VFind Security Toolkit                     CyberSoft, Inc.                     October 2000
NAME
       thd - Trojan Horse Detector
SYNOPSIS
       thd [ -c, --copyright ] [ -h, -?, --help ] [ -v, --version ]

       thd [ -a alarmfile, --alarmfile alarmfile ]
           [ -i ignorefile, --ignorefile ignorefile ]
           [ -id, --ignore-dotfiles ] [ -nr, --no-report ]
DESCRIPTION
       CyberSoft, Inc.'s Trojan Horse Detector is part of the VFind Security
       ToolKit.  Thd is used to detect trojan horse files, for example a
       program planted under the name of a legitimate command in a directory
       where no such command belongs.  It works on the basenames (i.e., file
       names not including any directory part) of the full path names it
       reads from standard input, one per line, and generates a report on
       standard output listing every set of files that share a basename.  It
       is general enough to be used for many other system analysis and
       administration purposes as well.

       If an alarmfile is provided, it should be a text file with basenames
       (one per line) to watch for (e.g., 'ls').  Any file whose basename
       matches an entry in the alarmfile is listed in the report, whether or
       not another file with that basename exists.  If an ignorefile is
       provided, it should be a text file with basenames (one per line) to
       ignore when checking for duplicate file names (e.g., 'README'), so
       that names which are legitimately duplicated across the system do not
       clutter the report.
OPTIONS
       -c, --copyright
              Display copyright information and then exit.  All other
              options are ignored.

       -h, -?, --help
              Display the usage message and then exit.  All other options
              are ignored.  (Quote -? on the command line, or the shell may
              treat it as a file name pattern.)

       -v, --version
              Display version information and then exit.  All other options
              are ignored.

       -a alarmfile, --alarmfile alarmfile
              Read basenames from alarmfile, a text file containing one file
              name per line.  Every file found on the system whose basename
              matches an entry is included in the report.

       -i ignorefile, --ignorefile ignorefile
              Read basenames from ignorefile, a text file containing one
              file name per line.  Duplicates of these names are not
              reported; they never appear in the report.

       -id, --ignore-dotfiles
              Ignore all files whose basename begins with a '.' and do not
              report them as duplicates.

       -nr, --no-report
              Do not generate a report.
INPUT
       Thd takes its input from stdin, one full path name per line.  We
       suggest that you use the UNIX find(1) command to feed a list of files
       to thd.

       Example:

              find / -type f -print | thd --ignore-dotfiles -a myalarms -i myignores

       Because the input is split on newlines, a file whose name contains a
       newline character is read as two separate names; such names are rare
       but are worth hunting for separately.  Run find(1) with enough
       privilege to read every directory of interest: a directory it cannot
       read is reported on stderr and its contents are absent from the list
       thd sees.
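       The following is an added example, not thd's own source or any
       CyberSoft code: a small Python 3 reimplementation of the grouping the
       manual describes, so the effect of the alarm file, the ignore file and
       --ignore-dotfiles can be seen on a constructed list of path names.
       The sample paths, the load_names helper and the rule that a name
       which is both an alarm and a duplicate is reported only as an alarm
       are assumptions of this example; the manual does not say which takes
       precedence.

```python
#!/usr/bin/env python3
"""Reimplementation (added example, not CyberSoft's thd source) of the
basename-grouping logic the thd manual describes.  Report lines follow the
documented form  (alarm | dup):<set>:<member>:<pathname>."""
import argparse
import os
import sys


def load_names(path):
    """Read one basename per line from an alarm or ignore file (blank lines skipped)."""
    with open(path) as fh:
        return {line.strip() for line in fh if line.strip()}


def thd_report(paths, alarms=frozenset(), ignores=frozenset(), ignore_dotfiles=False):
    """Group full path names by basename and return the report lines.

    paths:           iterable of full path names (the stdin lines of the real tool)
    alarms:          basenames always reported, even when only one copy exists
    ignores:         basenames never reported as duplicates
    ignore_dotfiles: drop names beginning with '.' before grouping
    Assumption: a name that is both an alarm and a duplicate is reported
    once, as an alarm; the manual does not state which takes precedence.
    """
    groups = {}        # basename -> [pathname, ...] in input order (dicts keep order)
    for raw in paths:
        p = raw.rstrip("\n")
        if not p:
            continue
        base = os.path.basename(p)
        if ignore_dotfiles and base.startswith("."):
            continue
        groups.setdefault(base, []).append(p)

    dup_lines, alarm_lines = [], []
    dup_no = alarm_no = 0
    for base, members in groups.items():
        if base in alarms:
            alarm_lines += [f"alarm:{alarm_no}:{i}:{p}" for i, p in enumerate(members)]
            alarm_no += 1
        elif len(members) > 1 and base not in ignores:
            dup_lines += [f"dup:{dup_no}:{i}:{p}" for i, p in enumerate(members)]
            dup_no += 1
    # dup sets first, then alarm sets, matching the manual's sample output
    return dup_lines + alarm_lines


# Constructed sample input standing in for `find / -type f -print`.
SAMPLE_PATHS = [
    "/bin/ls", "/usr/bin/ls", "/bin/cat", "/usr/bin/cat",
    "/home/foo/sendmail", "/home/bar/sendmail",
    "/etc/README", "/usr/share/doc/README",
    "/home/foo/.profile", "/home/bar/.profile",
]


def main(argv=None):
    ap = argparse.ArgumentParser(description="thd-style duplicate basename report")
    ap.add_argument("-a", "--alarmfile")
    ap.add_argument("-i", "--ignorefile")
    ap.add_argument("--ignore-dotfiles", action="store_true")
    args = ap.parse_args(argv)
    alarms = load_names(args.alarmfile) if args.alarmfile else frozenset()
    ignores = load_names(args.ignorefile) if args.ignorefile else frozenset()
    # Read path names from a pipe when given one; otherwise use the sample.
    paths = sys.stdin if not sys.stdin.isatty() else SAMPLE_PATHS
    for line in thd_report(paths, alarms, ignores, args.ignore_dotfiles):
        print(line)


if __name__ == "__main__":
    main()
```

       With an alarm file containing 'sendmail', an ignore file containing
       'README' and --ignore-dotfiles, the sample paths produce exactly the
       six lines shown under OUTPUT below; without --ignore-dotfiles the two
       .profile files appear as a third dup set.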
OUTPUT
       Thd's output is very uniform.  Each line has the form:

              (alarm | dup):<set>:<member>:<pathname>

       where <set> numbers the group of files sharing one basename, <member>
       numbers the files within that group, and <pathname> is the full path
       name as read from the input.  The numbers start at 0.  An example
       output, assuming the use of an alarms file containing 'sendmail',
       might be as follows:
              dup:0:0:/bin/ls
              dup:0:1:/usr/bin/ls
              dup:1:0:/bin/cat
              dup:1:1:/usr/bin/cat
              alarm:0:0:/home/foo/sendmail
              alarm:0:1:/home/bar/sendmail
       The above example shows that two suspect files were found, as
       indicated by the 'alarm' lines.  Also note that two sets of two files
       each, with the same basename in two different directories, were
       discovered, as indicated by the 'dup' lines.  The regularity of this
       output makes it suitable for input to other programs.
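       As an added example of consuming that output (not part of the manual
       and not CyberSoft code), the Python 3 script below parses and
       validates the records and triages them: every alarm member is flagged,
       and a dup member is flagged when its directory is not in a list of
       trusted directories, which is where a trojaned copy of a system
       command would turn up.  The sample report (the manual's example plus
       one constructed 'ps' set), the DEFAULT_TRUSTED list and the function
       names are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Added example (not part of the thd manual or CyberSoft's code): a
consumer for thd's report.  It parses and validates the
  (alarm | dup):<set>:<member>:<pathname>
records and triages them: every alarm member is flagged, and a dup member
is flagged when it sits outside a caller-supplied list of trusted
directories (e.g. a copy of ls under a home directory)."""
import os
import re
import sys

RECORD = re.compile(r"^(alarm|dup):(\d+):(\d+):(.+)$")

# Constructed sample report: the manual's example plus one extra dup set.
SAMPLE_REPORT = [
    "dup:0:0:/bin/ls", "dup:0:1:/usr/bin/ls",
    "dup:1:0:/bin/cat", "dup:1:1:/usr/bin/cat",
    "dup:2:0:/bin/ps", "dup:2:1:/home/foo/bin/ps",
    "alarm:0:0:/home/foo/sendmail", "alarm:0:1:/home/bar/sendmail",
]

# Assumed defaults; a real deployment lists every directory that legitimately
# holds duplicate command names on that system.
DEFAULT_TRUSTED = ["/bin", "/usr/bin", "/sbin", "/usr/sbin"]


def parse_report(lines):
    """Return a dict mapping (kind, set_no) -> [pathname, ...], in report order.

    Raises ValueError on a malformed line or a non-contiguous member index,
    so a truncated or corrupted report is caught instead of silently
    yielding a shorter list of findings.
    """
    groups = {}
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line:
            continue
        m = RECORD.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a thd record: {line!r}")
        kind, set_no, member_no, path = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
        members = groups.setdefault((kind, set_no), [])
        if member_no != len(members):
            raise ValueError(f"line {lineno}: expected member {len(members)}, got {member_no}")
        members.append(path)
    return groups


def triage(groups, trusted_dirs):
    """Return the pathnames worth a closer look, in report order."""
    trusted = {os.path.normpath(d) for d in trusted_dirs}
    flagged = []
    for (kind, _), members in groups.items():
        for path in members:
            if kind == "alarm" or os.path.dirname(path) not in trusted:
                flagged.append(path)
    return flagged


def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    trusted = argv or DEFAULT_TRUSTED          # trusted directories from the command line
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_REPORT
    for path in triage(parse_report(lines), trusted):
        print(path)


if __name__ == "__main__":
    main()
```

       Typical use is to append it to the pipeline from INPUT, for example
       "... | thd -a myalarms | python3 thd_triage.py /bin /usr/bin", naming
       the directories that are allowed to hold duplicate command names.
       On the sample report it prints /home/foo/bin/ps and the two sendmail
       files, and leaves the /bin versus /usr/bin pairs alone.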
FILES
       thd.srt, thd.tmp
SEE ALSO
       vfind(1), cit(1), bhead(1), jdis(1), uad(1), find(1).
BUGS
       Please report all bugs to support@cyber.com.  Make sure to include
       the version of thd, the platform and OS, the script or command used,
       the complete output showing the bug, a short description of the
       problem, and contact information.
COPYRIGHT
       Copyright 1996-2000 by CyberSoft, Inc.  All rights reserved.