david

• Had trouble reading their evidence.txt/html file.

• Did not recover the rootkit install script.

• Detected the missing shutdown account.

• Found sshd universal passwd.

• Found sshd password logging.

• Do recover a variety of files from free space.

• Do recover sysadmin netcat command from swap.

• Indentification of attack method was OK, files/Q1_intrusion_method.txt has deleted logging and exploit source code from the web, CERT advisory, Red Hat advisory.

• Indentification of attacking sites OK, files/Q2_intruder.txt has the attacker IP addresses, nslookup and whois info

• The analysis of files installed by the intruder (files/Q3_file_analysis.txt) is OK. No decompilation, but they find the rootkit config file names for hiding processes etc, files that differ with generic RedHat 6.2, files that do not exist with generic RedHat 6.2, missing files.

• A single-pass analysis was done, so presentation is chaotic.

• The advisory does not mention whether user files were affected.

• In the advisory, "detection" references to generic CERT/CC document rather than mentioning key signatures, and "prevention" does not mention specific patch files.

• The evidence file is hard to read, even in HTML.

• The evidence document is terrible, and some other documents also have infinitely long lines.

• Had they done a second pass over the evidence, their observations would be more solid. Technically they do a decent job, but the presentation is terrible.

• They use standard Unix tools, or don't explain tool use.

• They did a unique thing in producing an HTML version of the evidence file (with timeline implicit in timestamp ordering). This allows you to drill down to file contents as you go, but is an unwieldy format that makes printing nearly impossible (or at least impractical). It would have been better to use this simply as a tool for analysis and not try to use for explanation.

• They point out hypotheses as they go, but in many cases leave the questions unanswered, or do not think through them fully.

• Love the use of chkroot and building another box for comparison!

• Nice attempt on analyzing 172.16.1.x systems, but did not realize these are RFC 1918.
• Difficult to read, as a great deal of data is in the evidence.txt file, but hard to obtain the analysis, even with .html file.