| FILES AND DIRECTORIES |
|
| File / Dir | Description | How |
| /usr/man/.Ci | C programs, scripts, scanner, ... | Timelines |
| /dev/tpack | ??? | Deleted files |
| /tmp/install.log | Installation of programs | Looking for the .log extension |
| /usr/man/.Ci/temp* | Interesting Deleted Directories & Files | Deleted Files Analysis |
| /var/tmp/nap | username root; passwd:tw1lightz0ne |
| I#: 8133 | Rootkit | Browsing in Deleted Files |
| /var/tmp | eggdrop Deleted Files | Deleted Files Analysis |
| /usr/local/sbin/sshd1 | Ref. to /usr/tmp/nap | Backdoor |
| |
| HISTORYFILES |
|
| File / Dir | Description | How |
| /home/drosen/.bash_history | tpack actions | Hidden Files & Dirs |
| |
| FRAGMENTS |
|
| File / Dir | Description | How |
| B#: 8575 (hda8) | passwd creation script | Searching for passwd string |
| B#: 34539 (hda8) | passwd encryption | Searching for passwd string |
| B#: 96117-8 (hda8) | Trojan Installation Script | Search for netstat |
| B#: 100801- (hda8) | Exploit | Search r00t |
| |
| LOG FILES |
|
| File / Dir | Description | How |
| /var/log/secure | telnet connection | IP Address Searches |
| |
| ROOTKIT ANALYSIS |
| I#: 8133 | |
| |
| SUSPECT TERRORIST |
| toro00@yahoo.com | Mavi Mehdi | 3 Mimosa, Irvine CA, 92612 |
| | | Staminus Communications / Falcon Networks, 502 S Harbour Blvd, Fullerton, CA 92832 |
| |