andy
- Notes the downgrade of packages from RH 6.2 to 6.0 levels,
including an explanation of why in.telnetd is on the system.
- Identifies the string "root@zagnut.goobe.net:/dev/.oz/src/bin/named"
in the /usr/local/sbin/named binary.
- Determined the in.identd trojan would not work.
- Makes the (incorrect) assertion that "drosen" may have been
installed by the intruder, but does not provide evidence to support
this theory.
- Excellent use of rpm, very ingenious!
- Missed a lot by not recovering deleted files (such
as eggdrop).
- Use of i-node data would have allowed a better reconstruction of
the step by step progression of the blackhat.