Forensics 9. Look out for intact logfiles

Their Trojan sshd logs their own accesses :-)

  Aug 29 13:17:05 6D:foo sshd2[120825]:
      log: Server listening on port 13000.
  Aug 29 13:17:05 6D:foo sshd2[120825]:
      log: Generating 768 bit RSA key.
  Aug 29 13:17:06 6D:foo sshd2[120825]:
      log: RSA key generation complete.
  Sep  1 14:47:03 6D:foo sshd2[133087]:
      log: Connection from 1.2.3.4 port 2915
  Sep  1 14:54:47 6D:foo sshd2[133087]:
      log: Closing connection to 1.2.3.4
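
A triage sketch for logs like the excerpt above, added here as an example and not part of the original slides: it flags sshd-style daemons listening on a port other than 22 and lists the sessions they logged. The function names, the allowed-port list, the placeholder year and the port-22 `sshd[411]` entry are assumptions; the other sample lines are copied from the slide.

```python
import re
from datetime import datetime

# Entries copied from the slide (each wrapped over two lines), plus one
# constructed entry for a normal daemon on port 22 for contrast.
SAMPLE = """\
Aug 29 09:00:00 6D:foo sshd[411]:
    log: Server listening on port 22.
Aug 29 13:17:05 6D:foo sshd2[120825]:
    log: Server listening on port 13000.
Sep  1 14:47:03 6D:foo sshd2[133087]:
    log: Connection from 1.2.3.4 port 2915
Sep  1 14:54:47 6D:foo sshd2[133087]:
    log: Closing connection to 1.2.3.4
"""

ENTRY = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ (\w+)\[(\d+)\]:\s*log: (.*)$")

def entries(text):
    """Join indented continuation lines, then yield (time, prog, pid, msg)."""
    joined = re.sub(r"\n[ \t]+", " ", text)
    for line in joined.splitlines():
        m = ENTRY.match(line)
        if m:
            # syslog carries no year; 2000 is a placeholder so strptime can parse.
            ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3)), m.group(4)

def rogue_listeners(text, allowed_ports=(22,)):
    """Map program name -> port for listeners on ports outside allowed_ports."""
    found = {}
    for _, prog, _, msg in entries(text):
        m = re.match(r"Server listening on port (\d+)", msg)
        if m and int(m.group(1)) not in allowed_ports:
            found[prog] = int(m.group(1))
    return found

def sessions(text, progs):
    """Pair 'Connection from' / 'Closing connection' by PID for given programs."""
    open_by_pid, done = {}, []
    for ts, prog, pid, msg in entries(text):
        m = re.match(r"Connection from (\S+) port \d+", msg)
        if prog in progs and m:
            open_by_pid[pid] = (m.group(1), ts)
        elif msg.startswith("Closing connection") and pid in open_by_pid:
            src, start = open_by_pid.pop(pid)
            done.append((src, start, int((ts - start).total_seconds())))
    return done
```

Sessions are matched on the program name rather than the listener's PID because the connection entries carry a different PID (133087) from the listener (120825).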