chkrootkit -- locally checks for signs of a rootkit

"Root Kits" and hiding files/directories/processes after a break-in, by Dave Dittrich (Draft).
Know Your Enemy: part III, "They Gain Root", by Lance Spitzner.
Rootkits: How Intruders Hide, by David Brumley.
invisible intruders: rootkits in practice, by David Brumley, published in ;login:, Special Issue: Intrusion Detection (Sept. 1999).
Recognizing and Recovering from Rootkit Attacks, by David O'Brien, published in Sys Admin 5(11) (November 1996), pp. 8-20.
Through the Looking Glass: Finding Evidence of Your Cracker, by Chris Kuethe, published in Issue 36 of Linux Gazette, January 1999.
(nearly) Complete Linux Loadable Kernel Modules -- the definitive guide for hackers, virus coders and system administrators, by pragmatic / THC, version 1.0, released 03/1999.
Attacking FreeBSD with Kernel Modules -- The System Call Approach, by pragmatic / THC, version 1.0, released 06/1999
Solaris Loadable Kernel Modules -- Attacking Solaris with loadable kernel modules, by Plasmoid / THC , version 1.0, (c) 1999.
Abuse of the Linux Kernel for Fun and Profit, by halflife, Phrack 50, April 9, 1997.
Analysis of the T0rn rootkit, by Toby Miller.
Analysis of the KNARK rootkit, by Toby Miller.
check-ps, by Duncan Simpson, is a program that is designed to detect rootkit versions of ps that fail to tell you about selected processes.
rkscan, by Stéphane Aubert, is a kernel-based module rootkit scanner for Linux. It detects Adore (v0.14, v0.2b and v0.24) and knark (v0.59).
rkdet, by Andrew Daviel, is a daemon intended to catch someone installing a rootkit or running a packet sniffer.
Widespread Compromises via "ramen" Toolkit, CERT Incident Note IN-2001-01.
Ramen Internet Worm Analysis, by Max Vision.
ramenfind, by William Stearns, is a tool to detect and remove the Ramen Worm from infected Linux machines.
Lion Worm, security advisory written by Matt Fearnow and William Stearns.
lionfind, by William Stearns, is a tool to detect the Lion Worm on infected Linux machines.
Protection Against The Lion Worm By Chris Brenton.
Adore Worm, security advisory written by Matt Fearnow and William Stearns.
adorefind, by William Stearns, is a tool to detect and remove the Adore Worm on infected Linux machines.
Carbonite v1.0, by Kevin Mandia and Keith J. Jones is a Linux Kernel Module to aid in rootkit detection.
MA-026.062001: Rootkit Attack, security advisory written by the MyCERT about rootkits.
Linux on-the-fly kernel patching without LKM, by sd and devik, Phrack 58, December 12, 2001.
Apache/mod_ssl Worm, CERT Advisory CA-2002-27.
Propagation of "Slapper" OpenSSL/Apache Worm Variants, Internet Security Systems Security Alert.
Other security related links