david
- Had trouble reading their evidence.txt/html file.
- Did not recover the rootkit install script.
- Detected the missing shutdown account.
- Found sshd universal passwd.
- Found sshd password logging.
- Do recover a variety of files from free space.
- Do recover sysadmin netcat command from swap.
- Identification of attack method was OK,
files/Q1_intrusion_method.txt has deleted logging and exploit source
code from the web, CERT advisory, Red Hat advisory.
- Identification of attacking sites OK, files/Q2_intruder.txt has
the attacker IP addresses, nslookup and whois info.
- The analysis of files installed by the intruder
(files/Q3_file_analysis.txt) is OK. No decompilation, but
they find the rootkit config file names for hiding processes
etc, files that differ with generic RedHat 6.2, files that
do not exist with generic RedHat 6.2, missing files.
- A single-pass analysis was done, so presentation is chaotic.
- The advisory does not mention whether user files were affected.
- In the advisory, "detection" refers to a generic CERT/CC
document rather than mentioning key signatures, and "prevention"
does not mention specific patch files.
- The evidence file is hard to read, even in HTML.
- The evidence document is terrible, and some other documents
also have infinitely long lines.
- Had they done a second pass over the evidence, their
observations would be more solid. Technically they
do a decent job, but the presentation is terrible.
- They use standard Unix tools, or don't explain tool use.
- They did a unique thing in producing an HTML version of the
evidence file (with timeline implicit in timestamp ordering).
This allows you to drill down to file contents as you go, but is
an unwieldy format that makes printing nearly impossible (or at least
impractical). It would have been better to use this simply as a tool
for analysis and not try to use it for explanation.
- They point out hypotheses as they go, but in many cases leave
the questions unanswered, or do not think through them fully.
- Love the use of chkroot and building another box for
comparison!
- Nice attempt on analyzing 172.16.1.x systems, but did
not realize these are RFC 1918.
- Difficult to read, as a great deal of data is in the
evidence.txt file, but hard to obtain the analysis,
even with .html file.