Just got a notice on one of the security mailing lists (Full Disclosure I think) about this article. What's nice is that it explains how to do this without the use of chkrootkit. This is a rather important factor, IMO, since some "rootkit tools" may not be known and/or are "custom-built" jobs. I haven't personally used gdb that often (not being much of a programmer) but it definitely is a tool that can help with forensics of a compromised system.


Detecting Rootkits And Kernel-level Compromises In Linux
by Mariusz Burdach November 18, 2004

This article outlines useful ways of detecting hidden modifications to a Linux kernel. Often known as rootkits, these stealthy types of malware are installed in the kernel and require special techniques by incident handlers and Linux system administrators to be detected.

http://www.securityfocus.com/infocus/1811