14. Check for a rootkit --- again

Check for a rootkit again. Given that you have now booted from clean media and mounted the hacked system's disk as a slave (or mounted a low-level dump), we are no longer looking for suspicious processes, connections or traffic; we focus on the filesystem. This time we have no potentially-wrapped/intercepted system-calls to worry about so can have more confidence in the results:

• verify all files, by using MD5 checksums, against your local database, or via the the Solaris Fingerprint Database, or similar, or, if you don't have an MD5 database available, against another (clean) machine at the same patch-level.
  
  
• given the approximate date of the intrusion, use find and/or ls -lR, again, to check for recent changes to files;
  
  
• retry chkrootkit and rkhunter — assuming the hacked disk is mounted at /mnt/hacked, then

          chkrootkit -r /mnt/hacked
          rkhunter --rootdir /mnt/hacked