- Interesting use of debugfs.
- Finds that shutdown account was removed by intruder.
- Well done identification of intrusion method.
- Well done identifiation of intruder attack points.
- Did not do file checksum analysis or strings analysis of the
rootkit files, and does not find the rootkit config files.
- Recovers deleted messages file with debugfs and dd.
- Misses that /usr/man/.Ci/chmod-it has been executed.
- Misses the sshd password logging feature.
- Partial origin info for /usr/man/.Ci files.
- Finds sniffer, but misses sshd password logger (although
he does find the logfile). Also misses sshd universal password.
- Describes origins of /usr/man/.Ci files, but does not spot mix
of multiple rootkit versions.
- Builds summary timeline, but makes no comparison with clean
- Summary OK, but does not mention whether user data was
- Advisory discusses the vulnerability, not impact of specific
break-in, or how to detect that a system was compromised.
- Readability is OK.
- No checksum/strings/diassembly analysis,
so he misses the rootkit config files as well as the
sshd password logging feature, as well as any backdoors
in newly installed software.
- Good description of technique used; shows that debugfs
is a powerful program.
- Potentialy more explanation on how/what debugfs is used
for and what it tells us. Missed some of the technical
issues, such as encryption used in bot, /var/tmp/nap.
- Excellent readability, summary great overall review.
Extremelly well organized.
- Uses an interesting technique of using a shell script to check
MD5 checksums of partition images before mounting them, and to set
shell variables for later use. If generalized a bit more, this would
be a good front end for automating some steps in the forensic analysis
and reporting process.
- Also used "debugfs", alone and combined with "dd", for accessing
i-node information and contents, including recovery of deleted files.
Since "debugfs" is specific to Linux, this technique may not
generalize well to other flavors of Unix.
- Did the best job of identifying source locations for many of the
programs installed by the intruder. He also identified the rpc.statd
exploit from the IDS logged information by identifying the RPC service
number in the packet.