1) Pick your favorite service which is known to have exploitable versions
In this case, the exploitable service was the NFS mount daemon that ships with RedHat Linux 5.2 and earlier. Some details can be found in CERT Advisory CA-98.12. The exploit basically works by overrunning a buffer in the mountd binary in such a way as to cause the machine to execute arbitrary code of the cracker's choosing.
2) Obtain or write code to exploit the vulnerability, and hit the target with it
This is typically trivial. Script kiddies seem to like to share their tools. The tool we recovered from this breakin appears to work by creating a new server on port 10752 that just consists of a shell running as root. Once you exploit the machine, you can telnet to the port and you're root.
3) Transfer the root kit to the machine and install it
This is pretty straightforward. The root kit (anivpack in this particular case) might've been ftp'd over or scp'd over. Installation is as simple as running the kit's built-in "install" script. Although all root kits are different, this particular one creates a directory "/lib/ " into which it drops a set of scanning and exploit tools. It then proceeds to replace most of the system binaries (du, find, sshd, inetd, killall, login, ls, netstat, passwd, ps, syslogd, tcpd, and top). ls, ps, netstat, and top are specially hacked to hide the aforementioned directory and any of the servers that get installed on the machine. sshd and passwd appear to be set up to log usernames and passwords that are typed into them.
4) Start a sniffer
In addition to the nice stream of logged usernames and passwords from the trojaned servers, a password sniffer ensures continuous access to many machines on the same network as the broken box.
5) Share and enjoy
Brag on your favorite IRC channel (optional)
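The following is an added example written for this page, not a tool from the write-up or from the anivpack kit. It shows three host-side checks a responder would run against the artifacts described in steps 3 and 4: a drop directory whose name is nothing but whitespace (the "/lib/ " trick), system binaries that no longer match a known-good baseline, and a network interface left in promiscuous mode by a sniffer. The baseline manifest format, the fake root tree, and the sysfs-style flags files are assumptions constructed for the demo; on a real RedHat box the baseline is the vendor package database (`rpm -Va`), and all of this must be run from clean media, because the replaced ls, find, ps and netstat on the box itself cannot be trusted to report what is there.

```shell
#!/bin/sh
# Added example, not code from the original write-up or the root kit.

# List directories under $1 whose basename has leading or trailing whitespace
# (the "/lib/ " drop directory from step 3). read -r keeps trailing spaces.
find_whitespace_dirs() {
    find "$1" -mindepth 1 -type d | while IFS= read -r p; do
        n=${p##*/}
        if [ "$n" != "${n#[[:space:]]}" ] || [ "$n" != "${n%[[:space:]]}" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Compare files under root $2 against manifest $1 (lines: "<sha256>  <relpath>",
# the sha256sum output format). Prints MISSING/MODIFIED lines and returns 1 if
# anything differs, 0 if everything matches the baseline.
verify_manifest() {
    manifest=$1; root=$2; status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        expected=${line%% *}
        rel=${line#* }; rel=${rel# }
        f="$root/$rel"
        if [ ! -f "$f" ]; then
            printf 'MISSING  %s\n' "$f"; status=1; continue
        fi
        actual=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            printf 'MODIFIED %s\n' "$f"; status=1
        fi
    done < "$manifest"
    return $status
}

# Report interfaces whose flags word has IFF_PROMISC (0x100) set, reading
# $1/<iface>/flags. On a live modern kernel $1 is /sys/class/net; the demo
# uses a constructed directory. A sniffer like the one in step 4 normally
# needs this flag; reading sysfs bypasses a trojaned ifconfig/netstat.
promisc_interfaces() {
    for f in "$1"/*/flags; do
        [ -f "$f" ] || continue
        flags=$(cat "$f")
        if [ $(( flags & 0x100 )) -ne 0 ]; then
            d=${f%/flags}; printf '%s\n' "${d##*/}"
        fi
    done
}

# Constructed fixture: a tiny fake root with two "binaries", a baseline
# manifest taken while clean, and sysfs-style flags for lo and eth0.
# Prints the directory path.
make_clean_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/lib" "$d/net/lo" "$d/net/eth0"
    printf 'original ls\n' > "$d/bin/ls"
    printf 'original ps\n' > "$d/bin/ps"
    printf '0x9\n'    > "$d/net/lo/flags"    # UP|LOOPBACK
    printf '0x1003\n' > "$d/net/eth0/flags"  # UP|BROADCAST|MULTICAST
    ( cd "$d" && sha256sum bin/ls bin/ps > baseline.sha256 )
    printf '%s\n' "$d"
}

# Constructed fixture standing in for the artifacts of steps 3 and 4:
# a replaced ls, a whitespace-named directory, and eth0 in promiscuous mode.
tamper_tree() {
    printf 'replaced ls\n' > "$1/bin/ls"
    mkdir -p "$1/lib/ "
    printf '0x1103\n' > "$1/net/eth0/flags"  # same as above plus PROMISC
}

# Stand-alone demo: clean tree passes all checks, tampered tree is flagged.
demo=$(make_clean_tree)
verify_manifest "$demo/baseline.sha256" "$demo" && echo "clean tree: baseline OK"
tamper_tree "$demo"
echo "whitespace dirs:"; find_whitespace_dirs "$demo"
echo "promiscuous ifaces:"; promisc_interfaces "$demo/net"
verify_manifest "$demo/baseline.sha256" "$demo" || echo "tampered tree: FLAGGED"
rm -rf "$demo"
```

The manifest check only proves a file differs from the baseline you recorded; it says nothing about a box whose baseline was taken after the breakin, which is why the vendor package signatures, or a checksum list kept off the machine, are the reference that matters.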