Mostly when I suspect that there is rootkit presence on Linux, I run chkrootkit. I am sure mostly all admins prefer the same or summer other tools like rkhunter. Yesterday just of curiosity when I checked the chkrrootkit script I saw that it would check for the default locations where the rootkit infects. A serious attacker will completely re-engineer the code and I am sure these tools will not throw out an error. I believe that the speed with which it scans out the output is because of this.