thd(1)

CyberSoft VFind Security Toolkit

thd(1)

NAME

thd - Trojan Horse Detector

SYNOPSIS

thd

[-c, --copyright] [-h, -?, --help] [-v, --version]

thd

[-a alarmfile, --alarmfile alarmfile] [-i ignorefile, --ignorefile ignorefile] [-id, --ignore-dotfiles] [-nr, --no-report]

DESCRIPTION

CyberSoft, Inc.'s Trojan Horse Detector is part of the VFind Security ToolKit. thd is used to detect trojan horse files. It does this by analyzing the basenames (i.e., file names not including any directory part) of full path names that it reads from standard input. It's general enough to be used for many other system analysis/administration purposes as well.

thd reads a list of file names (one per line) from its standard input and generates a report to standard output that lists all files with identical basenames.

If an alarmfile is provided, it should be a text file with file names (one per line) to watch for (e.g., 'ls'). Files with the same basename as one listed in the alarmfile will be listed in the report.

If an ignorefile is provided, it should be a text file with basenames to ignore when checking for duplicate file names (e.g., 'README').

OPTIONS

-c, --copyright

Display copyright information and then exit. All other options will be ignored.

-h, -?, --help

Display usage message and then exit. All other options will be ignored.

-v, --version

Display version information and then exit. All other options will be ignored.

-a alarmfile, --alarmfile alarmfile

Tells thd to read filenames from alarmfile. Alarmfile is a text file that contains filenames (one per line) that will be included in the report when found on the system.

-i ignorefile, --ignorefile ignorefile

Tells thd to read filenames from ignorefile. Ignorefile is a text file that contains filenames (one per line) that will be ignored when duplicates are found on the filesystem. These files will not appear in the report.

-id, --ignore-dotfiles

Ignore all files beginning with a '.' and do not report them as duplicates.

-nr, --no-report

Do not generate a report.

USAGE

INPUT

thd takes input from stdin. We suggest that you use the UNIX find(1) command to feed a list of files to thd.

Example:

  find / -type f -print | \
    thd --ignore-dotfiles -a myalarms -i myignores

OUTPUT

thd's output is very uniform. It will be in this form:

(alarm | dup):<set_number>:<instance_number>:<filename>

The numbers start at 0. An example output, assuming the use of an alarms file containing 'sendmail', might be as follows:

    dup:0:0:/bin/ls
    dup:0:1:/usr/bin/ls
    dup:1:0:/bin/cat
    dup:1:1:/usr/bin/cat
    alarm:0:0:/home/foo/sendmail
    alarm:0:1:/home/bar/sendmail

The above example shows that two suspect files were found, as indicated by the 'alarm' lines. Also note that two sets of two files each with the same basename were discovered in two different directories as indicated by the 'dup' lines. The regularity of this output makes it suitable for input to other programs.

FILES

thd.srt, thd.tmp

SEE ALSO

vfind(1), cit(1), bhead(1), jdis(1), uad(1), find(1).

BUGS

Please report all bugs to support@cyber.com. Make sure to include the version of thd, the platform and OS, the script or command used, the complete output showing the bug, a short description of the problem, and contact information.

COPYRIGHT

© 1996-2002 by CyberSoft, Inc. All rights reserved.