Goals in checking the machine

• can confirm that machine was compromised
• (impossible to confirm that it was not compromised)
• find breakin method -- assess risks to other machines
• sniffer log may be likely depending on network design
• stolen passwords on local subnet affect system owner
• details of intruder's network use are less critical
  • exploit and DoS programs are likely available elsewhere
  • backdoor login programs are likely available elsewhere
  • details of rootkit installation typically don't matter
  • sniffer code is almost certainly available elsewhere
  • IRC bots and proxy servers are available elsewhere
  • log files related to IRC use may be valuable, though