I don't advise running for long... but... write yourself a script like this for starters...
#!/bin/bash
# rpm -V prints only the files that differ from what the package database
# recorded (size, mode, digest, owner, mtime ...), so a clean package is silent.
for R in $(rpm -qa)
do
    echo "Checking package $R"
    rpm -V "$R"
done
If you boot off a rescue disk (say the FC3 one) then you can use the rpm --dbpath option to use a trusted RPM running on a trusted kernel against your on-disk database.
Note that in recent RH you can also install an RPM database of the *distribution* and verify against that. This catches the instance where the rootkit updated RPM.
Also, dropping chkrootkit on the CD is very worthwhile.
Don't forget to reinstall the grub bootloader after checking grub is OK; you don't want to be booting off a hidden compromised kernel from a compromised bootloader.
And the above is the problem I have with the "recover the machine" approach. You've got to be smarter than the rootkit author. And since your machine *was* compromised, you're probably not.
Buying another disk, installing a supported OS (say CentOS or FC), and copying the data and audited configurations can be done even by the most sleep-deprived sysadmin.
Cheers,
Glen
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
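The following is an added example, not code from Glen's post or from the SLUG list. It fleshes out the verification loop for the rescue-disk scenario described above: the suspect filesystem is assumed to be mounted read-only under a path given as the first argument (say /mnt/sysimage), the rescue system's own rpm is pointed at that tree with --root (which resolves both the on-disk database and the file paths under the mount, where the post's --dbpath only relocates the database), and the rpm -V output is sorted so that expected config-file drift and mtime-only noise do not bury the lines that matter on a possibly rootkitted box: a regular file whose size, mode, digest or symlink target changed, or a file that is missing altogether. The line parser and the sample rpm -V lines are constructed for this example.

```shell
#!/bin/bash
# Added example (not from the original post). Verifies every package of a
# suspect root mounted under a rescue environment and separates noise from
# findings worth a second look.
#
# rpm -V prints one line per differing file, for example (constructed):
#   "S.5....T.  c /etc/ssh/sshd_config"   flags, attribute letter, path
#   "..5......    /usr/bin/ls"            flags, no attribute, path
#   "missing     /usr/sbin/foo"
# Flag columns: S size, M mode, 5 digest, D device, L link, U user, G group,
# T mtime (and P capabilities on newer rpm); "." means unchanged.

# classify_rpmv_line LINE -> prints one of: missing | config | suspect | ok
classify_rpmv_line() {
    local line flags rest attr
    line=$1
    case "$line" in
        missing*) echo missing; return 0 ;;
    esac
    flags=${line%%[[:space:]]*}               # leading run of flag characters
    rest=${line#"$flags"}
    rest=${rest#"${rest%%[![:space:]]*}"}     # drop the separating blanks
    attr=
    case "$rest" in
        [a-zA-Z][[:space:]]*) attr=${rest%%[[:space:]]*} ;;   # c config, d doc, ...
    esac
    if [ "$attr" = c ]; then
        echo config            # a live box always has edited config files
        return 0
    fi
    # Size, mode, digest or link target of a regular file changed: that is what
    # a replaced binary looks like. Owner/mtime-only changes are left as "ok".
    case "$flags" in
        S*|?M*|??5*|????L*) echo suspect ;;
        *)                  echo ok ;;
    esac
}

# verify_suspect_root MOUNT -> prints "<class> <package> <rpm -V line>" for
# every missing or suspect file found under MOUNT. Assumes the usual
# var/lib/rpm database exists below the mount point (assumption).
verify_suspect_root() {
    local root pkg line class
    root=$1
    rpm --root "$root" -qa | while IFS= read -r pkg; do
        # rpm -V exits non-zero whenever anything differs; that is expected here.
        rpm --root "$root" -V "$pkg" 2>/dev/null | while IFS= read -r line; do
            class=$(classify_rpmv_line "$line")
            case "$class" in
                missing|suspect) printf '%s %s %s\n' "$class" "$pkg" "$line" ;;
            esac
        done
    done
}

# Run only when a mount point is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    verify_suspect_root "$1"
fi
```

Running it as `./verify-suspect.sh /mnt/sysimage` from the rescue kernel lists only the lines a sysadmin has to look at; pairing that with a clean distribution database, as the post suggests, also covers the case where rpm itself was replaced, since the rescue system's rpm and its packaged digests are the trusted side of the comparison.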
