What can confirm a root compromise?

• files with unauthorized changes by root
• unauthorized new files owned by root
• unauthorized processes running as root
• unauthorized network usage associated with root
  • lsof and netstat for ports listened to, connections
  • nmap for remote checking of ports listened to
  • tcpdump or snoop to view current network traffic
• logs may show that one of these occurred previously