What can confirm a root compromise?
- existing files changed by root without authorization
- new files owned by root that were not authorized
- processes running as root that were not authorized
- network activity associated with root that was not authorized
  - lsof and netstat to list listening ports and active connections
  - nmap to check listening ports from a remote host
  - tcpdump or snoop to inspect current network traffic
- system logs, which may show that one of the above occurred earlier