- This investigation shows a lot of good generic technique.
Searches the file system in a very systematic manner,
looking for passwd-like data, name=value environment
information, dumping lastlog file, directory-only listing,
- Decompiled backdoored identd.
- Fakelib, for running binaries in controlled environment.
- MD5 checks of installed files.
- Difference of ssh source against original, autoconfiged and
- Good analysis.
- Recoginized different rootkits mixed.
- Excellent timeline.
- Excellent management report.
- Advisory includes good summary of events, excellent signature of how
to detect compromise, hints and tips, and references. Even includes
missing shutdown command.
- Analysis is excellent. Does not have dcat, but figures it all out,
and even gets process environment and lost logging from swap.
- Excellent demo of how to recover lost information
with strings/grep from swap and raw disk. Fine demo
of how to run a DDOS tool in a shared lib sandbox.
- Outstanding readability, giving 2 bonus points!
Very easy to read, excellent format to learn from.
- Notes that the rootkit elements actually come from different
Linux Rootkit distributions (4 and 5).
- Identifies the version of "named" to be one relased immediately
after a CERT advisory about a BIND vulnerability, and postulates that
the binary was created by email@example.com as a result of a
compromise of that system. (Could this person have actually created
this version as a result of intrusions himself? Thomas did not know
about the OZ rootkit, as identified by Addam
Schroll and Andy Polyakov, which may support
the latter conclusion.)
- Found some very interesting things in swap space by searching for
environment strings. This includes instances of processes run from
the account "adm1", including "/bin/su", "/usr/local/sbin/sshd", and
"/usr/sbin/named". He also found a copy of Lance's shell running
"nc" to copy the images off-system while the system was running! (Good
- Used a clever shell "for" loop to recover all non-zero deleted
i-nodes, and examined them. He found the source distribution for the
sshd installed by the intruder, and through difference analysis
found the same backdoor and logging features I had found. He even
confirmed the backdoor password that was found in /usr/tmp/nap.
Strings compiled into the sshd ("/dev/.oz/.nap/rkit/terror") show it,
too, is part of the OZ rootkit.
- Did the best job of showing adjusted times in his timeline
to match what was stated to be the reference time in CST. (This would
aid tremendously when comparing this incident with other related
- Did a very thorough job of providing second sources of
evidence to support theories, e.g., the use of "su" to become
the "drosen" user.
- Very impressive use of fake system calls in a shared
object library (fake.so) to analyze the output of a DoS attack tool.
This has some very interesting possibilities that I hadn't thought of
before for analyzing DoS and DDoS programs! (Mua-ha-ha-ha!! ;)