As an afterthought, what I would recommend, is taking a look at Zeppoo( zeppoo.net). FYI, zeppoo is 2.6 only. >From the docs: "Zeppoo allows you to detect rootkits on the i386 architecture under Linux by using /dev/kmem and /dev/mem. It can also detect hidden tasks, modules, syscalls, some corrupted symbols, and hidden connections. Anti-Rootkits which don't use these methods can be fooled easily." Also of interest, Bypassing Chkrootkit(translated): http://translate.google.com/translate?u=http%3A%2F%2Fwww.zeppoo.net%2Farticles%2FBypasserChkrootkit&langpair=fr%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools