
FKit Rootkit (FucKit)


IMPORTANT: The installation script of this rootkit does not reset the timestamps of the files it replaces, so you can check the last-modified date of files to detect file replacement.

Symptoms


  • Some commands may give segmentation faults, especially netstat and ps
  • Some commands may give this error:
    error while loading shared libraries: libproc.so.2.0.7
  • It is possible that you never get any of the above errors. :(

    Confirm the presence of FKit

  • Look for /dev/proc/fuckit
  • Look for /usr/lib/libcps.a
  • Look for /usr/lib/libtty.a

    OK, I think that is enough evidence.

    Full FKit Fingerprints

    Advanced users click here to see full installation script of FKit rootkit
    click here to see the list of files included in this original rootkit
    It replaces these command files:
    /bin/ps
    /bin/netstat
    /sbin/init

    FKit adds these command files:
    /usr/bin/pgrep
    /usr/bin/pkill
    /usr/bin/skill
    /usr/bin/snice
    /usr/bin/top
    /usr/bin/w
    /usr/bin/watch

    It adds these files too:
    /lib/libproc.so.2.0.7
    /usr/lib/libcps.a
    /usr/lib/libtty.a
    The backdoor scanner and other tools are in these directories:
    /dev/proc/toolz
    /dev/proc/toolz/scans
    /dev/proc/toolz/sploits
    /dev/proc/fuckit
    /dev/proc/fuckit/config
    /dev/proc/fuckit/system-bins

    The rootkit uses an SSH daemon backdoor (SSH-1.99-OPENSSH_3.3p1), which by default listens on port 1984 for connections.

    The configuration files are in /dev/proc/fuckit/config/
    One can configure the rootkit manually or use a tool for this: "/dev/proc/fuckit/config/rkconf"

    "/dev/proc/fuckit/config/lports" - contains the listening ports not to be shown in netstat.
    "/dev/proc/fuckit/config/rports" - contains hidden remote ports you are often connecting to
    "/dev/proc/fuckit/config/progs" - program names not to be shown in `ps' and `top'
    "/dev/proc/fuckit/config/password" - backdoor password

    The SSH backdoor config file is: /usr/lib/libcps.a
    /dev/proc/fuckit/hax0r (that is the SSH backdoor)
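
    The file checks described on this page, collected into a shell script as an added example (it is not part of the original page or of the rootkit's files). The ROOT argument, the script name in the usage comment and the 30-day default window are assumptions; the script relies on shell tests and find only, because ps and netstat on an infected host are replaced.

```shell
#!/bin/sh
# Added example: file-based FKit check using only the paths listed on this page.
# ROOT is an assumption: "/" for the live system, or the mount point of a disk image.

# Paths the page gives as evidence of FKit.
FKIT_MARKERS="/dev/proc/fuckit /dev/proc/fuckit/config /dev/proc/fuckit/hax0r
/dev/proc/toolz /usr/lib/libcps.a /usr/lib/libtty.a"

# Files the page says are replaced or added. Legitimate copies of these exist on
# clean systems, so only their modification time is examined.
FKIT_BINS="/bin/ps /bin/netstat /sbin/init /usr/bin/pgrep /usr/bin/pkill
/usr/bin/skill /usr/bin/snice /usr/bin/top /usr/bin/w /usr/bin/watch
/lib/libproc.so.2.0.7"

# Print every marker path that exists under ROOT; exit status is 1 if any was found.
fkit_markers() {
    root=${1%/} found=0
    for p in $FKIT_MARKERS; do
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "$p"
            found=1
        fi
    done
    return $found
}

# Print the listed files under ROOT that were modified within the last DAYS days.
# The installer does not reset timestamps, so replaced files show up here.
fkit_recent_bins() {
    root=${1%/} days=$2
    for p in $FKIT_BINS; do
        [ -f "$root$p" ] || continue
        find "$root$p" -prune -mtime "-$days" -exec echo "$p" \;
    done
}

# Usage (script name is hypothetical): sh fkit_check.sh ROOT [DAYS]
if [ $# -gt 0 ]; then
    fkit_markers "$1" || echo "^ FKit marker paths present" >&2
    fkit_recent_bins "$1" "${2:-30}"
fi
```

    A recently modified file from the second check is only a lead: compare it against the distribution package or a known-good copy before drawing conclusions.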

    All trade marks are property of respective owners
    All rights reserved 2003-2007, Openpages.info, Multan, Pakistan