9.12. Looking for Rootkits

Problem

You want to check for evidence that a rootkit—a program to create or exploit security holes—has been run on your system.

Solution

Use chkrootkit. Download the tarfile from http://www.chkrootkit.org, then compute its checksum and compare it with the value published on the site:

$ md5sum chkrootkit.tar.gz

unpack it:

$ tar xvzpf chkrootkit.tar.gz

build it:

$ cd chkrootkit-*
$ make sense

and run it as root:

# ./chkrootkit

More securely, run it using known-good binaries you have previously copied to a secure medium, such as CD-ROM, e.g.:

# ./chkrootkit -p /mnt/cdrom

Discussion

chkrootkit tests for the presence of certain rootkits, worms, and trojans on your system. If you suspect you’ve been hacked, this is a good first step toward confirmation and diagnosis.

chkrootkit invokes a handful of standard Linux commands. At press time they are awk, cut, egrep, find, head, id, ls, netstat, ps, strings, sed, and uname. If these programs have been compromised on your system, chkrootkit’s output cannot be trusted. So ideally, you should keep around a CD-ROM or write-protected floppy disk with these programs, and run chkrootkit with the -p option to use these known good binaries.
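The following shell functions are an added example, not code from the book or from the chkrootkit project. They tie together the Solution's steps (checksum, unpack, build, run with -p) and the list of commands just given: verify_md5 turns "verify its checksum" into an actual comparison against the value you obtained from the project site, and trusted_tools_missing checks that every command chkrootkit invokes is present as an executable on the read-only medium before you pass that medium to -p, since any tool missing there would silently fall back to the system copy you are trying to avoid. The tarball name, expected checksum and trusted directory are placeholders you supply.

```sh
#!/bin/sh
# Added example (not from the book or chkrootkit): helpers for preparing and
# running a chkrootkit check. File names, checksum and directory are placeholders.

# Commands chkrootkit invokes, as listed in the recipe's Discussion.
CHKROOTKIT_TOOLS="awk cut egrep find head id ls netstat ps strings sed uname"

# verify_md5 FILE EXPECTED: return 0 if FILE's MD5 equals EXPECTED (the value
# published for the release), 1 otherwise. Printing md5sum alone proves
# nothing; the comparison against an independently obtained value is the check.
verify_md5() {
    file=$1
    expected=$2
    actual=$(md5sum "$file" | awk '{print $1}') || return 1
    [ "$actual" = "$expected" ]
}

# trusted_tools_missing DIR: print, one per line, each tool from
# CHKROOTKIT_TOOLS that is not an executable in DIR. Run this against the
# CD-ROM or write-protected medium before using it with chkrootkit -p.
trusted_tools_missing() {
    dir=$1
    for tool in $CHKROOTKIT_TOOLS; do
        [ -x "$dir/$tool" ] || echo "$tool"
    done
}

# run_chkrootkit TARBALL EXPECTED_MD5 TRUSTED_DIR: the recipe's steps in
# order, stopping at the first failure. Must be run as root, as in the recipe.
run_chkrootkit() {
    tarball=$1
    expected=$2
    trusted=$3
    verify_md5 "$tarball" "$expected" || {
        echo "checksum mismatch for $tarball; do not unpack it" >&2
        return 1
    }
    missing=$(trusted_tools_missing "$trusted")
    if [ -n "$missing" ]; then
        echo "trusted medium $trusted lacks: $missing" >&2
        return 1
    fi
    tar xvzpf "$tarball" || return 1
    # Same unpacked directory name the recipe uses.
    (cd chkrootkit-*/ && make sense && ./chkrootkit -p "$trusted")
}

# Example invocation (placeholders):
# run_chkrootkit chkrootkit.tar.gz <md5-from-chkrootkit.org> /mnt/cdrom
```

Only the two checking functions are exercised offline; run_chkrootkit performs the real unpack, build and scan and needs the tarball and the prepared medium present.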

Be sure to use the latest version of chkrootkit, which will be aware of the most recently discovered threats.

See Also

The README file included with chkrootkit explains the tests conducted, and lists the full usage information.
