Andrew Case has written a great blog post in which he analyzes the Linux rootkit Phalanx2 with Volatility.

He explains all the common steps:

  • Dump the memory with LiME.
  • List hidden processes.
  • File descriptors opened by the hidden process (open sockets!).
  • Network connections.
  • Hooked system calls.
  • Recover

At the end of the post, Andrew Case performs a complete forensic analysis of the kernel modules and the binaries used to inject the rootkit.
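
The two detection steps in that list, "list hidden processes" and "hooked system calls", both rest on one idea: compare several kernel data structures that should agree and flag where they do not. The script below is an added example written for this page; it is not code from Andrew Case's post and not Volatility's own plugin code (Volatility's linux_psxview and linux_check_syscall do the real work against a memory image). The process views, the syscall table entries and the kernel text range are all constructed sample values chosen to show the disagreement a rootkit leaves behind.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str


# --- hidden process cross-view ----------------------------------------
# Constructed sample views (not real memory-image output). A rootkit that
# unlinks its task from the kernel task list still leaves traces in the
# pid hash table and the task_struct slab cache, so the views disagree.
VIEWS = {
    "pslist":     [Proc(1, "init"), Proc(512, "sshd"), Proc(777, "bash")],
    "pid_hash":   [Proc(1, "init"), Proc(512, "sshd"), Proc(777, "bash"),
                   Proc(1337, "ph2")],
    "kmem_cache": [Proc(1, "init"), Proc(512, "sshd"), Proc(777, "bash"),
                   Proc(1337, "ph2")],
}


def find_hidden_processes(views):
    """Return {proc: [views that do NOT list it]} for every process seen in
    at least one view but absent from another. An empty dict means all
    views agree. On a live system a process that exited between two plugin
    runs would also land here; on a static image that cannot happen."""
    everything = set()
    for procs in views.values():
        everything.update(procs)
    report = {}
    for proc in sorted(everything, key=lambda p: p.pid):
        missing = sorted(name for name, procs in views.items() if proc not in procs)
        if missing:
            report[proc] = missing
    return report


# --- syscall table hooks ------------------------------------------------
# Constructed address layout (an assumption for this example, not from the
# post): core kernel text occupies [KTEXT_START, KTEXT_END); loadable
# modules are mapped elsewhere, so a table entry pointing outside that
# range is a handler the kernel did not ship with.
KTEXT_START = 0xffffffff81000000
KTEXT_END = 0xffffffff81800000
SYSCALL_NAMES = {0: "read", 1: "write", 2: "open", 78: "getdents"}
SYSCALL_TABLE = {
    0: 0xffffffff81210a30,
    1: 0xffffffff81210b40,
    2: 0xffffffffa0012340,    # constructed: points into module address space
    78: 0xffffffffa0012890,   # constructed: same module, directory listing
}


def find_hooked_syscalls(table, text_start=KTEXT_START, text_end=KTEXT_END,
                         names=SYSCALL_NAMES):
    """Return (nr, name, addr) for every syscall table entry whose handler
    lies outside core kernel text, in ascending syscall number order."""
    hooked = []
    for nr, addr in sorted(table.items()):
        if not (text_start <= addr < text_end):
            hooked.append((nr, names.get(nr, f"sys_{nr}"), addr))
    return hooked


if __name__ == "__main__":
    for proc, missing in find_hidden_processes(VIEWS).items():
        print(f"hidden: pid={proc.pid} comm={proc.comm} "
              f"missing from {', '.join(missing)}")
    for nr, name, addr in find_hooked_syscalls(SYSCALL_TABLE):
        print(f"hooked: syscall {nr} ({name}) -> {addr:#x}")
```

Two caveats a practitioner should keep in mind. The process check is only as good as the number of independent views it consumes; Volatility's linux_psxview consults more sources than the three shown here, and a process present in every view is still not proven clean. The syscall check catches replaced table entries but not inline patches inside a genuine handler, so a clean table is necessary rather than sufficient, which is why the post goes on to examine the loaded kernel modules as well.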