================================================================================
This file contains the description of the interesting data blocks that were
recovered from the compromised system using the TCT programs unrm and lazarus.
The raw blocks can be found in blocks.tar.gz
================================================================================

- block 9: This contained a piece of an archive. I've tried to recover it but some data was missing; still, I could expand a piece of it:
    /last
    /last/ssh => 1.2.30 SSH
  This seems to be a 1.2.30 ssh client.
- block 8375 and following: This seems to be the deleted ssh we've found in block 9, because we've found the same string /home/Mech/ssh-1.2.30
- block 84375: This is a piece of a tw.config file for tripwire
- block 84383: This is the mail sent out to the hacker containing the system details
- block 8499: This is the install script for the rootkit
- block 8502: This block contains the binary of linsniffer
- block 8510: This contains a bash script "sauber" from "socked" which is used as a logcleaner.
- block 8516: This is the content of lsattr (trojan startup script)
- block 8517: This contains the hacker's /etc/services file
- block 8529: This is the sense script
- block 8534: the hacker's ssh_host_key; this contained the address root@dil2.datainfosys.net. This system is owned by the Indian ISP datainfosys.
- block 8537: A ssh configuration file that uses port 22 and sets PermitRootLogin to yes, but it is hacker-supplied because it uses the hostkey in /dev/ida/.drag-on
- block 8538: Contains the flooder, portscanner sl2
- block 8547: This is the last.cg script that permits remote execution of commands using the ISINDEX tag.
- block 8596: Top binary
- block 8607: The ssh configuration file as installed on the system by the hacker
- blocks 100151 - 100278: Several copies of /etc/passwd and /etc/shadow were found, and /etc/nsswitch.conf /etc/info-dir /etc/inittab /etc/group /etc/hosts /etc/syslog.conf
- block 115050: This contains a piece of the deleted ps binary. This binary contains the string "unknown AIX field descriptor" which is not present in the trojaned version
- block 60688: This contains the /etc/pam.d directory
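The identifications above rest on two techniques: matching a block's leading magic bytes (ELF, gzip) and searching the block for indicator strings such as /home/Mech/ssh-1.2.30 or "unknown AIX field descriptor" that tie it to something already known about the intrusion. The following Python script, added here as an illustration and not part of the original analysis or of TCT, reproduces that triage over carved blocks. The block size, the text-signature patterns, the constructed sample blocks and the assumption that archive member names begin with the block number are mine, not the page's.

```python
"""Triage of raw blocks carved by unrm/lazarus: magic bytes, text signatures and
indicator strings. Added example; not part of TCT or of the original analysis."""
import os
import re
import tarfile

BLOCK_SIZE = 1024  # assumption: 1 KiB ext2 blocks; adjust to the filesystem

ELF_MAGIC = b"\x7fELF"
GZIP_MAGIC = b"\x1f\x8b"

# Text-block signatures, tried in order on printable blocks; first match wins.
# The patterns are my own approximations of the file formats, not TCT's rules.
TEXT_SIGNATURES = [
    ("shell script", re.compile(rb"\A#!\s*/bin/(ba)?sh")),
    ("shadow fragment", re.compile(
        rb"^[a-z_][a-z0-9_-]*:(\$[0-9a-z]+\$[^:\n]+|[^:\n]{13}|[!*]):\d*:\d*:\d*:", re.M)),
    ("passwd fragment", re.compile(
        rb"^[a-z_][a-z0-9_-]*:[^:\n]*:\d+:\d+:[^:\n]*:/[^:\n]*:/[^\n]*$", re.M)),
    ("services fragment", re.compile(rb"^\w[\w-]*\s+\d+/(tcp|udp)\b", re.M)),
    ("sshd config", re.compile(rb"^(Port|HostKey|PermitRootLogin|ListenAddress)\s", re.M)),
    ("tripwire config", re.compile(rb"^@@(ifhost|define|include)\b|^/\S+\s+[RLNEIDH+-]+\s*$", re.M)),
]

# Strings that tie a block to a finding listed above.
WATCHLIST = [b"/home/Mech/ssh-1.2.30", b"unknown AIX field descriptor",
             b"/dev/ida/.drag-on", b"datainfosys"]


def is_text(data: bytes, threshold: float = 0.9) -> bool:
    """True when at least `threshold` of the bytes are printable ASCII or whitespace."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


def strings(data: bytes, min_len: int = 4) -> list:
    """Printable runs of at least min_len bytes, like strings(1)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def classify_block(block: bytes) -> str:
    """Label one carved block by magic bytes first, then by text signatures."""
    if block.startswith(ELF_MAGIC):
        return "ELF binary"
    if block.startswith(GZIP_MAGIC):
        return "gzip archive"
    body = block.rstrip(b"\x00")  # carved blocks are usually NUL-padded
    if not is_text(body):
        return "binary"
    for label, pattern in TEXT_SIGNATURES:
        if pattern.search(body):
            return label
    return "text"


def classify_blocks(blocks: dict) -> dict:
    """Map block number -> (label, watchlist hits) for every block."""
    report = {}
    for number, data in sorted(blocks.items()):
        hits = [w.decode() for w in WATCHLIST if w in data]
        report[number] = (classify_block(data), hits)
    return report


def load_blocks_from_tar(path: str) -> dict:
    """Read blocks from an archive such as blocks.tar.gz.
    Assumption: each member's base name starts with the block number."""
    blocks = {}
    with tarfile.open(path, "r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            m = re.match(r"(\d+)", os.path.basename(member.name))
            if m:
                blocks[int(m.group(1))] = tf.extractfile(member).read()
    return blocks


def _pad(data: bytes) -> bytes:
    return data.ljust(BLOCK_SIZE, b"\x00")


# Constructed sample blocks standing in for the real carved data.
SAMPLE_BLOCKS = {
    9: _pad(GZIP_MAGIC + b"\x08\x00" + b"\x00" * 6 + b"last/ssh\x00"),
    8375: _pad(ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9 + b"/home/Mech/ssh-1.2.30\x00"),
    8510: _pad(b"#!/bin/sh\n# sauber: drop lines matching $1 from the logs\n"
               b"grep -v \"$1\" /var/log/messages > /tmp/.x; mv /tmp/.x /var/log/messages\n"),
    8517: _pad(b"ftp\t\t21/tcp\nssh\t\t22/tcp\ntelnet\t\t23/tcp\n"),
    8537: _pad(b"Port 22\nHostKey /dev/ida/.drag-on/ssh_host_key\nPermitRootLogin yes\n"),
    84375: _pad(b"@@ifhost victim\n/etc\tR\n/bin\tR\n@@endif\n"),
    100151: _pad(b"root:x:0:0:root:/root:/bin/bash\nmech:x:500:500::/home/Mech:/bin/bash\n"),
    100152: _pad(b"root:$1$abcdefgh$ijklmnopqrstuvwxyz12:11234:0:99999:7:::\n"),
    115050: _pad(ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9 + b"unknown AIX field descriptor\x00"),
    4242: bytes(range(256)) * 4,  # opaque data: no magic, not printable
}

if __name__ == "__main__":
    for number, (label, hits) in classify_blocks(SAMPLE_BLOCKS).items():
        print(f"block {number:>6}: {label:<18} {' '.join(hits)}")
```

On real data, replace SAMPLE_BLOCKS with load_blocks_from_tar("blocks.tar.gz") and review the report by hand: a signature match is a hint, not proof, and the watchlist hits are what let you link a block such as 8375 back to the archive fragment in block 9, or separate the original ps from the trojaned one.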