by javajosh 4952 days ago
I looked at your script at https://github.com/pschlump/linux-rootkit-expunger/blob/mast... and you're just doing a simple file read of /etc/rc.local. This will not work as the rootkit hides itself.

I suggest you do not claim that your removal tool works until you have tested it successfully. This is true for all software, but is even more critical for something like this, since a false sense of security is actually far worse than just being infected.


Actually, this may be a way of detecting it. If you ls -l rc.local, ls should read the file size out of its inode (i.e., not by reading the file itself). Which means that saving the buffer you get while reading rc.local in vim to another file will create a file with a different size than the real rc.local.
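The inode-size versus read-size comparison described in the reply above, written out as a small checker. This is an added example, not code from the thread or from the linked expunger project; the function names, the chunked read loop and the sample file content are assumptions made here for illustration.

```python
"""Compare the size a file's inode reports with the bytes a normal read() returns.

Added example, not code from the thread or from the linked project. The idea
follows the reply above: `ls -l` takes the size from stat(2) metadata, while an
editor or a removal script sees whatever read() hands back. If the two
disagree on a regular file, something between the kernel and the reader is
altering the data stream, which is worth flagging.
"""
import os
import tempfile


def size_report(path):
    """Return (inode_size, bytes_read) for one file.

    inode_size is st_size from stat(2); bytes_read is the total a plain
    read() loop delivers, which is what saving a vim buffer elsewhere would
    write out.
    """
    st = os.stat(path)
    total = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(65536)
            if not chunk:
                break
            total += len(chunk)
    return st.st_size, total


def size_mismatch(path):
    """True when the inode size and the readable byte count disagree.

    Caveat: pseudo-filesystems such as /proc and /sys legitimately report
    st_size 0 for files that still yield content, so a scanner should skip
    those mounts rather than treat every discrepancy there as suspicious.
    """
    inode_size, read_size = size_report(path)
    return inode_size != read_size


def check_paths(paths):
    """Map each regular file to (inode_size, bytes_read, mismatch).

    Paths that do not exist or are not regular files are skipped so the
    caller can hand in a fixed watch list such as ["/etc/rc.local"].
    """
    results = {}
    for p in paths:
        if not os.path.isfile(p):
            continue
        inode_size, read_size = size_report(p)
        results[p] = (inode_size, read_size, inode_size != read_size)
    return results


def _demo():
    # Constructed sample: an ordinary file on a normal filesystem shows no
    # discrepancy, which is the baseline a checker should see.
    with tempfile.NamedTemporaryFile("wb", delete=False) as tmp:
        tmp.write(b"#!/bin/sh\nexit 0\n")
        sample = tmp.name
    try:
        print(sample, size_report(sample), size_mismatch(sample))
    finally:
        os.unlink(sample)


if __name__ == "__main__":
    _demo()
```

Run it against a watch list of startup files on a host you suspect; a `True` in the third tuple slot means the inode and the read path disagree and the file deserves a look from a clean boot medium, where the kernel on the suspect system is not in the loop at all.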