brian
- Interesting use of debugfs.
- Finds that shutdown account was removed by intruder.
- Well done identification of intrusion method.
- Well done identification of intruder attack points.
- Did not do file checksum analysis or strings analysis of the
rootkit files, and does not find the rootkit config files.
- Recovers deleted messages file with debugfs and dd.
- Misses that /usr/man/.Ci/chmod-it has been executed.
- Misses the sshd password logging feature.
- Partial origin info for /usr/man/.Ci files.
- Finds sniffer, but misses sshd password logger (although
he does find the logfile). Also misses sshd universal password.
- Describes origins of /usr/man/.Ci files, but does not spot mix
of multiple rootkit versions.
- Builds summary timeline, but makes no comparison with clean
system.
- Summary OK, but does not mention whether user data was
exposed.
- Advisory discusses the vulnerability, not impact of specific
break-in, or how to detect that a system was compromised.
- Readability is OK.
- No checksum/strings/disassembly analysis,
so he misses the rootkit config files as well as the
sshd password logging feature, as well as any backdoors
in newly installed software.
- Good description of technique used; shows that debugfs
is a powerful program.
- Potentially more explanation on how/what debugfs is used
for and what it tells us. Missed some of the technical
issues, such as encryption used in bot, /var/tmp/nap.
- Excellent readability; summary great, overall review
excellent. Extremely well organized.
- Uses an interesting technique of using a shell script to check
MD5 checksums of partition images before mounting them, and to set
shell variables for later use. If generalized a bit more, this would
be a good front end for automating some steps in the forensic analysis
and reporting process.
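Added example, not the submission's own script: one way to generalize the front end described above. It verifies each partition image against a manifest of expected MD5 sums (md5sum format) before anything touches it, exports a shell variable per verified image for later steps, and only then mounts the image read-only with noexec/nodev/nosuid. The directory names, variable naming scheme and DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the submission's own code): verify partition images
# against a manifest of expected MD5 checksums before mounting them.
# Assumptions: images live in $IMAGE_DIR; manifest lines are in md5sum
# format ("<md5>  <file>"); mount points go under $MOUNT_ROOT. With
# DRY_RUN=1 (the default) the mount command is only printed.

IMAGE_DIR="${IMAGE_DIR:-./images}"
MOUNT_ROOT="${MOUNT_ROOT:-/mnt/evidence}"
DRY_RUN="${DRY_RUN:-1}"   # set to 0 to really mount (needs root)

# md5_of FILE -> prints the MD5 hex digest of FILE
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_image FILE EXPECTED_MD5 -> 0 if the digest matches, 1 otherwise.
# A mismatch means the image is not the one that was acquired, so it must
# not be used for analysis (and certainly not mounted).
verify_image() {
    actual=$(md5_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "MISMATCH: $1 expected $2 got $actual" >&2
    return 1
}

# mount_ro IMAGE MOUNTPOINT -> mounts a verified image read-only through a
# loop device. noexec/nodev/nosuid keep intruder binaries and device nodes
# inside the image from being usable on the analysis host.
mount_ro() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "mount -o ro,loop,noexec,nodev,nosuid $1 $2"
    else
        mkdir -p "$2" && mount -o ro,loop,noexec,nodev,nosuid "$1" "$2"
    fi
}

# check_manifest MANIFEST -> verifies every image listed. For each image
# that matches, exports IMG_<name> (non-alphanumerics replaced by '_')
# holding its path for later steps, then mounts it. Returns the number of
# mismatching images, so 0 means every image checked out.
check_manifest() {
    bad=0
    while read -r sum name; do
        [ -z "$sum" ] && continue
        path="$IMAGE_DIR/$name"
        if verify_image "$path" "$sum"; then
            var="IMG_$(echo "$name" | tr -c 'A-Za-z0-9\n' '_')"
            export "$var=$path"
            mount_ro "$path" "$MOUNT_ROOT/${name%.*}"
        else
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# Usage: IMAGE_DIR=/evidence DRY_RUN=0 sh verify_images.sh manifest.md5
[ $# -eq 1 ] && check_manifest "$1"
```

The manifest itself should be produced at acquisition time (`md5sum *.dd > manifest.md5` on the acquisition host) and kept with the chain-of-custody notes, so that a later re-check compares against the hashes taken before the images ever reached the analysis machine.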
- Also used "debugfs", alone and combined with "dd", for accessing
i-node information and contents, including recovery of deleted files.
Since "debugfs" is specific to Linux, this technique may not
generalize well to other flavors of Unix.
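Added example, not part of the submission: the "debugfs combined with dd" technique made explicit. `debugfs -R "stat <N>" image.dd` prints the inode's block map as a BLOCKS line such as `(0-11):1537-1548, (IND):1549, (12-267):1550-1805`; the function below turns such a line into the dd commands that copy those blocks out of the raw image, skipping the indirect-pointer entries, and a wrapper drives debugfs and dumpe2fs to do the whole recovery. The BLOCKS line in the test is constructed, the 4-byte block image is constructed, and the exact debugfs output layout is stated from memory (debugfs's own `dump <N> file` command does the same copy in one step; this version just shows what it is doing).

```shell
#!/bin/sh
# Added example (not the submission's code): recover an inode's data blocks
# from a raw ext2/ext3 image using the block map that debugfs reports.
# Assumptions: e2fsprogs (debugfs, dumpe2fs) is installed for recover_inode;
# blocks_to_dd itself only needs sh and dd. debugfs opens the image
# read-only unless -w is given, so the evidence image is never modified.

# blocks_to_dd IMAGE BLOCKSIZE OUT "BLOCKS-LINE"
# Input line format (as printed by "debugfs -R 'stat <N>'" under BLOCKS:):
#   (0-11):1537-1548, (IND):1549, (12-267):1550-1805
# Each "(logical):physical" entry becomes one dd command that appends the
# physical block range to OUT. Entries tagged IND/DIND/TIND are indirect
# pointer blocks, not file content, so they are skipped.
blocks_to_dd() {
    image=$1; bs=$2; out=$3; line=$4
    echo "$line" | tr ',' '\n' | while read -r entry; do
        [ -z "$entry" ] && continue
        tag=${entry%%:*}          # e.g. "(0-11)" or "(IND)"
        range=${entry#*:}         # e.g. "1537-1548" or "1549"
        case $tag in *IND*) continue ;; esac
        start=${range%%-*}
        end=${range#*-}           # equals start when there is no dash
        count=$((end - start + 1))
        printf '%s\n' "dd if=$image bs=$bs skip=$start count=$count 2>/dev/null >> $out"
    done
}

# recover_inode IMAGE INODE OUT
# Reads the block size from the superblock, the block map and recorded
# size from the inode, copies the data blocks with dd, then trims the
# padding in the final block down to the recorded size.
recover_inode() {
    image=$1; ino=$2; out=$3
    bs=$(dumpe2fs -h "$image" 2>/dev/null | sed -n 's/^Block size: *//p')
    stat=$(debugfs -R "stat <$ino>" "$image" 2>/dev/null)
    blocks=$(printf '%s\n' "$stat" | sed -n '/^BLOCKS:/,/^TOTAL:/p' \
             | sed '1d;$d' | tr -d '\n')
    size=$(printf '%s\n' "$stat" | sed -n 's/^.*Size: *\([0-9]*\).*/\1/p' | head -n 1)
    : > "$out"
    blocks_to_dd "$image" "$bs" "$out" "$blocks" | sh
    head -c "$size" "$out" > "$out.tmp" && mv "$out.tmp" "$out"
}

# Usage: sh recover.sh honeypot.hda5.dd 12 recovered_messages
[ $# -eq 3 ] && recover_inode "$1" "$2" "$3"
```

For a deleted file the inode is found first with `debugfs -R lsdel image.dd`; its block map only survives until the blocks are reallocated, which is why recovery is done from the image rather than the live system. On newer extent-based ext4 filesystems debugfs prints an `EXTENTS:` section in the same `(logical):physical` notation, so the conversion applies there too.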
- Did the best job of identifying source locations for many of the
programs installed by the intruder. He also identified the rpc.statd
exploit from the IDS logged information by identifying the RPC service
number in the packet.