"I reviewed my sniffer logs and found that the cracker has logged into an account that I had not seen him use before. Once connected he used a backdoor in pine to escape from the menuing software and run a Korn shell. He then changed his directory to a third user's home directory that had never had a connection to the cracker and then into a directory named ... (three dots). Inside that directory he did a ls -l showing a file owned by root that was around 800 MB which he compressed down to about 300 MB using gzip. He then transferred the file transfer tool that we had seen him use a few times to his shell..."
"So the mystery was, what is the file that he transferred with his transfer tool? I could see from our sniffer log that the file had been recreated and continued to grow after he had gzipped it. He was running some software as root that was writing to this file from one of our machines! ... I had begun to suspect that what I had found was a sniffer that the cracker was running to capture logins and passwords on our system and on other systems that our users connected to. Running a utility to check the network card showed that it was in promiscuous mode. The ifconfig utility reported that it was not and this told me that he had replaced the system ifconfig command with a rootkit version that lied to us about the promiscuous status of our network interface. So he was running a sniffer on our system."
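The detection point in the account above is that a trojaned ifconfig can lie while the kernel still knows the interface is promiscuous. The following is an added example (not the author's code or tooling) that cross-checks the kernel's interface flags word, as Linux exposes it in /sys/class/net/<iface>/flags, against what a user-space tool such as ifconfig or ip link prints; the interface name, sample outputs and the `check_live` helper are assumptions for illustration.

```python
import re
import subprocess

IFF_PROMISC = 0x100  # promiscuous-mode bit in the kernel flags word (linux/if.h)


def promisc_from_sysfs_flags(flags_text: str) -> bool:
    """Decode the hex flags word read from /sys/class/net/<iface>/flags."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_from_tool_output(output: str, iface: str) -> bool:
    """Find the interface's header line in ifconfig or ip link output and
    report whether the tool claims PROMISC is set."""
    header = re.compile(r"^(\d+:\s*)?" + re.escape(iface) + r"\b")
    for line in output.splitlines():
        if header.match(line):
            return re.search(r"\bPROMISC\b", line) is not None
    return False


def compare(iface: str, sysfs_flags_text: str, tool_output: str) -> dict:
    """Kernel view versus tool view; a mismatch is the rootkit signal."""
    kernel = promisc_from_sysfs_flags(sysfs_flags_text)
    tool = promisc_from_tool_output(tool_output, iface)
    return {"iface": iface, "kernel": kernel, "tool": tool,
            "mismatch": kernel != tool}


def check_live(iface: str, tool=("ip", "link", "show")) -> dict:
    """Hypothetical helper: run the check on a real Linux host."""
    with open(f"/sys/class/net/{iface}/flags") as fh:
        flags_text = fh.read()
    output = subprocess.run(tool, capture_output=True, text=True).stdout
    return compare(iface, flags_text, output)


# Constructed sample: the kernel says PROMISC (0x100 set), the tool does not.
SAMPLE_SYSFS_FLAGS = "0x1143\n"
SAMPLE_LYING_IFCONFIG = (
    "eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500\n"
    "        inet 192.0.2.10  netmask 255.255.255.0\n"
)

if __name__ == "__main__":
    print(compare("eth0", SAMPLE_SYSFS_FLAGS, SAMPLE_LYING_IFCONFIG))
```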
"We had thousands of logins each day from a large selection of places all over the world. Many of these users then connected to other systems using telnet or FTP. Each time one of our users connected to a system somewhere else the cracker had a new door that he could open. A new system that he could crack or just use to store things. To run his port redirector all he needed was a regular user account on a machine and then he had a new system to cover his tracks with."