Thanks Vladimir,

I suppose I could pull the necessary files from busybox as a means of keeping a 
more generic Linux system in security trim. This might be a useful tool set to 
suggest upstream. A statically linked less would allow a quick check for the 
hidden user. A statically linked chkrootkit would find the bad file size for the 
affected glib libraries.

{^_^}   Joanne

On 2016-09-07 03:36, Vladimir Mosgalin wrote:
> Hi jdow!
>
>  On 2016.09.06 at 23:15:04 -0700, jdow wrote next:
>
>> Is there any source for a VI, VIM, or even EMACS that has all libraries
>> compiled into it statically? That would make monitoring for the rootkit much
>> easier. The same could be said for utilities such as chkrootkit. With
>> compiled in static libraries these level three (user space) rootkits can't
>> edit the results you get, as easily. (Any file system components in user
>> space would also have to be statically linked.)
>
> Busybox would work. It's usually build statically (either that, or it's
> easy to make that kind of build) and includes vi clone. Very poor man's
> vi, just like other busybox utilities, but nevertheless. Current version
> supports some neat stuff like autoindent and undo.
>