teo
- Mactime uses the analyst's local passwd/group files instead of the corpse's.
- All mactimes are in the wrong time zone (the analyst's local time?),
so that logfiles and mactimes do not correlate.
- No deleted mactime analysis.
- No file checksum analysis (rpm verify).
- No file disassembly.
- Lastlog analysis misses users not in the passwd file.
- Did unrm analysis.
- Recovered deleted messages file.
- Recovered root's deleted bash history.
- Did swap analysis.
- Recovered environment from swap.
- Recovered logging from swap.
- Misdiagnosed "inetd[408]: pid 2387: exit status 1"
as inetd restart.
- Miscalculated clock skew between IDS and victim as 18
minutes.
- Found sniffer and sshd password logger, and the ssh universal
password.
- Gets around the rootkit by mounting the evidence on a loopback device. The
file filesystem_changes.txt gives the purpose of the rootkit files and their config files.
They recovered the script that installs all the rootkit
replacement binaries and that links bash history files
to /dev/null.
- Claims the deleted bash_history file is from immediately
after the statd exploit; however, the commands in bash_history
that run "uptime" and truncate /etc/hosts.deny correspond
to mactime patterns 8 hours after the exploit.
The reason for this mistake is that all mactimes are in
the wrong time zone (the analyst's local time?).
- Evidence presentation is good, well organized, but fatal errors
made in the analysis. Their mactimes are offset by many hours, thus
no correlation of events with logfiles. They do a lastlog analysis but
miss the users not in the passwd file. There's no checksum analysis,
little strings analysis of programs, no decompilation.
- Summary gives no indication whether user files or other systems
were affected.
- Focus of the advisory is on the statd vulnerability, but it also mentions
what the intruder does. Detection is OK: linked .bash_history -> /dev/null,
sshd in rc.local; minor inaccuracy that /usr/tmp/nap contains the
magic password; misses the deleted shutdown account.
- Used available tools, good analysis of swap space.
- Excellent advisory, detailed but simple to read.
- Very good warning about TELNET/FTP to systems.
- evidence.txt file extremely well written.
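As an added example (not part of the original review notes or of the entry's own analysis), the script below shows how to avoid the two lastlog/passwd mistakes noted above: it resolves UIDs against the passwd file taken from the corpse rather than the analyst's workstation, still reports lastlog records whose UID has no passwd entry (a deleted or never-listed account), and renders timestamps in an explicitly chosen zone so they can be lined up with the victim's logfiles. The lastlog blob, the passwd contents, and the victim time zone (UTC-6) are constructed assumptions; the record layout is glibc's 292-byte struct lastlog indexed by UID.

```python
"""Parse a Linux lastlog file against the passwd file from the evidence tree.

Records are reported by UID whether or not the UID exists in passwd, and
timestamps are rendered in an explicit time zone rather than whatever the
analyst's workstation happens to be set to.
"""
import struct
from datetime import datetime, timedelta, timezone

# glibc struct lastlog: int32 ll_time, char ll_line[32], char ll_host[256].
# The record at offset uid * 292 belongs to that UID.  (Assumption: the
# corpse is a 32-bit-time_t Linux lastlog; the layout is little-endian x86.)
LASTLOG_STRUCT = struct.Struct("<i32s256s")
RECORD_SIZE = LASTLOG_STRUCT.size  # 292 bytes

# Assumption: the victim ran in UTC-6.  Pick the zone from the corpse's
# /etc/localtime or its syslog timestamps, never from the analyst's clock.
VICTIM_TZ = timezone(timedelta(hours=-6))

# Constructed sample passwd taken "from the corpse" (not real challenge data).
CORPSE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "bob:x:500:500:Bob:/home/bob:/bin/bash\n"
)


def parse_passwd(text):
    """Map UID -> username from the evidence tree's passwd file."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or line.startswith("#"):
            continue
        try:
            users[int(fields[2])] = fields[0]
        except ValueError:
            continue
    return users


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_lastlog(blob, users, tz):
    """Return one dict per populated lastlog record.

    A UID with no passwd entry is still reported (name None); dropping it
    would hide accounts the intruder created and later deleted."""
    records = []
    for uid in range(len(blob) // RECORD_SIZE):
        ll_time, line, host = LASTLOG_STRUCT.unpack_from(blob, uid * RECORD_SIZE)
        if ll_time == 0:
            continue  # slot never written: user has not logged in
        records.append({
            "uid": uid,
            "name": users.get(uid),
            "time": datetime.fromtimestamp(ll_time, tz).isoformat(),
            "line": _cstr(line),
            "host": _cstr(host),
        })
    return records


def orphan_uids(records):
    """UIDs that logged in but have no passwd entry on the corpse."""
    return [r["uid"] for r in records if r["name"] is None]


def build_sample_lastlog():
    """Constructed lastlog image: logins for UID 0, 500 and 1001.

    UID 1001 deliberately has no passwd entry, modelling an account that
    was removed from passwd after use."""
    blob = bytearray(RECORD_SIZE * 1002)

    def put(uid, ll_time, line, host):
        rec = LASTLOG_STRUCT.pack(ll_time, line.encode(), host.encode())
        blob[uid * RECORD_SIZE:(uid + 1) * RECORD_SIZE] = rec

    put(0, 984000000, "tty1", "")
    put(500, 984003600, "pts/0", "10.0.0.5")
    put(1001, 984007200, "pts/1", "192.168.1.7")
    return bytes(blob)


def analyze(blob, passwd_text=CORPSE_PASSWD, tz=VICTIM_TZ):
    """Full pipeline: corpse passwd + lastlog blob -> records in victim time."""
    return parse_lastlog(blob, parse_passwd(passwd_text), tz)


if __name__ == "__main__":
    recs = analyze(build_sample_lastlog())
    for r in recs:
        print(f"uid={r['uid']:<5} name={r['name'] or '<not in passwd>':<15} "
              f"{r['time']} {r['line']:<8} {r['host']}")
    print("orphan UIDs:", orphan_uids(recs))
```

Against a real image, read the blob from the mounted evidence (e.g. the corpse's var/log/lastlog) and the passwd text from the same tree; the same approach applies to wtmp/utmp, which also carry UIDs only indirectly and are equally prone to being resolved against the wrong passwd.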