On 4/16/06, George Toft <george@georgetoft.com> wrote:

>
> To preclude a rootkit, you can always boot the box using Knoppix, then
> mount the suspect disk and look at /etc/shadow.
>

Unless it's a kernel-mode rootkit, in which case it more than likely
wouldn't use /etc/shadow.