mig/actions/linux-backdoor.json

{
    "name": "Linux backdoor, found on compromised host in 2014",
    "description": {
        "author": "Julien Vehent",
        "email": "julien@linuxwall.info",
        "revision": 201409031800
    },
    "target": "queueloc like 'linux.%'",
    "threat": {
        "level": "alert",
        "type": "system",
        "family": "backdoor"
    },
    "operations": [
        {
            "module": "file",
            "parameters": {
                "searches": {
                    "backdoors": {
                        "paths": [
                            "/usr/bin/*",
                            "/usr/sbin/*",
                            "/bin/*",
                            "/sbin/*",
                            "/opt/*",
                            "/tmp/*"
                        ],
                        "sha2": [
                            "adbee847c12c73605ff657e668c8096df138f824eb542027a10c0b5c07619c8d",
                            "7c9816b5f1b840eb8c5ecfc0fed29972877ca5bd909469d03f26d3b8f837043d",
                            "3efee976d6565edd1492aa1047ffa10be6025de18206f6c68f91dd218801778f",
                            "4735f97b31ddb8a1bbc61e8d66b4dbc08d8092142d8ae7564f9058e0a20bbbb6",
                            "89a400077d74d1d76103180f41f40de6bcfffc89de461f497eef2ea763a68d73",
                            "adbee847c12c73605ff657e668c8096df138f824eb542027a10c0b5c07619c8d",
                            "939cc74b5343bde1a17dfa270f8e6dc719a4bc6b3143f4581b401c81fd9a110d",
                            "89b68f8ea6a32d525fbf491878980180ffa395b042ea3104b11da229bade71db",
                            "39823089fa324ceba00d5939d2e7b308fec28ee0f16c6caa4739a53ad6ecee64",
                            "72a44f3e7c4d9c9b72b1bda77d687346447d8e398983965b8e690eeeadebdc76",
                            "dbe7fc18667cd75317d494ed3b32cfe3cd077c870d015dc18b406a4a39747f55",
                            "903c13171c7467271fd79244ad8281ded9f51e3cf27c3399b42a175c53806a99",
                            "81dac9c6dc5e4ed615d496aea74fddc85925b00a6a54ddcbb90603c1469ce04c",
                            "fd702be65b1d3abed4c0197854c0c777a2bb50632932e1e389129b19b14a1e69",
                            "72589dd25b491ed53670bc7d04f4874075fc7d16361fc295c31fc86118d84cbd",
                            "6114624bf5d7e29f738f939bcc2bc794de9bf377a571fe1e84ae9159794308cf",
                            "467f34eee9d133653467a60ab0fe938d7c26918465a2ac938d2ffc6f2525b1ff",
                            "1e2699ff1f9238c58390c1ada53f4f21032ca5e0946bfb54a5a144452e6efc82",
                            "286c39ec3d8e4f15f353dca350ca7575e0269dba808206f3ce8d1a3ea142b353",
                            "fc48883e129225dc8fc9e340a495fbd834c97f5ff7fa70ab6089ec216a465328",
                            "5cba4433237e2ff202a5b20aad00a12d25bfc5564c3620a9463767eec2150cc1"
                        ]
                    }
                }
            }
        }
    ],
    "syntaxversion": 2
}