The attacker got the rootkit via HTTP. Below is the start of the server-to-client TCP flow:

bash-2.05b$ head -12 062.211.066.053.00080-192.168.100.028.32789
HTTP/1.1 200 OK
Date: Fri, 29 Nov 2002 15:45:29 GMT
Server: Apache/1.3.26 (Unix)
Last-Modified: Fri, 15 Nov 2002 11:11:26 GMT
ETag: "4197671-1cc000-3dd4d65e"
Accept-Ranges: bytes
Content-Length: 1884160
Connection: close
Content-Type: application/x-tar
Content-Encoding: x-gzip

sol/0040755000076500007650000000000007565152413010715 5ustar traintrainsol/dl0100755000076500007650000000131307524117326011234 0ustar traintrainunset HISTFILE

We can see from the HTTP headers that the file is a tar archive. We can use sed to cut off the headers (everything from line 12 on is the response body) and feed the archive to tar to see what it contains:
bash-2.05b$ sed -n -e '12,$p' < 062.211.066.053.00080-192.168.100.028.32789 | tar -tvf -
drwxr-xr-x 2 501 501      0 Nov 15  2002 sol
-rwxr-xr-x 1 501 501    715 Aug  7  2002 sol/dl
-rwx------ 1 501 501   9056 Apr 26  2002 sol/du
-rwx------ 1 501 501  35376 Apr 26  2002 sol/l2
-rwx------ 1 501 501  18120 Apr 26  2002 sol/ls
-rwx------ 1 501 501   8332 Apr 26  2002 sol/pg
-rwx------ 1 501 501   9492 Apr 26  2002 sol/ps
-rwx------ 1 501 501   8772 Apr 26  2002 sol/su
-rwx------ 1 501 501   1787 Apr 26  2002 sol/sz
drwxr-xr-x 2 501 501      0 Apr 26  2002 sol/etc
-rw------- 1 501 501    397 Apr 26  2002 sol/etc/tconf
-rw------- 1 501 501    525 Apr 26  2002 sol/etc/ssh_host_key
-rw------- 1 501 501    512 Apr 26  2002 sol/etc/ssh_random_seed
-rw------- 1 501 501    329 Apr 26  2002 sol/etc/ssh_host_key.pub
-rwx------ 1 501 501  11668 Apr 26  2002 sol/fix
-rwx------ 1 501 501  13984 Apr 26  2002 sol/ls2
-rwx------ 1 501 501  21424 Apr 26  2002 sol/sn2
-rwx------ 1 501 501  10488 Apr 26  2002 sol/syn
-rwx------ 1 501 501   1910 Apr 26  2002 sol/szl
-rwx------ 1 501 501  86024 Apr 26  2002 sol/top
-rwx------ 1 501 501   9064 Apr 26  2002 sol/find
-rw------- 1 501 501    877 Aug 26  2002 sol/logo
-rwx------ 1 501 501  12472 Apr 26  2002 sol/lsof
-rwx------ 1 501 501   8780 Apr 26  2002 sol/ping
-rwxr-xr-x 1 501 501 259832 Apr 26  2002 sol/sshd
-rwx------ 1 501 501     17 Apr 26  2002 sol/sver
-rwx------ 1 501 501 136288 Apr 26  2002 sol/wget
-rw-r--r-- 1 501 501 194539 Apr 26  2002 sol/psy.tar.Z
-rw-r--r-- 1 501 501  37809 Apr 26  2002 sol/110646-03.zip
-rwx------ 1 501 501     80 Apr 26  2002 sol/sniffload
-rwx------ 1 501 501   8672 Apr 26  2002 sol/crypt
-rwx------ 1 501 501  15180 Apr 26  2002 sol/idsol
-rwx------ 1 501 501   9508 Apr 26  2002 sol/login
-rwx------ 1 501 501   8388 Apr 26  2002 sol/rpass
-rwxr-xr-x 1 501 501  11369 Nov 15  2002 sol/setup
-rwx------ 1 501 501   8024 Apr 26  2002 sol/utime
-rw------- 1 501 501    114 Apr 26  2002 sol/x.conf2
-rwx--x--x 1 501 501   7725 Apr 26  2002 sol/findkit
-rw-r--r-- 1 501 501 187911 Apr 26  2002 sol/103577-13.tar.Z
-rwx------ 1 501 501 260272 Apr 26  2002 sol/ssh-dxe
-rw-r--r-- 1 501 501 201027 Apr 26  2002 sol/109662-03.tar.Z
-rwx------ 1 501 501   8772 Apr 26  2002 sol/strings
-rwx------ 1 501 501   9064 Apr 26  2002 sol/netstat
-rw-r--r-- 1 501 501  41775 Apr 26  2002 sol/111606-02.zip
-rwxr-xr-x 1 501 501   2869 Apr 27  2002 sol/p-engine
-rwx------ 1 501 501   8780 Apr 26  2002 sol/passwd
-rw------- 1 501 501    446 Apr 26  2002 sol/x.conf
-rwx------ 1 501 501  12874 Aug 26  2002 sol/switch
-rw------- 1 501 501  11246 Aug 21  2002 sol/setup.save
-rwxr-xr-x 1 501 501    217 Apr 26  2002 sol/startbnc
-rwx------ 1 501 501    282 Apr 26  2002 sol/removekit
-rwxr-xr-x 1 501 501    732 Apr 26  2002 sol/patch.sol5
-rwxr-xr-x 1 501 501    862 Apr 26  2002 sol/patch.sol6
-rwxr-xr-x 1 501 501    840 Apr 26  2002 sol/patch.sol7
-rwxr-xr-x 1 501 501   1011 Apr 26  2002 sol/patch.sol8
-rwxr-xr-x 1 501 501    488 Apr 26  2002 sol/childkiller
-rwx------ 1 501 501   4032 Apr 26  2002 sol/cleaner
-rwxr-xr-x 1 501 501 109372 Oct 22  2002 sol/solsch
tar: ustar vol 1, 58 files, 1875968 bytes read, 0 bytes written in 1 secs (1875968 bytes/sec)
bash-2.05b$
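As an added example (not part of the original write-up), the same extraction done by parsing the HTTP response rather than counting header lines, with two checks worth making before trusting the listing: that the body length matches Content-Length (a short capture means a truncated archive), and that the magic bytes rather than the Content-Encoding header decide whether to gunzip (this flow claims x-gzip but the ustar header is visible in clear). The function names and the small sample flow are constructed for the example.

```python
import gzip
import io
import tarfile

def build_sample_flow(compress=False):
    """Constructed stand-in for the server->client flow file above:
    HTTP headers, a blank line, then a small tar archive as the body."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("sol/dl", b"unset HISTFILE\n"), ("sol/setup", b"#!/bin/sh\n")):
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), 0o755
            tar.addfile(info, io.BytesIO(data))
    body = gzip.compress(buf.getvalue()) if compress else buf.getvalue()
    headers = (b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.26 (Unix)\r\n"
               b"Content-Length: %d\r\nContent-Type: application/x-tar\r\n"
               b"Content-Encoding: x-gzip\r\n\r\n") % len(body)
    return headers + body

def split_http_response(flow):
    """Split the flow at the first blank line (CRLF or bare LF), the real
    header/body boundary, instead of counting lines as 'sed -n 12,$p' does."""
    sep, seplen = flow.find(b"\r\n\r\n"), 4
    if sep == -1:
        sep, seplen = flow.find(b"\n\n"), 2
    if sep == -1:
        raise ValueError("no end-of-headers blank line in flow")
    headers = {}
    for line in flow[:sep].decode("latin-1").split("\n")[1:]:  # skip status line
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return headers, flow[sep + seplen:]

def list_delivered_archive(flow):
    """Return (name, size, mode) for every member of the archive carried in the flow."""
    headers, body = split_http_response(flow)
    declared = int(headers.get("content-length", len(body)))
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} but body is {len(body)} bytes: truncated capture?")
    # Decide by magic bytes, not by Content-Encoding: the flow above claims x-gzip
    # yet shows a plain ustar header right after the blank line.
    if body[:2] == b"\x1f\x8b":
        body = gzip.decompress(body)
    with tarfile.open(fileobj=io.BytesIO(body), mode="r:") as tar:
        return [(m.name, m.size, m.mode) for m in tar.getmembers()]
```

Run it against the real flow file by replacing build_sample_flow() with the bytes read from 062.211.066.053.00080-192.168.100.028.32789; tarfile only lists members here and writes nothing to disk.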