POST 05.05

Anyhow, the last posts told you about Herman. Herman gets sent to the system, logs in as a root-level user on the server (and hides from the logging program), grabs an unused port (never the same one twice), and waits.

What is he waiting for? Well, most systems talk to other systems for various reasons. They send data back and forth. Herman's job is to wrap himself around one of those data packets, then get transferred to another system. On arrival on the other system, the Herman wrapper gets executed (run) on that system. That program is the tiny Herman requester. Herman gets transferred to that system, and sets up shop. He modifies the logging system and logging files, grabs root (administrator) access, erases the tracks of his entry into the system, sets up a port (a different number), then waits.

Herman knows how to get into other systems. But I didn't want Herman to get into every system it found. That would clog things up a bit. So each Herman had a limit on the number of systems that it would transfer to. I could contact any one of the installed Hermans (remember that Herman sent me a message telling me about his new home) and get him to find more systems. I just send Herman a special command sequence, and Herman obeys the command. Herman recognizes several commands; one of them is the 'clone' command.

Another command was the copy-and-forward packets command.

Remember that the whole point of this process is to find out where the copied data was being sent to, and, based on that information, to figure out why the data packets were being copied and where they were going.