addam

• Includes motives with intruder identification.

• Recovers passwd & shadow files, deleted messages file.

• Methodical search for of strings, symbols.

• Does not detect the missing shutdown account.

• Does not recognize different rootkit versions.

• Identified rootkit, but no analysis of programs and does not recognize different rootkit versions.

• The summary is a bit on the technical side. The text does not state whether other local systems were affected or whether user information was affected (files/passwords).

• The advisory:
  • The "Signs of Intrusion" section gives very little useful information, other than the presence of the /usr/man/.Ci files.
  • Killing inetd is not part of the attack signature. The "exit status 1" warnings are not related to inetd itself, but to inetd child processes.
  • Quoting from a deleted logfile is not very useful.
  • The "impact" section does not go beyond the initial statd exploit; no mention of sniffer/password collection tools.
• Misses a few things, but he does a good effort with his systematic analsys of strings, pathnames, symbols.

• Extremelly easy to read and understand. Excellent use of whitespace.

• Potentially more indepth technical analysis (such as eggdrop using encryption).

• Identified the rootkit as originating from a comp.os.linux.security newsgroup posting, dubbed the "OZ rootkit"
• The compilation path found by "strings" ("/dev/.oz/.nap/rkit/terror") matches that described in the newgroup posting. This associates the strings "oz" and "nap". "nap" also shows up in paths, or withing embedded strings, of many files found on apollo. This strongly suggests he is correct that this is an OZ rootkit installation.

• The use of the RPM database to show the times that several packages were replaced/installed by the intruder yields a lot of useful information.

• Thinks the BIND programs may be backdoors, but doesn't show anything to substantiate that.

• His condensed system timeline is very nice. This is especially important for law enforcement purposes in providing background on evidence that would show probable cause for search warrants and court orders. (Peter also does something similar, with a little more detail per item.)