
Notes:
MAC = Modified, Accessed, Changed. These timestamps are stored in each inode.
I should have constructed a MACtime list that included the system binaries and other files. This would have presented a better picture of the attacker's actions, possibly pinpointing exactly when he or she returned to the system. At the very least it might have given some insight on the activity after the compromise.
trojans and backdoors. That password log file needs to capture from somewhere... HMMM. Well lookie here!
$ strings $ROOTKIT/usr/local/sbin/sshd1 | grep nap
/usr/tmp/nap
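The MACtime list the note above says should have been built, as an added example that is not part of the original write-up: a small Python timeline builder in the style of TCT's mactime, reading m/a/c times from os.lstat() and emitting one row per timestamp and path with "m.c"-style flags. The sample entries (the trojaned sshd1, its /usr/tmp/nap log, and an untouched /bin/ls) and all timestamps are constructed for illustration, not the incident's real data.

```python
import os
import time
from collections import namedtuple

# One inode's MAC times in seconds since the epoch, as returned by lstat()
Entry = namedtuple("Entry", "path mtime atime ctime")


def collect(root):
    """Walk a tree (without following symlinks) and record every inode's
    Modified, Accessed and Changed times."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            out.append(Entry(p, int(st.st_mtime), int(st.st_atime), int(st.st_ctime)))
    return out


def mactime(entries):
    """Build a timeline: one row (timestamp, flags, path) per distinct time
    at which a path was touched. flags is 'm', 'a', 'c' in fixed positions,
    with '.' for a time that does not apply (e.g. 'm.c' = modified+changed)."""
    events = {}
    for e in entries:
        for t, flag in ((e.mtime, "m"), (e.atime, "a"), (e.ctime, "c")):
            events.setdefault((t, e.path), set()).add(flag)
    rows = []
    for (t, path), flags in sorted(events.items()):
        rows.append((t, "".join(f if f in flags else "." for f in "mac"), path))
    return rows


# Constructed sample (not real incident data): the trojaned daemon and its
# password log share a later access/change burst that the untouched /bin/ls
# only shares on the access time, which is what a timeline makes visible.
SAMPLE = [
    Entry("/usr/local/sbin/sshd1", 952000000, 952003600, 952000000),  # trojaned binary
    Entry("/usr/tmp/nap", 952000100, 952003600, 952003600),           # sniffed-password log
    Entry("/bin/ls", 940000000, 952003600, 940000000),                # untouched system binary
]

if __name__ == "__main__":
    for t, flags, path in mactime(SAMPLE):
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(t)), flags, path)
```

Run it against a mounted image with `mactime(collect("/mnt/evidence"))` to get the same rows for a real tree; remember that reading files on a live mount updates atime, so work from a read-only or noatime mount.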