You want to check for evidence that a rootkit (a program to create or exploit security holes) has been run on your system.
Use chkrootkit. Download the tarfile from http://www.chkrootkit.org, verify its checksum:
$ md5sum chkrootkit.tar.gz
$ tar xvzpf chkrootkit.tar.gz
$ cd chkrootkit-*
$ make sense
and run it as root:
More securely, run it using known-good binaries that you have previously copied to a secure medium, such as a CD-ROM, e.g.:
# ./chkrootkit -p /mnt/cdrom
chkrootkit tests for the presence of certain rootkits, worms, and trojans on your system. If you suspect you've been hacked, this is a good first step toward confirmation and diagnosis.
chkrootkit invokes a handful of standard Linux commands. At press time they are awk, cut, egrep, find, head, id, ls, netstat, ps, strings, sed, and uname. If these programs have been compromised on your system, chkrootkit's output cannot be trusted. So ideally, you should keep around a CD-ROM or write-protected floppy disk with these programs, and run chkrootkit with the -p option to use these known good binaries.
Be sure to use the latest version of chkrootkit, which will be aware of the most recently discovered threats.
The README file included with chkrootkit explains the tests conducted, and lists the full usage information.