We can verify that the rootkit installation worked by looking at the files it created (the partition image is mounted read-only, with nodev and noexec):
[gfk@cesam honeynet]$ su
Password:
[root@cesam honeynet]# mount -o ro,loop,nodev,noexec honeypot.hda8.dd mnt
[root@cesam honeynet]# exit
[gfk@cesam honeynet]$ cd mnt
[gfk@cesam mnt]$ cat dev/rpm
3 sl2
3 sshdu
3 linsniffer
3 smurf
3 slice
3 mech
3 muh
3 bnc
3 psybnc
[gfk@cesam mnt]$ cat dev/last
1 193.231.139
1 213.154.137
1 193.254.34
3 48744
3 3666
3 31221
3 22546
4 48744
4 2222
[gfk@cesam mnt]$ cd dev/ida/.drag-on/
[gfk@cesam .drag-on]$ ls -l
total 647
-rwx------ 1 root root 7165 Mar 15 20:45 linsniffer
-rwx------ 1 root root 75 Mar 15 20:45 logclear
-rwxr-xr-x 1 root root 632066 Mar 15 20:45 mkxfs
-rw-r--r-- 1 root root 708 Mar 15 20:45 s
-rwxr-xr-x 1 root root 4060 Mar 15 20:45 sense
-rwx------ 1 root root 8268 Mar 15 20:45 sl2
-rw------- 1 root root 540 Mar 15 20:45 ssh_host_key
-rw------- 1 root root 512 Mar 16 09:45 ssh_random_seed
-rw-r--r-- 1 root root 138 Mar 16 11:28 tcp.log
[gfk@cesam .drag-on]$ cd "../.. "
[gfk@cesam .. ]$ ls -l
total 646
-rwx------ 1 root root 7165 Mar 15 20:45 linsniffer
-rwx------ 1 root root 75 Mar 15 20:45 logclear
-rwxr-xr-x 1 root root 632066 Mar 15 20:45 mkxfs
-rw-r--r-- 1 root root 708 Mar 15 20:45 s
-rwxr-xr-x 1 root root 4060 Mar 15 20:45 sense
-rwx------ 1 root root 8268 Mar 15 20:45 sl2
-rw------- 1 root root 540 Mar 15 20:45 ssh_host_key
-rw------- 1 root root 512 Mar 15 20:45 ssh_random_seed
-rw-r--r-- 1 root root 0 Mar 15 20:45 tcp.log