Security Incidents mailing list archives

New toolkit (maybe)


From: Devdas Bhagat <devdas () worldgatein net>
Date: Thu, 7 Dec 2000 20:06:35 +0530

We had two machines taken out, both running Redhat 6.1. 
The cracker did the following things:
Modified login, ps, ls, who, w, $PATH, netstat, lsof (to put sbin in
first) [Maybe some more modifications as well--being told to do nothing
for ten hours and then do an analysis is not good for the analyser].
Linked /root/.bash_history to /dev/null. 
Changed permissions on the above files, as well as made
/etc/rc.d/rc.sysinit non-executable. 
Installed rtty, cons.saver, ssh[trojan], gib[Perl script to open random
ports], pback, a file called ..[6 nonviewable characters]belina in
/usr/local/man/man1, /dev/hd10, a couple more entries in /dev.
nas, jcd, qmgr and auds were installed.
tar was modified on one of the machines, but not the other.

The date on sshd was August 30, the date on the ssh-client and keygen
was June 15.
I had no backup disks (and still have none :() on which to dump the
contents of the disk for forensic analysis, so I can't provide the
files for analysis. [Of course, the data is backed up]

Opened ports 22/tcp, 996/tcp, 12213/tcp, 18186/tcp, 18666/tcp.
 
The machine is rebuilt, so I can't find out which other files were
modified.

Also, the machines being production machines, I couldn't even mount the
disks ro (mail servers), so I can't analyse the logs.

Does anyone know of a toolkit that does this? Particularly the changed
dates.
A Google search and a securityfocus search have turned up nothing.

Devdas Bhagat
--
I'm going to Boston to see my doctor.  He's a very sick man.
                -- Fred Allen
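A post-mortem check for the indicators this post lists (history symlinked to /dev/null, rc.sysinit made non-executable, plain files dropped under /dev, man1 entries with non-viewable characters in their names), written here as an added example that runs against a read-only mounted image root rather than the live host. It is not the poster's code nor any toolkit's, and the sample tree it builds is constructed to mirror the post.

```python
import os
import stat
import tempfile

# Paths the post names, relative to a filesystem root (a mounted image or a test tree).
HISTORY = "root/.bash_history"
SYSINIT = "etc/rc.d/rc.sysinit"
DEV_DIR = "dev"
MAN_DIR = "usr/local/man/man1"

def history_is_devnull(root):
    """/root/.bash_history symlinked to /dev/null: shell history suppressed."""
    p = os.path.join(root, HISTORY)
    return os.path.islink(p) and os.readlink(p) == "/dev/null"

def sysinit_not_executable(root):
    """rc.sysinit stripped of its execute bits (post: made non-executable)."""
    p = os.path.join(root, SYSINIT)
    return os.path.lexists(p) and not os.lstat(p).st_mode & 0o111

def regular_files_in_dev(root):
    """Plain files stashed under /dev; real entries are nodes, dirs, links, fifos."""
    found = []
    for dirpath, _, names in os.walk(os.path.join(root, DEV_DIR)):
        for name in names:
            p = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(p).st_mode):
                found.append(os.path.relpath(p, root))
    return sorted(found)

def unprintable_names(root):
    """man1 entries whose names contain non-printable (hidden) characters."""
    base = os.path.join(root, MAN_DIR)
    if not os.path.isdir(base):
        return []
    return sorted(n for n in os.listdir(base) if not n.isprintable())

def build_constructed_tree():
    """Constructed sample tree reproducing the post's findings (not real data)."""
    root = tempfile.mkdtemp()
    for d in ("root", "etc/rc.d", DEV_DIR, MAN_DIR):
        os.makedirs(os.path.join(root, d))
    os.symlink("/dev/null", os.path.join(root, HISTORY))
    open(os.path.join(root, SYSINIT), "w").close()
    os.chmod(os.path.join(root, SYSINIT), 0o644)            # execute bits removed
    os.mkfifo(os.path.join(root, DEV_DIR, "initctl"))        # legitimate fifo, not flagged
    open(os.path.join(root, DEV_DIR, "hd10"), "w").close()   # stashed regular file
    open(os.path.join(root, MAN_DIR, "..\x01\x02belina"), "w").close()
    open(os.path.join(root, MAN_DIR, "ls.1"), "w").close()   # normal page, not flagged
    return root
```

Point the four checks at the mount point of the suspect disk; the constructed tree only exists so the checks can be exercised offline.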
