roessler

• This investigation shows a lot of good generic technique. Searches the file system in a very systematic manner, looking for passwd-like data, name=value environment information, dumping lastlog file, directory-only listing, logging.

• Decompiled backdoored identd.

• Fakelib, for running binaries in controlled environment.

• MD5 checks of installed files.

• Difference of ssh source against original, autoconfiged and all.

• Good analysis.
• Recoginized different rootkits mixed.

• Excellent timeline.
• Excellent management report.
• Advisory includes good summary of events, excellent signature of how to detect compromise, hints and tips, and references. Even includes missing shutdown command.

• Analysis is excellent. Does not have dcat, but figures it all out, and even gets process environment and lost logging from swap.

• Excellent demo of how to recover lost information with strings/grep from swap and raw disk. Fine demo of how to run a DDOS tool in a shared lib sandbox.

• Outstanding readability, giving 2 bonus points! Very easy to read, excellent format to learn from.

• Notes that the rootkit elements actually come from different Linux Rootkit distributions (4 and 5).

• Identifies the version of "named" to be one relased immediately after a CERT advisory about a BIND vulnerability, and postulates that the binary was created by root@zagnut.goobe.net as a result of a compromise of that system. (Could this person have actually created this version as a result of intrusions himself? Thomas did not know about the OZ rootkit, as identified by Addam Schroll and Andy Polyakov, which may support the latter conclusion.)

• Found some very interesting things in swap space by searching for environment strings. This includes instances of processes run from the account "adm1", including "/bin/su", "/usr/local/sbin/sshd", and "/usr/sbin/named". He also found a copy of Lance's shell running "nc" to copy the images off-system while the system was running! (Good catch.)

• Used a clever shell "for" loop to recover all non-zero deleted i-nodes, and examined them. He found the source distribution for the sshd installed by the intruder, and through difference analysis found the same backdoor and logging features I had found. He even confirmed the backdoor password that was found in /usr/tmp/nap. Strings compiled into the sshd ("/dev/.oz/.nap/rkit/terror") show it, too, is part of the OZ rootkit.

• Did the best job of showing adjusted times in his timeline to match what was stated to be the reference time in CST. (This would aid tremendously when comparing this incident with other related incidents.)

• Did a very thorough job of providing second sources of evidence to support theories, e.g., the use of "su" to become the "drosen" user.

• Very impressive use of fake system calls in a shared object library (fake.so) to analyze the output of a DoS attack tool. This has some very interesting possibilities that I hadn't thought of before for analyzing DoS and DDoS programs! (Mua-ha-ha-ha!! ;)