mig/examples/actions/sshd_backdoor.json


{
"name": "Verify SSHD signature against Backdoor:Linux/SSHDoor.A",
"description": {
"author": "Julien Vehent",
"email": "jvehent@mozilla.com",
"url": "http://blog.sucuri.net/2013/02/linux-based-sshd-rootkit-floating-the-interwebs.html",
"revision": 201402071130
},
"target": "linux",
"threat": {
"level": "alert",
"family": "backdoor"
},
"operations": [
{
"module": "filechecker",
"parameters": {
"/usr/sbin/": {
"sha256": {
"look for backdoored sshd in entire sbin directory": [
"ebfd9354ed83635ed38bd117b375903f9984a18780ef86dbf7a642fc6584271c"
]
}
}
}
}
],
"syntaxversion": 1
}