Threats Detected

Linux Threats Detected

Sandfly Security is proud to be part of the Vodafone Xone Accelerator Program.

Sandfly hunts for the common and uncommon threats against Linux.

Sandfly focuses on the building blocks that make an attack work, not on static signatures. Instead of getting on a hamster wheel of constantly outdated signature updates, Sandfly hunts for specific indicators of compromise that are common across attacks and never go out of date.

Hunting for Linux Threats

Sandfly Has a Large and Growing List of Threats it can Detect

Modular Intrusion Detection

Sandfly is an agentless Linux security bot constantly looking for threats. When threats are found on Linux hosts, Sandfly becomes an expert forensic investigator providing specific information on what is happening. 

The modular approach we use means that more sandfly bots are being added all the time to enhance our detection net. Sandfly is designed to look for these and many more threats on your Linux hosts without the need to load agents. 

We currently have over 500 security and incident response modules designed specifically for Linux and the list grows each day.

Below are two lists: the first gives an overview of the Linux compromise and intrusion categories Sandfly can detect; the second, larger list is a snapshot of the specific threats Sandfly detects.

1: Overview of Linux compromise & intrusion threats detected

  • Loadable Kernel Module stealth rootkit detection
  • Standard rootkit detection
  • Cryptocurrency and cryptominer detection
  • Hidden and suspicious directories
  • Hidden and suspicious processes
  • Processes performing suspicious network activity
  • Process masquerading
  • File masquerading and hiding
  • Poisoned system commands
  • Cloaked data from stealth rootkits
  • Tampered system start-up scripts
  • Encrypted and suspicious executable files
  • Unusual system binaries
  • Suspicious users and permissions
  • Hidden executables
  • System shells being used or concealed in suspicious ways
  • Reverse bindshell exploits
  • Standard bindshell exploits
  • Tampered audit records
  • Destroyed audit records
  • User anti-forensic activity
  • Process anti-forensic activity
  • Cloaked backdoors
  • Privilege escalation backdoors
  • Malware persistence mechanisms
  • SSH keys being misused or orphaned
  • Suspicious user login and logout activities
  • Suspicious cron job and other scheduled tasks
  • Linux malware and Advanced Persistent Threat activity
  • Distributed Denial of Service (DDoS) agents
  • Hundreds of others!

2: Partial list of Linux compromise & intrusion threats detected

Directory

Sandfly_dirs_hidden_bin
Looks for hidden directories in /bin, /sbin, /usr/bin, and /usr/sbin.

Sandfly_dirs_hidden_dev
Looks for hidden directories in the /dev directory.

Sandfly_dirs_hidden_dev_shm
Looks for hidden directories in the /dev/shm directory.

Sandfly_dirs_hidden_lib
Looks for hidden directories in /lib, /var/lib, etc.

Sandfly_dirs_hidden_suspicious_bin
Looks for hidden directory names that are extremely suspicious under /bin directories.

Sandfly_dirs_hidden_suspicious_dev
Looks for hidden directory names that are extremely suspicious under /dev directories.

Sandfly_dirs_hidden_suspicious_etc
Looks for hidden directory names that are extremely suspicious under /etc directories.

Sandfly_dirs_hidden_suspicious_lib
Looks for hidden directory names that are extremely suspicious under /lib directories.

Sandfly_dirs_hidden_suspicious_root
Looks for hidden directory names that are extremely suspicious under the / top-level directory.

Sandfly_dirs_hidden_suspicious_run
Looks for hidden directory names that are extremely suspicious under /run and /var/run directories.

Sandfly_dirs_hidden_suspicious_system
Looks for hidden directory names that are extremely suspicious under /boot, /sys, and /lost+found directories.

Sandfly_dirs_hidden_suspicious_tmp
Looks for hidden directory names that are extremely suspicious under /tmp directories.

Sandfly_dirs_hidden_suspicious_user_home_dir
Looks for hidden directory names that are extremely suspicious under a user’s home directory.

Sandfly_dirs_hidden_suspicious_usr_games
Looks for hidden directory names that are extremely suspicious under /usr/games and /usr/share/games directories.

Sandfly_dirs_hidden_suspicious_usr_include
Looks for hidden directory names that are extremely suspicious under /usr/include.

Sandfly_dirs_hidden_suspicious_usr_local
Looks for hidden directory names that are extremely suspicious under /usr/local directories.

Sandfly_dirs_hidden_suspicious_usr_share
Looks for hidden directory names that are extremely suspicious under /usr/share directories.

Sandfly_dirs_hidden_suspicious_var
Looks for hidden directory names that are extremely suspicious under /var directories.

Sandfly_dirs_hidden_system
Looks for hidden directories in various system directories (/boot, /lost+found).

Sandfly_dirs_hidden_usr_games
Looks for hidden directories under /usr/games or /usr/share/games.

Sandfly_dirs_hidden_usr_share_man
Looks for hidden directories under /usr/share/man.

Sandfly_dirs_link_count_wrong_bin
Looks for an inconsistent link count for bin directories. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

Sandfly_dirs_link_count_wrong_dev
Looks for an inconsistent link count for dev directories. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

Sandfly_dirs_link_count_wrong_etc
Looks for an inconsistent link count for /etc. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

Sandfly_dirs_link_count_wrong_lib
Looks for an inconsistent link count for top level system lib directories. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

Sandfly_dirs_link_count_wrong_root
Looks for an inconsistent link count for the top level / directory. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

Sandfly_dirs_link_count_wrong_system
Looks for an inconsistent link count for top level system directories. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

Sandfly_dirs_link_count_wrong_usr
Looks for an inconsistent link count for the top level /usr directory. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

Sandfly_dirs_link_count_wrong_usr_games
Looks for an inconsistent link count for /usr/games, /usr/share/games. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

Sandfly_dirs_link_count_wrong_usr_local
Looks for an inconsistent link count for /usr/local. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

Sandfly_dirs_link_count_wrong_usr_share
Looks for an inconsistent link count for /usr/share. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

Sandfly_dirs_link_count_wrong_var
Looks for an inconsistent link count for the top level /var directory. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

Process

Sandfly_process_backdoor_bindshell_generic
Looks for system shells operating as a reverse or standard bindshell backdoor.

Sandfly_process_backdoor_bindshell_netcat
Looks for netcat running as a reverse or standard bindshell backdoor on the system.

Sandfly_process_backdoor_bindshell_perl
Looks for perl scripts running as a reverse or standard bindshell backdoor on the system.

Sandfly_process_backdoor_bindshell_php
Looks for php scripts running as a reverse or standard bindshell backdoor on the system.

Sandfly_process_backdoor_bindshell_python
Looks for python scripts running as a reverse or standard bindshell backdoor on the system.

Sandfly_process_backdoor_bindshell_ruby
Looks for ruby scripts running as a reverse or standard bindshell backdoor on the system.

Sandfly_process_backdoor_bindshell_telnet
Looks for telnet running as a reverse or standard bindshell backdoor on the system.

Sandfly_process_deleted_listening_network_port
Looks for any process that is running with a listening network port, but has been deleted from the disk.

Sandfly_process_deleted_listening_raw_socket
Looks for any process that is running with a raw socket, but has been deleted from the disk.

Sandfly_process_deleted_outbound_network_port
Looks for any process that is running with a connected outbound port, but has been deleted from the disk.

Sandfly_process_deleted_running
Looks for processes that are running, but the executable has been deleted from the disk.

Sandfly_process_history_anti_forensics
Checks any running process for signs that history file anti-forensics are in use.

Sandfly_process_listening_network_port_running_from_dev_dir
Looks for processes listening on a network port running out of dev directories.

Sandfly_process_listening_network_port_running_from_proc_dir
Looks for processes listening on a network port running out of the /proc directory.

Sandfly_process_listening_network_port_running_from_tmp_dir
Looks for processes listening on a network port running out of tmp directories.

Sandfly_process_masquerade_any
Looks for any process that is identical to another running process but has a different name.

Sandfly_process_masquerade_mixed_case
Looks for any process that is using mixed case in the name to masquerade as another process.

Sandfly_process_masquerade_netcat
Looks for a process that is really netcat, but is masquerading under a different name.

Sandfly_process_masquerade_shell
Looks for a process that is really a shell, but is masquerading under a different name.

Sandfly_process_masquerade_socat
Looks for a process that is really socat, but is masquerading under a different name.

Sandfly_process_masquerade_strace
Looks for a process that is really strace, but is masquerading under a different name.

Sandfly_process_masquerade_tcpdump
Looks for a process that is really tcpdump, but is masquerading under a different name.

Sandfly_process_module_hidden
Looks for loadable kernel modules that are hiding from view by a stealth rootkit.

Sandfly_process_pcap_file_open
Looks for processes running with a pcap packet capture file open on the disk operating as a sniffer.

Sandfly_process_persistence_at_job_malicious
Looks for scheduled at jobs that are suspicious or malicious.

Sandfly_process_persistence_cron_malicious
Looks for scheduled cron tasks that are suspicious or malicious.

Sandfly_process_running_dot_hidden
Looks for running processes that are named like a Unix hidden file (e.g. a name starting with a period).

Sandfly_process_running_from_dev_dir
Looks for processes that are running out of /dev.

Sandfly_process_running_from_hidden_bin_dir
Looks for processes that are running out of a hidden directory under a system binary directory.

Sandfly_process_running_from_hidden_dev_dir
Looks for processes that are running out of a hidden directory under the /dev directory.

Sandfly_process_running_from_hidden_etc_dir
Looks for processes that are running out of a hidden directory under the /etc directory.

Sandfly_process_running_from_hidden_lib_dir
Looks for processes that are running out of a hidden directory under a system library directory.

Sandfly_process_running_from_hidden_root_dir
Looks for processes that are running out of a hidden directory under the root (/) level directory.

Sandfly_process_running_from_hidden_run_dir
Looks for processes that are running out of a hidden directory under the /run directory.

Sandfly_process_running_from_hidden_system_dir
Looks for processes that are running out of a hidden directory under a system directory such as /boot, /lost+found or /sys.

Sandfly_process_running_from_hidden_tmp_dir
Looks for processes that are running out of a hidden directory under a system temp directory.

Sandfly_process_running_from_hidden_usr_dir
Looks for processes that are running out of a hidden directory under the /usr directory.

Sandfly_process_running_from_hidden_var_dir
Looks for processes that are running out of a hidden directory under the /var directory.

Sandfly_process_running_from_proc_dir
Looks for processes that are running out of /proc.

Sandfly_process_running_from_root_homedir
Looks for processes that are running out of the root user’s home directory.

Sandfly_process_running_from_suspicious_dir
Looks for processes that are running from a suspiciously named directory.

Sandfly_process_running_from_system_dir
Looks for processes that are running out of /boot, /sys and /lost+found directories.

Sandfly_process_running_from_tmp_dir
Looks for processes that are running out of /tmp directories.

Sandfly_process_running_single_char
Looks for processes that are named as just one character which is commonly done with malware.

Sandfly_process_script_perl_in_dev_dir
Looks for perl scripts running out of dev directories.

Sandfly_process_script_perl_in_tmp_dir
Looks for perl scripts running out of tmp directories.

Sandfly_process_script_php_in_dev_dir
Looks for php scripts running out of dev directories.

Sandfly_process_script_php_in_tmp_dir
Looks for php scripts running out of tmp directories.

Sandfly_process_script_python_in_dev_dir
Looks for python scripts running out of dev directories.

Sandfly_process_script_python_in_tmp_dir
Looks for python scripts running out of tmp directories.

Sandfly_process_shell_history_anti_forensics
Checks running shell processes for signs that history file anti-forensics are in use.

Sandfly_process_strace_running
Looks for the strace command running on the remote host for an extended period.

Sandfly_process_strace_ssh_keylogger
Looks for the strace command being used as a keylogger against SSH.

Sandfly_process_suspicious_whitespace_as_name
Looks for processes whose name consists only of whitespace. This can conceal a malicious process name as one that looks legitimate.

Sandfly_process_suspicious_whitespace_in_name
Looks for processes with a whitespace at the beginning or end of a name. This can conceal a malicious process name as one that looks legitimate.

User

Sandfly_user_history_dev_null
Looks to see if the user’s history is linked to /dev/null which will conceal command history.

Sandfly_user_history_file_for_inactive_user
Looks for inactive accounts with a valid shell history file in their home directories indicating a login has happened.

Sandfly_user_homedir_dev_null
Checks if a user’s home directory is /dev/null which sometimes is done by attackers to conceal activity.

Sandfly_user_list_root_users_not_root
Lists root UID 0 users that are not named root which is done to hide superuser accounts.

Sandfly_user_no_password
Looks for any user with no password set.

Sandfly_user_scripts_history_anti_forensics
Checks user login and logout scripts for anti-forensic tactics to prevent logging their command history.

Sandfly_user_scripts_login_malicious
Checks user login scripts for malicious commands that can compromise the system.

Sandfly_user_ssh_authorized_keys_inactive_user
Looks for inactive accounts with valid ssh login keys in their home directory.

File

Sandfly_file_bin_false_shell
Looks to see if a system shell has been renamed to /bin/false to hide the fact that an account can login.

Sandfly_file_binary_encrypted_in_cron_dir
Looks for an encrypted or packed binary in system cron directories.

Sandfly_file_binary_encrypted_in_dev_dir
Looks for an encrypted or packed binary in system dev directories.

Sandfly_file_binary_encrypted_in_etc_dir
Looks for an encrypted or packed binary in system etc directories.

Sandfly_file_binary_encrypted_in_run_dir
Looks for an encrypted or packed binary in system run directories.

Sandfly_file_binary_encrypted_in_system_dir
Looks for an encrypted or packed binary in system /boot, /lost+found, and similar directories.

Sandfly_file_binary_encrypted_in_tmp_dir
Looks for an encrypted or packed binary in system temp directories.

Sandfly_file_binary_hidden_in_bin_dir
Looks for executable files hidden in system binary directories.

Sandfly_file_binary_hidden_in_dev_dir
Looks for executable files hidden in system /dev directory.

Sandfly_file_binary_hidden_in_etc_dir
Looks for executable files hidden in the /etc directory.

Sandfly_file_binary_hidden_in_lib_dir
Looks for executable files hidden in system lib directories.

Sandfly_file_binary_hidden_in_root_dir
Looks for executable files hidden in the top level directory.

Sandfly_file_binary_hidden_in_run_dir
Looks for executable files hidden in system /run directory.

Sandfly_file_binary_hidden_in_tmp_dir
Looks for executable files hidden in system temp directories.

Sandfly_file_binary_in_cron_dir
Looks for executable files in system cron directories.

Sandfly_file_binary_in_dev_dir
Looks for executable files in system /dev directory.

Sandfly_file_binary_in_etc_dir
Looks for executable files in system /etc directory.

Sandfly_file_binary_in_run_dir
Looks for executable files in system run directories.

Sandfly_file_binary_in_tmp_dir
Looks for executable files in system temp directories.

Sandfly_file_binary_masquerade_type_mismatch_in_dev_dir
Looks for Linux executables named as a common non-executable extension to masquerade their presence in a system device directory.

Sandfly_file_binary_masquerade_type_mismatch_in_etc_dir
Looks for Linux executables named as a common non-executable extension to masquerade their presence in the /etc directory.

Sandfly_file_binary_masquerade_type_mismatch_in_lib_dir
Looks for Linux executables named as a common non-executable extension to masquerade their presence in a system library directory.

Sandfly_file_binary_masquerade_type_mismatch_in_root_dir
Looks for Linux executables named as a common non-executable extension to masquerade their presence in the top level root directory.

Sandfly_file_binary_masquerade_type_mismatch_in_run_dir
Looks for Linux executables named as a common non-executable extension to masquerade their presence in the /run directory.

Sandfly_file_binary_masquerade_type_mismatch_in_system_dir
Looks for Linux executables named as a common non-executable extension to masquerade their presence in the /boot or /lost+found directories.

Sandfly_file_binary_masquerade_type_mismatch_in_tmp_dir
Looks for Linux executables named as a common non-executable extension to masquerade their presence in a system temp directory.

Sandfly_file_binary_system_in_dev_dir
Looks to see if a system binary is in /dev where it shouldn’t be.

Sandfly_file_binary_system_in_etc_dir
Looks to see if a system binary is in /etc where it shouldn’t be.

Sandfly_file_binary_system_in_root_dir
Looks to see if a system binary is in the top level directory where it shouldn’t be.

Sandfly_file_binary_system_in_run_dir
Looks to see if a system binary is in /run or /var/run where it shouldn’t be.

Sandfly_file_binary_system_in_system_dir
Looks to see if a system binary is in a system dir like /boot, /lost+found, and similar where it shouldn’t be.

Sandfly_file_binary_system_in_tmp_dir
Looks to see if a system binary is in /tmp where it shouldn’t be.

Sandfly_file_binary_system_in_usr_games_dir
Looks to see if a system binary is in /usr/games or /usr/share/games where it shouldn’t be.

Sandfly_file_binary_system_in_usr_share_man_dir
Looks to see if a system binary is in /usr/share/man where it shouldn’t be.

Sandfly_file_binary_system_in_var_dir
Looks to see if a system binary is in /var where it shouldn’t be.

Sandfly_file_binary_system_link_in_dev_dir
Looks to see if a system binary is linked from dev directories.

Sandfly_file_binary_system_link_in_tmp_dir
Looks to see if a system binary is linked from temp directories.

Sandfly_file_binary_system_poisoned
Looks for system commands that have been poisoned to run malicious code when executed.

Sandfly_file_binary_system_renamed_hidden
Looks to see if a system binary has been renamed to a hidden file that still resides in system bin directories.

Sandfly_file_modules_size_mismatch
Looks for loadable kernel module config files that are being altered by a stealth rootkit to hide entries.

Sandfly_file_pcap_in_bin_dir
Looks for packet capture pcap files in the system binary directories.

Sandfly_file_pcap_in_cron_dir
Looks for packet capture pcap files in the system cron directories.

Sandfly_file_pcap_in_dev_dir
Looks for packet capture pcap files in the /dev directory.

Sandfly_file_pcap_in_etc_dir
Looks for packet capture pcap files in the system /etc directory.

Sandfly_file_pcap_in_lib_dir
Looks for packet capture pcap files in the system library directories.

Sandfly_file_pcap_in_root_dir
Looks for packet capture pcap files in the top-level system root directory.

Sandfly_file_pcap_in_run_dir
Looks for packet capture pcap files in the system run directories.

Sandfly_file_pcap_in_tmp_dir
Looks for packet capture pcap files in the system temp directories.

Sandfly_file_pcap_in_var_dir
Looks for packet capture pcap files in the system /var directories.

Sandfly_file_rootkit_generic
Looks for a variety of common Linux rootkit files and directories present on a system.

Sandfly_file_sbin_nologin_shell
Looks to see if a system shell has been renamed to /sbin/nologin or /usr/sbin/nologin to hide the fact that an account can login.

Sandfly_file_shell_renamed_bin_dir
Looks to see if a system shell has been renamed to something else and put in the system binary directories.

Sandfly_file_startup_script_cloaked
Looks for common start-up scripts that have cloaked entries from a stealth rootkit.

Sandfly_file_suid_root_binary_in_dev_dir
Looks to see if a SUID root binary is present in /dev directories.

Sandfly_file_suid_root_binary_in_etc_dir
Looks to see if a SUID root binary is present in /etc directories.

Sandfly_file_suid_root_binary_in_run_dir
Looks to see if a SUID root binary is present in /run directories.

Sandfly_file_suid_root_binary_in_system_dir
Looks to see if a SUID root binary is present in /boot, /sys and /lost+found.

Sandfly_file_suid_root_binary_in_tmp_dir
Looks to see if a SUID root binary is present in /tmp directories.

Sandfly_file_suid_root_binary_in_usr_games_dir
Looks to see if a SUID root binary is present in /usr/games or /usr/share/games directories.

Sandfly_file_suid_root_binary_in_usr_share_dir
Looks to see if a SUID root binary is present in /usr/share directories.

Sandfly_file_suid_root_binary_in_usr_share_man_dir
Looks to see if a SUID root binary is present in /usr/share/man directories.

Sandfly_file_suid_sgid_editor
Looks to see if a common system editor like vi or nano is set SUID or SGID for any user to enable privilege escalation.

Sandfly_file_suid_sgid_shell
Looks to see if a common system shell has been set SUID or SGID to any user.

Sandfly_file_suspicious_named_pipe_in_bin_dir
Looks for suspicious named pipe device files under system binary directories. This is common with some kinds of backdoors.

Sandfly_file_suspicious_named_pipe_in_dev_dir
Looks for suspicious named pipe device files under /dev directories. This is common with some kinds of backdoors.

Sandfly_file_suspicious_named_pipe_in_etc_dir
Looks for suspicious named pipe device files under /etc directories. This is common with some kinds of backdoors.

Sandfly_file_suspicious_named_pipe_in_lib_dir
Looks for suspicious named pipe device files under system library directories. This is common with some kinds of backdoors.

Sandfly_file_suspicious_named_pipe_in_run_dir
Looks for suspicious named pipe device files under /run directories. This is common with some kinds of backdoors.

Sandfly_file_suspicious_named_pipe_in_system_dir
Looks for suspicious named pipe device files in the system directories /boot, /sys and /lost+found. This is common with some kinds of backdoors.

Sandfly_file_suspicious_named_pipe_in_tmp_dir
Looks for suspicious named pipe device files in /tmp. This is common with some kinds of backdoors.

Sandfly_file_suspicious_run_pid_binary
Looks for process PID files that are really binary executable files in disguise.

Sandfly_file_suspicious_run_pid_encrypted
Looks for process PID files that appear to be encrypted data and not process information.

Sandfly_file_suspicious_run_pid_not_integer
Looks for process PID files that contain more than just a standard integer value.

Sandfly_file_suspicious_run_pid_too_big
Looks for process PID files that are too big to contain only running process data.

Incident

Sandfly_dirs_hidden_suspicious_anywhere
Looks for hidden directory names that are extremely suspicious anywhere on the file system.

Sandfly_dirs_link_count_wrong_anywhere
Looks for an inconsistent link count anywhere on the file system. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

Sandfly_file_binary_encrypted_anywhere
Looks for an encrypted or packed binary anywhere on the file system.

Sandfly_file_binary_hidden_anywhere
Looks for executable files hidden anywhere on the file system.

Sandfly_file_binary_masquerade_type_mismatch_anywhere
Looks for Linux executables named as a common non-executable extension to masquerade their presence anywhere on the file system.

Sandfly_file_masquerade_type_mismatch_anywhere
Looks for common files masquerading as one type when they are really another type anywhere on the file system.

Sandfly_file_pcap_anywhere
Looks for packet capture pcap files anywhere on the file system.

Sandfly_file_pcap_hidden_anywhere
Looks for hidden packet capture pcap files anywhere on the file system.

Sandfly_file_shell_renamed_anywhere
Looks to see if a system shell has been renamed to something else and put anywhere on the file system.

Sandfly_file_suid_sgid_binary_anywhere
This sandfly looks for all binaries on the disk that are SUID or SGID to any user.

Sandfly_file_suid_sgid_root_binary_anywhere
This sandfly looks for all SUID or SGID root binaries on the disk.

Sandfly_os_identify
This sandfly returns remote OS version information.

Sandfly_process_listening_raw_socket
Looks for any process that is running with a raw socket listening. This could be a backdoor or other malicious program.

Sandfly_process_listening_raw_socket_icmp
This sandfly looks for any process that is running with raw sockets listening for ICMP packets. This could be a sniffer or backdoor.

Sandfly_process_listening_raw_socket_tcp
This sandfly looks for any process that is running with raw sockets listening for TCP packets. This could be a sniffer or backdoor.

Sandfly_process_listening_raw_socket_udp
This sandfly looks for any process that is running with raw sockets listening for UDP packets. This could be a sniffer or backdoor.

Sandfly_process_listening_raw_socket_unknown_protocol
This sandfly looks for any process that is running with raw sockets listening for unknown protocols. This could be a sniffer or backdoor.

Sandfly_process_running_from_hidden_dir_anywhere
Looks for processes that are running out of a hidden directory anywhere in their path.

Log

Sandfly_log_tampering_btmp_zeroed_record
Looks for evidence that user entries were zeroed out from the btmp file to hide login activity.

Sandfly_log_tampering_dropper_in_tmp_dir
Looks for log cleaning dropper files left behind in /tmp.

Sandfly_log_tampering_lastlog_wtmp_missing_record
Compares lastlog entries against wtmp entries to see if any have been removed to conceal login activity.

Sandfly_log_tampering_mig
Looks for signs the MIG logcleaning tool has been run on the host.

Sandfly_log_tampering_sloppy
Looks for sloppy log tampering such as deleting system logs and replacing with files 0 bytes long.

Sandfly_log_tampering_utmp_zeroed_record
Looks for evidence that user entries were zeroed out from the utmp file to hide login activity.

Sandfly_log_tampering_wtmp_lastlog_zero_size
Looks to see if the system wtmp and lastlog audit records have been erased and made zero bytes long.

Sandfly_log_tampering_wtmp_utmp_lastlog_missing
Looks to see if the system wtmp, utmp, and lastlog files are missing. Deleting these files disables login accounting on the system to hide activity.

Sandfly_log_tampering_wtmp_zeroed_record
Looks for evidence that user entries were zeroed out from the wtmp file to hide login activity.

An Expanding Detection Net

Sandfly is constantly looking for anything that is suspicious on your Linux hosts. With new sandflies being added all the time, Sandfly is able to provide a thorough detection net for your computers without the hassle of agents or piles of false alarms.