To preclude a rootkit, you can always boot the box using Knoppix, then
mount the suspect disk and look at /etc/shadow.