Thanks Vladimir,

I suppose I could pull the necessary files from busybox as a means of keeping a more generic Linux system in security trim. This might be a useful tool set to suggest upstream. A statically linked less would allow a quick check for the hidden user. A statically linked chkrootkit would find the bad file size for the affected glib libraries.

{^_^} Joanne

On 2016-09-07 03:36, Vladimir Mosgalin wrote:
> Hi jdow!
>
> On 2016.09.06 at 23:15:04 -0700, jdow wrote next:
>
>> Is there any source for a VI, VIM, or even EMACS that has all libraries
>> compiled into it statically? That would make monitoring for the rootkit much
>> easier. The same could be said for utilities such as chkrootkit. With
>> compiled in static libraries these level three (user space) rootkits can't
>> edit the results you get, as easily. (Any file system components in user
>> space would also have to be statically linked.)
>
> Busybox would work. It's usually built statically (either that, or it's
> easy to make that kind of build) and includes vi clone. Very poor man's
> vi, just like other busybox utilities, but nevertheless. Current version
> supports some neat stuff like autoindent and undo.
>
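
A check that goes with the static-tools idea in this thread, as an added example that is not part of the original messages: before trusting a busybox, less or chkrootkit build as "static", confirm from its ELF program headers that it does not request the runtime loader. The function names and the constructed sample images are assumptions made for the illustration.

```python
import struct
import sys

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3

def elf_linkage(data: bytes) -> str:
    """Classify an ELF image by the program headers that involve the runtime loader."""
    if data[:4] != b"\x7fELF" or len(data) < 6 or data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("not a recognisable ELF image")
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    try:
        if data[4] == 2:                 # ELFCLASS64 header layout
            (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
            e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        else:                            # ELFCLASS32 header layout
            (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
            e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        # p_type is the first 32-bit field of every program header entry.
        types = {struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0]
                 for i in range(e_phnum)}
    except struct.error as exc:
        raise ValueError("truncated ELF image") from exc
    if PT_INTERP in types:
        # The kernel starts ld.so first, so preloaded user-space libraries apply.
        return "dynamic"
    if PT_DYNAMIC in types:
        # No interpreter requested, but a dynamic section exists.
        return "static-pie or shared object"
    return "static"

def sample_elf64(seg_types):
    """Constructed sample: minimal little-endian ELF64 header plus bare program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                                 64, 56, len(seg_types), 0, 0, 0)
    return header + b"".join(struct.pack("<I", t) + bytes(52) for t in seg_types)

if __name__ == "__main__":
    # Usage: python3 elf_linkage.py /path/to/busybox /path/to/less
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, elf_linkage(fh.read()))
```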