Keeping remote root access to a compromised network - question

From: Jim Raynor (unsolved@netcabo.pt)
Date: 11/13/01


From: "Jim Raynor" <unsolved@netcabo.pt>
To: <focus-linux@securityfocus.com>
Subject: Keeping remote root access to a compromised network - question
Date: Mon, 12 Nov 2001 23:24:03 -0000
Message-ID: <MDEBIKCCDGNJGCPPHPPHIELLCBAA.unsolved@netcabo.pt>

Hi,

My question to all the members of this list is:
- What are the best ways to keep remote root access to a network (at least
one host on the network, that is) that has been compromised?

(Definition of best: most stealthy, easiest to maintain and so on....)

        This theoretical network is relatively secure, that is, everything is kept
up-to-date (patched for the latest vulnerabilities), has good security
policies (like passwords changed periodically, strong user passwords, backups
of "key" files and user junk made regularly...), a good firewall with a good
rule set, IDSs, a system integrity checker (that sends an email to the
administrator or pages him when something is wrong) - not necessarily
protecting all the important files but at least the recommended ones, ...
        Also, the administrator of this network is fairly experienced with Linux
and security but doesn't necessarily spend much time taking care of his
network.

        The network is running Sendmail, an HTTPD, an FTPD and any other
popular daemons you want it to.

Whatever,
Jim Raynor