Comments on comments
@Adam Williamson
Did so on the Debian boxes, all machines are updated regularly. We found the rootkit on a few up to date Redhat 5 boxes. I do not think the two are related.
@Richard Hebert
You probably want to download rkhunter and chkrootkit from the noted sites. There is no guarantee that any given distro is up to date or has not modified the package. I used the two programs built from source downloaded from the noted web sites. I did detect Phalanx successfully.
@Colin Wilson
Yes and no. Linux doesn't suffer from a registry, but there's no reason why a rootkit cannot be used to patch standard binaries. So maybe one uses tripwire or some such and can detect this. Problem is that no Linux distro that I've ever seen installs and runs tripwire by default.
@Peter Gathercole
Good rules and I in fact use them all. Linux being multi-user it's hard to enforce them across the board. Couple that with known exploits and something like a rootkit is going to succeed occasionally anyway.
"Lazy Admins"
1) I don't know that this is entirely fair, or at least not all the time. The RH5 boxes I found the rootkit on were fully patched, their admin had yum running update as a daily cron job. There was no "unpatched openssl or weak Debian keys" and the kernel was also current.
2) So, what should we do: regularly delete all the users' keys, force them to recreate the keys, and change the system's keys? Basically that would break so much functionality that they might as well use Windows. IMHO, that's not a vigilant admin, that's a fascist admin.
3) Accounts will get compromised whether they are on a Windows, Mac or Linux box, offering an entry for the black hats. The means of subverting an account are numerous and not all involve software weaknesses - you'll have heard of social engineering and the ubiquitous sticky note?
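The tripwire remark above (a rootkit can patch standard binaries, so compare them against a known-good baseline) in a minimal form, as an added example that is not part of this thread and is not tripwire's or rkhunter's code. The binaries tree, file names and contents are constructed in a temporary directory purely for the demonstration; the `build_baseline`, `compare` and `demo` functions are this example's own.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        # Symlinks are skipped: a link swapped to point elsewhere would otherwise
        # be hashed as the target rather than reported as a changed entry.
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Report what changed between a stored baseline and a fresh scan."""
    common = old.keys() & new.keys()
    return {
        "modified": sorted(k for k in common if old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def demo() -> dict:
    """Constructed scenario: a fake bin/ tree, a baseline, then tampering with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        # Constructed stand-ins for system binaries (not real ELF files).
        (root / "bin" / "ls").write_bytes(b"ELF\x00original ls")
        (root / "bin" / "ps").write_bytes(b"ELF\x00original ps")
        (root / "bin" / "netstat").write_bytes(b"ELF\x00original netstat")

        # The baseline would normally be kept off-box or on read-only media;
        # a JSON string stands in for that here.
        saved = json.dumps(build_baseline(root))

        # Constructed tampering: one binary altered, one added, one removed.
        (root / "bin" / "ps").write_bytes(b"ELF\x00altered ps")
        (root / "bin" / "extra").write_bytes(b"ELF\x00unexpected file")
        (root / "bin" / "netstat").unlink()

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the environment it runs in: if the kernel itself has been modified, the `open`/`read` calls this script relies on can be lied to, which is why a baseline should be taken before the box goes live and why a comparison is best run from trusted boot media rather than from the suspect system.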