teo

• Mactime uses local passwd/group file instead of corpse.

• All mactimes are in the wrong time units (local to analyst?) so that logfiles and mactimes do not correlate.

• No deleted mactime analysis.

• No file checksum analysis (rpm verify).

• No file disassembly.

• Lastlog analysis misses users not in the passwd file.

• Did unrm analysis.

• Recovered deleted messages file.

• Recovered root bash history messages file.

• Did swap analysis.

• Recovered environment from swap.

• Recovered logging from swap.

• Misdiagnosed "inetd[408]: pid 2387: exit status 1" as inetd restart.

• Miscalculated clock skew between IDS and victim as 18 minutes.

• Found sniffer and sshd password logger, and the ssh universal password.

• Gets around rootkit by mounting evidence on loopback. File filesystem_changes.txt purpose of files and their config files> They recovered the script that installs all the rootkit replacement binaries and that links bash history files to /dev/null.

• Claims the deleted bash_history file is from immediately after the statd exploit, however the commands in bash_history that run "uptime" and truncate /etc/hosts.deny correspond with mactime patterns 8 hours after exploit. The reason for this mistake is that all mactimes are in the wrong time units (relative to analyst?).

• Evidence presentation is good, well organized, but fatal errors made in the analysis. Their mactimes are offset by many hours, thus no correlation of events with logfiles. They do a lastlog analysis but miss the users not in the passwd file. There's no checksum analysis, little strings analysis of programs, no decompilation.

• Summary gives no indication whether user files or other systems were affected.

• Focus of advisory is on statd vulnerability, but also mention of what intruder does. detection is OK: linked .bash_history->/dev/null, sshd in rc.local, minor inaccuracy that /usr/tmp/nap contains magic password, misses the deleted shutdown account.

• Used available tools, good analysis of swap space.

• Excellent advisory, detailed but simple to read.

• Very good warning about TELNET/FTP to systems.

• evidence.txt file extremely well written.