andy

• Notes the downgrade of packages from RH 6.2 to 6.0 levels, including an explanation of why in.telnetd is on the system.

• Identifies the string "root@zagnut.goobe.net:/dev/.oz/src/bin/named" in the /usr/local/sbin/named binary.

• Determined the in.identd trojan would not work.

• Makes the (incorrect) assertion that "drosen" may have been installed by the intruder, but does not provide evidence to support this theory.

• Excellent use of rpm, very igenious!

• Missed alot by not recovering deleted files (such as eggdrop).

• Use of i-node data would have allowed a better reconstruction of the step by step progression of the blackhat.