: Run strings to find embedded keys, URLs, or file paths that the rootkit might be protecting or communicating with. 3. Bypass the Stealth

: Use lsmod to list all currently loaded kernel modules.

. To an outsider, it looked like a corrupted file name from a defunct server. To Elias, it was a ghost from his past.