The first thing a good system admin does when he or she suspects a break-in is search for all files created or modified over the previous few days. One whiff of an intruder and a good admin would be all over Anthrax's login patch within about five minutes.

Anthrax wrote the modification and creation dates down on a bit of paper. He would need those in a moment. He also jotted down the size of the login file.

Instead of tearing out the old program and sewing in a completely new one, Anthrax decided to overlay his patch by copying it onto the top of the old program. He uploaded his own login patch, with his master password encased inside it, but he didn't install it yet. His patch was called `troj'—short for Trojan. He typed:

cat<troj>/bin/login

The cat command told the computer: `go get the data in the file called "troj" and put it in the file "/bin/login"'. He checked the piece of paper where he had scribbled down the original file's creation and modification dates, comparing them to the new patch. The creation date and size matched the original. The modification date was still wrong, but he was two-thirds of the way home.

Anthrax began to fasten down the final corner of the patch by using a little-known feature of the command:

/usr/5bin/date

Then he changed the modification date of his login patch to the original login file's date.

He stepped back to admire his work from a distance. The newly installed patch matched the original perfectly. Same size. Same creation date. Same modification date. With patch in place, he deleted the root account he had installed while visiting port 2001. Always take your garbage with you when you leave.

Now for the fun bit. Snooping around. Anthrax headed off for the email, the best way to work out what a system was used for. There were lots of reports from underlings to the three system users on buying equipment, progress reports on a certain project, updates. What was this project?