- Includes motives with intruder identification.
- Recovers passwd & shadow files, deleted messages file.
- Methodical search for strings, symbols.
- Does not detect the missing shutdown account.
- Does not recognize different rootkit versions.
- Identified rootkit, but no analysis of programs and does not
recognize different rootkit versions.
- The summary is a bit on the technical side. The text does not state
whether other local systems were affected or whether user information
was affected (files/passwords).
- The advisory:
- The "Signs of Intrusion" section gives very little useful
information, other than the presence of the /usr/man/.Ci
- Killing inetd is not part of the attack signature. The
"exit status 1" warnings are not related to inetd itself,
but to inetd child processes.
- Quoting from a deleted logfile is not very useful.
- The "impact" section does not go beyond the initial statd
exploit; no mention of sniffer/password collection tools.
- Misses a few things, but he does a good effort
with his systematic analysis of strings, pathnames, symbols.
- Extremely easy to read and understand. Excellent use of
- Potentially more in-depth technical analysis (such as eggdrop using
- Identified the rootkit as originating from a comp.os.linux.security
newsgroup posting, dubbed the "OZ rootkit"
- The compilation path found by "strings"
("/dev/.oz/.nap/rkit/terror") matches that described in the newsgroup
posting. This associates the strings "oz" and "nap". "nap" also
shows up in paths, or within embedded strings, of many files found on
apollo. This strongly suggests he is correct that this is an OZ
- The use of the RPM database to show the times that several
packages were replaced/installed by the intruder yields a lot
of useful information.
- Thinks the BIND programs may be backdoors, but doesn't show
anything to substantiate that.
- His condensed system timeline is very nice. This is especially
important for law enforcement purposes in providing background on
evidence that would show probable cause for search warrants and court
orders. (Peter also does something similar,
with a little more detail per item.)
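The RPM install-time technique noted above (packages replaced or installed by the intruder showing up through their recorded install times), as an added example that is not from any submission or from the judges: it parses constructed output of `rpm -qa --qf '%{INSTALLTIME} %{NAME}-%{VERSION}-%{RELEASE}\n'` and lists the packages whose install time falls after a suspected compromise time as a condensed timeline. The timestamps, package names and compromise time are invented for the example.

```python
from datetime import datetime, timezone

# Constructed sample of `rpm -qa --qf '%{INSTALLTIME} %{NAME}-%{VERSION}-%{RELEASE}\n'`
# output. Epoch seconds and package names are made up for this example.
SAMPLE_RPM_OUTPUT = """\
968212800 bash-2.04-3
968212800 net-tools-1.56-1
984123456 bind-8.2.3-1
984124321 bind-utils-8.2.3-1
968212800 xinetd-2.1.8-1
"""

# Assumed (constructed) time of the initial statd exploit, in UTC.
COMPROMISE_TIME = datetime(2001, 3, 1, tzinfo=timezone.utc)


def parse_rpm_install_times(text):
    """Return (install_time_utc, package) tuples, oldest first."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        epoch, name = line.split(None, 1)
        entries.append((datetime.fromtimestamp(int(epoch), tz=timezone.utc), name))
    entries.sort()  # ties on time fall back to package name, so output is stable
    return entries


def packages_after(entries, compromise_time):
    """Packages recorded as installed at or after the suspected compromise.

    A reinstalled package gets a fresh INSTALLTIME, so a system-base package
    (shell, network tools, daemons) with a timestamp later than the rest of the
    install is a candidate for something the intruder replaced.
    """
    return [(ts, name) for ts, name in entries if ts >= compromise_time]


def condensed_timeline(entries):
    """One 'YYYY-MM-DD HH:MM:SS  package' line per entry."""
    return [f"{ts:%Y-%m-%d %H:%M:%S}  {name}" for ts, name in entries]


if __name__ == "__main__":
    entries = parse_rpm_install_times(SAMPLE_RPM_OUTPUT)
    for line in condensed_timeline(packages_after(entries, COMPROMISE_TIME)):
        print(line)
```

INSTALLTIME is read from the RPM database, which a root-level intruder can edit or rebuild, so these entries are leads to corroborate against file MAC times and the other evidence, not proof on their own.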