charbd2')
files.append('/usr/share/.../charbd3')
files.append('/usr/share/.../charbd4')
files.append('/usr/man/tmp/update.tgz')
files.append('/var/lib/rpm/db.rpm')
files.append('/var/cache/man/.cat')
files.append('/var/spool/lpd/remote/.lpq')
files.append('/usr/share/...')
# Suckit Rootkit')
files.append('/sbin/initsk12')
files.append('/sbin/initxrk')
files.append('/usr/bin/null')
files.append('/usr/share/locale/sk/.sk12/sk')
files.append('/etc/rc.d/rc0.d/S23kmdac')
files.append('/etc/rc.d/rc1.d/S23kmdac')
files.append('/etc/rc.d/rc2.d/S23kmdac')
files.append('/etc/rc.d/rc3.d/S23kmdac')
files.append('/etc/rc.d/rc4.d/S23kmdac')
files.append('/etc/rc.d/rc5.d/S23kmdac')
files.append('/etc/rc.d/rc6.d/S23kmdac')
files.append('/dev/sdhu0/tehdrakg')
files.append('/etc/.MG')
files.append('/usr/share/locale/sk/.sk12')
files.append('/usr/lib/perl5/site_perl/i386-linux/auto/TimeDate/.packlist')
# SunOS / NSDAP Rootkit')
files.append('/dev/pts/01/55su')
files.append('/dev/pts/01/55ps')
files.append('/dev/pts/01/55ping')
files.append('/dev/pts/01/55login')
files.append('/dev/pts/01/PATCHER_COMPLETED')
files.append('/dev/prom/sn.l')
files.append('/dev/prom/dos')
files.append('/usr/lib/vold/nsdap/.kit')
files.append('/usr/lib/vold/nsdap/defines')
files.append('/usr/lib/vold/nsdap/patcher')
files.append('/usr/lib/vold/nsdap/pg')
files.append('/usr/lib/vold/nsdap/cleaner')
files.append('/usr/lib/vold/nsdap/utime')
files.append('/usr/lib/vold/nsdap/crypt')
files.append('/usr/lib/vold/nsdap/findkit')
files.append('/usr/lib/vold/nsdap/sn2')
files.append('/usr/lib/vold/nsdap/sniffload')
files.append('/usr/lib/vold/nsdap/runsniff')
files.append('/usr/lib/lpset')
files.append('/usr/lib/lpstart')
files.append('/usr/bin/mc68000')
files.append('/usr/bin/mc68010')
files.append('/usr/bin/mc68020')
files.append('/usr/ucb/bin/ps')
files.append('/usr/bin/m68k')
files.append('/usr/bin/sun2')
files.append('/usr/bin/mc68030')
files.append('/usr/bin/mc68040')
files.append('/usr/bin/sun3')
files.append('/usr/bin/sun3x')
files.append('/usr/bin/lso')
files.append('/usr/bin/u370')
files.append('/dev/pts/01')
files.append('/dev/prom')
files.append('/usr/lib/vold/nsdap')
files.append('/.pat')
# SunOS Rootkit')
files.append('/etc/ld.so.hash')
files.append('/lib/libext-2.so.7')
files.append('/usr/bin/ssh2d')
files.append('/bin/xlogin')
files.append('/usr/lib/crth.o')
files.append('/usr/lib/crtz.o')
files.append('/sbin/login')
files.append('/lib/security/.config/sn')
files.append('/lib/security/.config/lpsched')
files.append('/dev/kmod')
files.append('/dev/dos')
# Superkit Rootkit (Suckit 1.3b-based)')
files.append('/usr/man/.sman/sk/backsh')
files.append('/usr/man/.sman/sk/izbtrag')
files.append('/usr/man/.sman/sk/sksniff')
files.append('/var/www/cgi-bin/cgiback.cgi')
files.append('/usr/man/.sman/sk')
# Telnet Backdoor')
files.append('/usr/lib/.tbd')
# TeLeKiT Rootkit')
files.append('/usr/man/man3/.../TeLeKiT/bin/sniff')
files.append('/usr/man/man3/.../TeLeKiT/bin/telnetd')
files.append('/usr/man/man3/.../TeLeKiT/bin/teleulo')
files.append('/usr/man/man3/.../cl')
files.append('/dev/ptyr')
files.append('/dev/ptyp')
files.append('/dev/ptyq')
files.append('/dev/hda06')
files.append('/usr/info/libc1.so')
files.append('/usr/man/man3/...')
files.append('/usr/man/man3/.../lsniff')
files.append('/usr/man/man3/.../TeLeKiT')
# T0rn (and misc) Rootkit')
files.append('/dev/.lib/lib/lib/t0rns')
files.append('/dev/.lib/lib/lib/du')
files.append('/dev/.lib/lib/lib/ls')
files.append('/dev/.lib/lib/lib/t0rnsb')
files.append('/dev/.lib/lib/lib/ps')
files.append('/dev/.lib/lib/lib/t0rnp')
files.append('/dev/.lib/lib/lib/find')
files.append('/dev/.lib/lib/lib/ifconfig')
files.append('/dev/.lib/lib/lib/pg')
files.append('/dev/.lib/lib/lib/ssh.tgz')
files.append('/dev/.lib/lib/lib/top')
files.append('/dev/.lib/lib/lib/sz')
files.append('/dev/.lib/lib/lib/login')
files.append('/dev/.lib/lib/lib/in.fingerd')
files.append('/dev/.lib/lib/lib/1i0n.sh')
files.append('/dev/.lib/lib/lib/pstree')
files.append('/dev/.lib/lib/lib/in.telnetd')
files.append('/dev/.lib/lib/lib/mjy')
files.append('/dev/.lib/lib/lib/sush')
files.append('/dev/.lib/lib/lib/tfn')
files.append('/dev/.lib/lib/lib/name')
files.append('/dev/.lib/lib/lib/getip.sh')
files.append('/usr/info/.torn/sh*')
files.append('/usr/src/.puta/.1addr')
files.append('/usr/src/.puta/.1file')
files.append('/usr/src/.puta/.1proc')
files.append('/usr/src/.puta/.1logz')
files.append('/usr/info/.t0rn')
files.append('/dev/.lib')
files.append('/dev/.lib/lib')
files.append('/dev/.lib/lib/lib')
files.append('/dev/.lib/lib/lib/dev')
files.append('/dev/.lib/lib/scan')
files.append('/usr/src/.puta')
files.append('/usr/man/man1/man1')
files.append('/usr/man/man1/man1/lib')
files.append('/usr/man/man1/man1/lib/.lib')
files.append('/usr/man/man1/man1/lib/.lib/.backup')
# trNkit Rootkit')
files.append('/usr/lib/libbins.la')
files.append('/usr/lib/libtcs.so')
files.append('/dev/.ttpy/ulogin.sh')
files.append('/dev/.ttpy/tcpshell.sh')
files.append('/dev/.ttpy/bupdu')
files.append('/dev/.ttpy/buloc')
files.append('/dev/.ttpy/buloc1')
files.append('/dev/.ttpy/buloc2')
files.append('/dev/.ttpy/stat')
files.append('/dev/.ttpy/backps')
files.append('/dev/.ttpy/tree')
files.append('/dev/.ttpy/topk')
files.append('/dev/.ttpy/wold')
files.append('/dev/.ttpy/whoold')
files.append('/dev/.ttpy/backdoors')
# Trojanit Kit Rootkit')
files.append('/bin/.ls')
files.append('/bin/.ps')
files.append('/bin/.netstat')
files.append('/usr/bin/.nop')
files.append('/usr/bin/.who')
# Tuxtendo (Tuxkit) Rootkit')
files.append('/lib/libproc.so.2.0.7')
files.append('/usr/bin/xchk')
files.append('/usr/bin/xsf')
files.append('/dev/tux/suidsh')
files.append('/dev/tux/.addr')
files.append('/dev/tux/.cron')
files.append('/dev/tux/.file')
files.append('/dev/tux/.log')
files.append('/dev/tux/.proc')
files.append('/dev/tux/.iface')
files.append('/dev/tux/.pw')
files.append('/dev/tux/.df')
files.append('/dev/tux/.ssh')
files.append('/dev/tux/.tux')
files.append('/dev/tux/ssh2/sshd2_config')
files.append('/dev/tux/ssh2/hostkey')
files.append('/dev/tux/ssh2/hostkey.pub')
files.append('/dev/tux/ssh2/logo')
files.append('/dev/tux/ssh2/random_seed')
files.append('/dev/tux/backup/crontab')
files.append('/dev/tux/backup/df')
files.append('/dev/tux/backup/dir')
files.append('/dev/tux/backup/find')
files.append('/dev/tux/backup/ifconfig')
files.append('/dev/tux/backup/locate')
files.append('/dev/tux/backup/netstat')
files.append('/dev/tux/backup/ps')
files.append('/dev/tux/backup/pstree')
files.append('/dev/tux/backup/syslogd')
files.append('/dev/tux/backup/tcpd')
files.append('/dev/tux/backup/top')
files.append('/dev/tux/backup/updatedb')
files.append('/dev/tux/backup/vdir')
files.append('/dev/tux')
files.append('/dev/tux/ssh2')
files.append('/dev/tux/backup')
# Universal Rootkit by K2 (URK) Release 0.9.8')
files.append('/dev/prom/sn.l')
files.append('/usr/lib/ldlibps.so')
files.append('/usr/lib/ldlibnet.so')
files.append('/dev/pts/01/uconf.inv')
files.append('/dev/pts/01/cleaner')
files.append('/dev/pts/01/bin/psniff')
files.append('/dev/pts/01/bin/du')
files.append('/dev/pts/01/bin/ls')
files.append('/dev/pts/01/bin/passwd')
files.append('/dev/pts/01/bin/ps')
files.append('/dev/pts/01/bin/psr')
files.append('/dev/pts/01/bin/su')
files.append('/dev/pts/01/bin/find')
files.append('/dev/pts/01/bin/netstat')
files.append('/dev/pts/01/bin/ping')
files.append('/dev/pts/01/bin/strings')
files.append('/dev/pts/01/bin/bash')
files.append('/usr/man/man1/xxxxxxbin/du')
files.append('/usr/man/man1/xxxxxxbin/ls')
files.append('/usr/man/man1/xxxxxxbin/passwd')
files.append('/usr/man/man1/xxxxxxbin/ps')
files.append('/usr/man/man1/xxxxxxbin/psr')
files.append('/usr/man/man1/xxxxxxbin/su')
files.append('/usr/man/man1/xxxxxxbin/find')
files.append('/usr/man/man1/xxxxxxbin/netstat')
files.append('/usr/man/man1/xxxxxxbin/ping')
files.append('/usr/man/man1/xxxxxxbin/strings')
files.append('/usr/man/man1/xxxxxxbin/bash')
files.append('/tmp/conf.inv')
files.append('/dev/prom')
files.append('/dev/pts/01')
files.append('/dev/pts/01/bin')
files.append('/usr/man/man1/xxxxxxbin')
# Also-see: /usr/lib/lpset (esniff), /var/lp/lpacct/ (files), /usr/lib/bnclp, /usr/lib/lpsys (identd),')
# Also-see: /usr/lib/lptd (backdoor?), /sbin/rc2 and /sbin/rc3 containing string "/usr/lib/lpstart",')
# Also-see: dos, psbnc, lpacct, USER, lp,')
# Also see: /etc/lpconfig vs /etc/ttyhash, uconv.inv vs urk.conf.')
# VcKit Rootkit')
files.append('/usr/include/linux/modules/lib.so')
files.append('/usr/include/linux/modules/lib.so/bin')
# Volc Rootkit')
# Omit listing system binaries that should be picked up by changed hashes.')
files.append('/usr/bin/volc')
files.append('/usr/lib/volc/backdoor/divine')
files.append('/usr/lib/volc/linsniff')
files.append('/etc/rc.d/rc1.d/S25sysconf')
files.append('/etc/rc.d/rc2.d/S25sysconf')
files.append('/etc/rc.d/rc3.d/S25sysconf')
files.append('/etc/rc.d/rc4.d/S25sysconf')
files.append('/etc/rc.d/rc5.d/S25sysconf')
files.append('/var/spool/.recent')
files.append('/var/spool/.recent/.files')
files.append('/usr/lib/volc')
files.append('/usr/lib/volc/backup')
# weaponX 0.1')
files.append('/System/Library/Extensions/WeaponX.kext')
files.append('/tmp/...')
# Xzibit Rootkit (also see MRK (MiCrobul?) RootKit)')
files.append('/dev/dsx')
files.append('/dev/caca')
files.append('/dev/ida/.inet/linsniffer')
files.append('/dev/ida/.inet/logclear')
files.append('/dev/ida/.inet/sense')
files.append('/dev/ida/.inet/sl2')
files.append('/dev/ida/.inet/sshdu')
files.append('/dev/ida/.inet/s')
files.append('/dev/ida/.inet/ssh_host_key')
files.append('/dev/ida/.inet/ssh_random_seed')
files.append('/dev/ida/.inet/sl2new.c')
files.append('/dev/ida/.inet/tcp.log')
files.append('/home/httpd/cgi-bin/becys.cgi')
files.append('/usr/local/httpd/cgi-bin/becys.cgi')
files.append('/usr/local/apache/cgi-bin/becys.cgi')
files.append('/www/httpd/cgi-bin/becys.cgi')
files.append('/www/cgi-bin/becys.cgi')
files.append('/dev/ida/.inet')
# X-Org SunOS Rootkit')
files.append('/usr/lib/libX.a/bin/tmpfl')
files.append('/usr/lib/libX.a/bin/rps')
files.append('/usr/bin/srload')
files.append('/usr/lib/libX.a/bin/sparcv7/rps')
files.append('/usr/sbin/modcheck')
files.append('/usr/lib/libX.a')
files.append('/usr/lib/libX.a/bin')
files.append('/usr/lib/libX.a/bin/sparcv7')
files.append('/usr/share/man...')
# zaRwT.KiT Rootkit')
files.append('/dev/rd/s/sendmeil')
files.append('/dev/ttyf')
files.append('/dev/ttyp')
files.append('/dev/ttyn')
files.append('/rk/tulz')
files.append('/rk')
files.append('/dev/rd/s')
# ZK Rootkit')
files.append('/usr/share/.zk/zk')
files.append('/usr/X11R6/.zk/xfs')
files.append('/usr/X11R6/.zk/echo')
files.append('/etc/1ssue.net')
files.append('/etc/sysconfig/console/load.zk')
files.append('/usr/share/.zk')
files.append('/usr/X11R6/.zk')
# Miscellaneous login backdoors')
files.append('/sbin/.login')
files.append('/bin/.login')
# Suspicious directories')
files.append('/usr/X11R6/bin/.,/copy')
files.append('/dev/rd/cdb')
# Known bad Linux kernel modules')
bad_kernel_modules = []
bad_kernel_modules.append('adore.o')
bad_kernel_modules.append('bkit-adore.o')
bad_kernel_modules.append('cleaner.o')
bad_kernel_modules.append('flkm.o')
bad_kernel_modules.append('knark.o')
bad_kernel_modules.append('modhide.o')
bad_kernel_modules.append('mod_klgr.o')
bad_kernel_modules.append('phide_mod.o')
bad_kernel_modules.append('vlogger.o')
bad_kernel_modules.append('p2.ko')
bad_kernel_modules.append('rpldev.o')
bad_kernel_modules.append('xC.o')
bad_kernel_modules.append('rpldev.o')
bad_kernel_modules.append('strings.o')
bad_kernel_modules.append('wkmr26.ko')
bad_kernel_modules.append('backd00r')
bad_kernel_modules.append('backdoor')
bad_kernel_modules.append('darkside')
bad_kernel_modules.append('nekit')
bad_kernel_modules.append('rpldev')
bad_kernel_modules.append('rpldev_mod')
bad_kernel_modules.append('spapem_core')
bad_kernel_modules.append('spapem_genr00t')
for file in files:
targs = (file, )
tm.startFunction( target=self._thread_read, args=targs, ownerObj=self )
tm.join( self )
kernel_modules = self.exec_payload('list_kernel_modules')
for module in bad_kernel_modules:
if module in kernel_modules:
self.result['bad_kernel_modules'].append(module)
return self.result
def _discover_worker(self, to_walk):
'''
This method will run discovery plugins in a loop until no new knowledge
(ie fuzzable requests) is found.
TODO: unit-test this method
@return: A list with the found fuzzable requests.
'''
om.out.debug('Called _discover_worker()' )
result = []
while to_walk:
# Progress stuff, do this inside the while loop, because the to_walk
# variable changes in each loop
amount_of_tests = len(self._w3af_core.plugins.plugins['discovery']) * len(to_walk)
self._w3af_core.progress.set_total_amount(amount_of_tests)
plugins_to_remove_list = []
fuzz_reqs = {}
for plugin in self._w3af_core.plugins.plugins['discovery']:
# Login is needed,
self._auth_login()
for fr in to_walk:
# Should I continue with the discovery phase? If not, return
# what I know for now and forget about all the remaining work
if self._should_stop_discovery(): return result
# Status reporting
status = self._w3af_core.status
status.set_running_plugin(plugin.getName())
status.set_current_fuzzable_request(fr)
try:
try:
# Perform the actual work
plugin_result = plugin.discover_wrapper(fr)
finally:
tm.join(plugin)
except KeyboardInterrupt:
om.out.information('The user interrupted the discovery phase, '
'continuing with audit.')
return result
except w3afException,e:
om.out.error(str(e))
except w3afRunOnce:
# Some plugins are meant to be run only once
# that is implemented by raising a w3afRunOnce
# exception
plugins_to_remove_list.append(plugin)
except Exception, e:
# Smart error handling, much better than just crashing.
# Doing this here and not with something similar to:
# sys.excepthook = handle_crash because we want to handle
# plugin exceptions in this way, and not framework
# exceptions
exec_info = sys.exc_info()
enabled_plugins = pprint_plugins(self._w3af_core)
exception_handler.handle( self._w3af_core.status, e ,
exec_info, enabled_plugins )
else:
# We don't trust plugins, i'll only work if this
# is a list or something else that is iterable
lst = fuzz_reqs.setdefault(plugin.getName(), [])
if hasattr(plugin_result, '__iter__'):
lst.extend(fr for fr in plugin_result)
# Finished one loop, inc!
self._w3af_core.progress.inc()
def getInboundPort( self, desiredProtocol='TCP' ):
'''
Performs the process
'''
if not self._forceReRun:
# Try to return the data from the kb !
remoteId = self._getRemoteId()
savedResults = kb.kb.getData('extrusionScanner', 'extrusions')
if remoteId in savedResults:
om.out.information('Reusing previous result from the knowledgeBase:' )
om.out.information('- Selecting port "'+ str(savedResults[ remoteId ]) + '" for inbound connections from the compromised server to w3af.' )
return savedResults[ remoteId ]
om.out.information('Please wait some seconds while w3af performs an extrusion scan.')
es = extrusionServer( self._tcpPortList, self._udpPortList )
if not es.canSniff():
raise w3afException( 'The user running w3af can\'t sniff on the specified interface. Hints: Are you root? Does this interface exist?' )
else:
# I can sniff, it makes sense to send the extrusion client
interpreter, remoteFilename = self._sendExtrusionClient()
tm.startFunction( target=es.sniffAndAnalyze, args=(), ownerObj=self, restrict=False )
# Let the sniffer start !
time.sleep(1)
self._execExtrusionClient( interpreter, remoteFilename )
tm.join( self )
res = es.getResult()
om.out.information('Finished extrusion scan.')
if res:
host = res[0][0]
om.out.information('The remote host: "' + host + '" can connect to w3af with these ports:')
port = None
portList = []
for x in res:
if x[0] == host:
port = x[1]
protocol = x[2]
om.out.information('- '+ str(port) + '/' + protocol )
portList.append( (port, protocol) )
localPorts = []
for port, protocol in portList:
if self.isAvailable( port, protocol ):
localPorts.append( (port, protocol) )
if not localPorts:
raise w3afException('All the inbound ports are in use.')
else:
om.out.information('The following ports are not bound to a local process and can be used by w3af:')
for lp, proto in localPorts:
om.out.information('- ' + str(lp) + '/' + proto )
# Selecting the highest port
if desiredProtocol.upper() == proto.upper():
port = lp
om.out.information('Selecting port "'+ str(port) + '/'+ proto +'" for inbound connections from the compromised server to w3af.' )
if not self._forceReRun:
om.out.debug('Saving information in the kb.')
savedResults = kb.kb.getData('extrusionScanner', 'extrusions' )
if savedResults:
savedResults[ remoteId ] = port
else:
savedResults = {}
savedResults[ remoteId ] = port
kb.kb.save('extrusionScanner', 'extrusions', savedResults )
return port
else:
raise w3afException( 'No inbound ports have been found. Maybe the extrusion scan failed ?' )