chkrootkit is a tool to locally check for signs of a rootkit. It contains:

• chkrootkit: a shell script that checks system binaries for
  rootkit modification.
• ifpromisc.c: checks if the network interface is in promiscuous
  mode.
• chklastlog.c: checks for lastlog deletions.
• chkwtmp.c: checks for wtmp deletions.
• check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
• chkproc.c: checks for signs of LKM trojans.
• chkdirs.c: checks for signs of LKM trojans.
• strings.c: quick and dirty strings replacement.
• chkutmp.c: checks for utmp deletions.

chkwtmp and chklastlog *try* to check for deleted entries in the wtmp and lastlog files, but it is *not* guaranteed that any modification will be detected.

Aliens tries to find sniffer logs and rootkit config files. It looks for some default file locations — so it is also not guaranteed it will succeed in all cases.

chkproc checks if /proc entries are hidden from ps and the readdir system call. This could be the indication of a LKM trojan. You can also run this command with the -v option (verbose).

(source)

chkrootkit in action: (remember you have to be root in order to run chkrootkit.)

pavs