2008-12-03
Article continued from Page 2
The attacker had made no real attempt to cover his or her tracks, which made the analysis surprisingly quick and easy. For example, the .bash_history file was still intact and contained a complete list of the commands executed since the attacker logged on. It could have been a cleverly planted fake, or could have had portions deleted, but the general skill level on display suggested not. (A history file is only ever as good as the shell that wrote it: bash writes it out when the shell exits cleanly, so an attacker who unsets HISTFILE or kills the shell leaves nothing, and what is there should be corroborated against the timestamps of the files the commands claim to have created.)
Some of these commands downloaded various archives from the internet, unpacked them and ran the programs inside. They were semi-hidden by being stored in a directory called /tmp/. (that is a dot followed by a space as the subdirectory name), which looks like the current-directory entry in a casual ls listing. One of these files, local.tar.gz, was a good collection of local privilege escalation exploits, that is, programs which, when run as an ordinary user, would give root access if the machine were vulnerable to that particular bug. For example, one program was called do_brk and attempted to gain root using the Linux do_brk issue (the kernel brk() bounds-checking flaw, CVE-2003-0961). Fortunately the machine was fully patched, and the attacker had to make do with the unprivileged user account. After a while they evidently gave up and turned to other things.
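A triage scan for the kind of semi-hidden scratch directory described above, added here as an example and not code from the original article. It walks world-writable scratch locations and flags directory names that are dot/whitespace-only (like the attacker's "/tmp/. "), carry leading, trailing or embedded whitespace, or contain control characters, while leaving ordinary dot-directories such as /tmp/.X11-unix alone. The default roots and the sample tree it builds are assumptions made for this example.

```python
"""Added example, not from the original article: find directory names under
scratch locations that are designed to be overlooked in a listing, such as
"/tmp/. " (dot, space) used by the intruder in the write-up."""
import os
import sys
import tempfile
import unicodedata

# Scratch locations an unprivileged attacker can write to (an assumption for
# this example; extend to wherever your hosts allow world-writable storage).
DEFAULT_ROOTS = ["/tmp", "/var/tmp", "/dev/shm"]


def is_suspicious_name(name):
    """Return a short reason if a directory name looks designed to be
    overlooked, or None if it looks ordinary.  Plain dot-directories such
    as .X11-unix are deliberately not flagged."""
    stripped = name.strip()
    if stripped in ("", ".", ".."):
        return "dot/whitespace-only name"      # e.g. ". " as in the article
    if stripped != name:
        return "leading/trailing whitespace"
    if any(ch.isspace() for ch in name):
        return "embedded whitespace"
    if any(unicodedata.category(ch).startswith("C") for ch in name):
        return "control characters"
    return None


def find_odd_dirs(roots, max_depth=3):
    """Walk each root to max_depth levels and return a list of
    {"path", "name", "reason"} dicts for every suspicious directory name,
    in directory-listing order."""
    hits = []
    for root in roots:
        root = os.path.normpath(root)
        if not os.path.isdir(root):
            continue
        base_depth = root.count(os.sep)
        for dirpath, dirnames, _files in os.walk(root):
            if dirpath.count(os.sep) - base_depth >= max_depth:
                dirnames[:] = []              # prune: do not descend further
                continue
            for name in sorted(dirnames):
                reason = is_suspicious_name(name)
                if reason:
                    hits.append({"path": os.path.join(dirpath, name),
                                 "name": name, "reason": reason})
    return hits


def build_sample_tree():
    """Constructed sample input: a throwaway tree mimicking the article's
    "/tmp/. " trick, plus innocent neighbours that must not be flagged."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    for name in (". ", "a b", "x ", ".X11-unix", "normal"):
        os.mkdir(os.path.join(root, name))
    return root


if __name__ == "__main__":
    # Scan the roots given on the command line, or the defaults above.
    roots = sys.argv[1:] or DEFAULT_ROOTS
    for hit in find_odd_dirs(roots):
        print("%-28s %r" % (hit["reason"], hit["path"]))
```

Run it as root across the scratch locations of a suspect host; the repr() in the output makes the whitespace in a name visible, which is exactly what a plain ls hides.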
One of the kits the attacker downloaded was clearly designed for sending phishing email to eBay users. Fortunately the machine had not been set up to exchange email with our central mail server, and we had also taken the precaution of blocking port 25/tcp outbound at the firewall for everything that was not a corporate mail server. Because the mail could not be delivered, this bounce ended up in the compromised user's local mailbox:
From MAILER-DAEMON Mon Jun 27 07:54:24 2005
Return-path: <>
Envelope-to: upload@victim
Received: from mail by victim.fqdn.example.com with local (Exim 3.36 #1 (Debian))
    id 1DmdCy-0005h9-00
    for <upload@victim>; Mon, 27 Jun 2005 07:54:24 +1200
X-Failed-Recipients: entdbiz@yahoo.com
From: Mail Delivery System <Mailer-Daemon@victim>
To: upload@victim
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1DmdCy-0005h9-00@victim.fqdn.example.com>
Date: Mon, 27 Jun 2005 07:54:24 +1200

This message was created automatically by mail delivery software (Exim).

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  entdbiz@yahoo.com
    unrouteable mail domain "yahoo.com"

------ This is a copy of the message, including all the headers. ------

Return-path: <upload@victim>
Received: from upload by victim.fqdn.example.com with local (Exim 3.36 #1 (Debian))
    id 1DmdCy-0005h5-00
    for <entdbiz@yahoo.com>; Mon, 27 Jun 2005 07:54:24 +1200
From: ***Urgent Safeharbor Department Notice*** <service@eBay.com>
To: entdbiz@yahoo.com
Subject: eBay Fraud Mediation Request
Content-Type: text/html
Message-Id: <E1DmdCy-0005h5-00@victim.fqdn.example.com>
Sender: Upload acct <upload@victim>
Date: Mon, 27 Jun 2005 07:54:24 +1200
Status: Final
This is the local Exim mailer complaining that it could not deliver the message quoted in the second half of the text: an email purporting to come from service@eBay.com that asked recipients to enter their account details on a bogus website. Two details in those headers are worth noting. The failure reason, "unrouteable mail domain", is Exim saying that none of its routers had a route for a remote domain, which means the box was configured for local delivery only and the message never got as far as opening a TCP connection; the outbound port 25 block at the firewall was the second line of defence, had the attacker pointed the kit at a working relay instead. And the Received: line ("from upload by victim.fqdn.example.com with local") together with the Sender: header were stamped on by Exim at submission time, so they record the local account that actually injected the message, whatever the forged From: header claims.
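The header analysis described above, as an added example rather than anything from the original article or the kit: it splits an Exim 3 bounce into the bounce itself and the returned original, pulls out the failed recipients with Exim's reason, the address the phishing mail claimed to come from, and the local account that really submitted it. SAMPLE_BOUNCE is a constructed copy of the bounce quoted in the article (hostnames and addresses are the article's placeholders); the separator string and the regular expressions are assumptions about Exim 3's bounce layout made for this example.

```python
"""Added example, not from the original article: extract the forensically
useful fields from an Exim 3 bounce that carries the original message."""
import re
import sys
from email import message_from_string
from email.utils import parseaddr

# Line Exim 3 puts between its own bounce text and the returned original.
SEPARATOR = "------ This is a copy of the message, including all the headers. ------"

# "  address\n    reason" pairs in the body of the outer (bounce) message.
FAILED_RE = re.compile(r"^[ \t]+(\S+@\S+)[ \t]*\n[ \t]+(.+)$", re.MULTILINE)
# Exim's Received: line: "from <who> by <host> with <protocol> ..."
RECEIVED_RE = re.compile(r"^from (\S+) by (\S+) with (\S+)")

# Constructed sample: a copy of the bounce in the article.
SAMPLE_BOUNCE = """\
From MAILER-DAEMON Mon Jun 27 07:54:24 2005
Return-path: <>
Envelope-to: upload@victim
Received: from mail by victim.fqdn.example.com with local (Exim 3.36 #1 (Debian))
    id 1DmdCy-0005h9-00
    for <upload@victim>; Mon, 27 Jun 2005 07:54:24 +1200
X-Failed-Recipients: entdbiz@yahoo.com
From: Mail Delivery System <Mailer-Daemon@victim>
To: upload@victim
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1DmdCy-0005h9-00@victim.fqdn.example.com>
Date: Mon, 27 Jun 2005 07:54:24 +1200

This message was created automatically by mail delivery software (Exim).

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  entdbiz@yahoo.com
    unrouteable mail domain "yahoo.com"

------ This is a copy of the message, including all the headers. ------

Return-path: <upload@victim>
Received: from upload by victim.fqdn.example.com with local (Exim 3.36 #1 (Debian))
    id 1DmdCy-0005h5-00
    for <entdbiz@yahoo.com>; Mon, 27 Jun 2005 07:54:24 +1200
From: ***Urgent Safeharbor Department Notice*** <service@eBay.com>
To: entdbiz@yahoo.com
Subject: eBay Fraud Mediation Request
Content-Type: text/html
Message-Id: <E1DmdCy-0005h5-00@victim.fqdn.example.com>
Sender: Upload acct <upload@victim>
Date: Mon, 27 Jun 2005 07:54:24 +1200
"""


def parse_received(value):
    """Split one Received: header into who/host/protocol, or None if it is
    not in Exim's "from ... by ... with ..." form."""
    flat = " ".join(value.split())            # unfold continuation lines
    m = RECEIVED_RE.match(flat)
    if not m:
        return None
    return {"from": m.group(1), "by": m.group(2), "proto": m.group(3)}


def analyse_bounce(text):
    """Return failed recipients with Exim's reason, the claimed From: address,
    the Sender: address, the Received: hops, and the local account that
    submitted the returned message (None if it did not arrive via "local")."""
    if SEPARATOR not in text:
        raise ValueError("not an Exim bounce carrying the original message")
    outer_txt, inner_txt = text.split(SEPARATOR, 1)
    outer_txt = re.sub(r"\AFrom .*\n", "", outer_txt)   # drop mbox "From " line
    outer = message_from_string(outer_txt)
    inner = message_from_string(inner_txt.lstrip("\r\n"))

    hops = [h for h in (parse_received(v) for v in inner.get_all("Received", []))
            if h is not None]
    # Received: headers are prepended, so the last one is the submission hop.
    submission = hops[-1] if hops else None
    injected_by = None
    if submission is not None and submission["proto"] == "local":
        injected_by = submission["from"]
    return {
        "failed": FAILED_RE.findall(outer.get_payload()),
        "claimed_from": parseaddr(inner.get("From", ""))[1],
        "sender": parseaddr(inner.get("Sender", ""))[1],
        "subject": inner.get("Subject"),
        "hops": hops,
        "injected_by": injected_by,
    }


if __name__ == "__main__":
    # Read a bounce from stdin, or fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BOUNCE
    report = analyse_bounce(text)
    for addr, why in report["failed"]:
        print("failed:       %s (%s)" % (addr, why))
    print("claimed From: %s" % report["claimed_from"])
    print("Sender:       %s" % report["sender"])
    print("injected by:  local account %r" % report["injected_by"])
```

Feed it a mailbox entry with `python3 bounce.py < bounce.txt`; the "injected by" line is the one to chase, since it names the account whose credentials or processes the attacker was using, independent of what the phishing mail says about itself.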
