22. MD5 and Fingerprint Database

A simple and powerful way to determine whether executable binaries, scripts, or libraries have been trojanned is to maintain and use an MD5 checksum database. Several popular utilities implement this idea, including Tripwire (commercial software), AIDE and Cheesewire; inode values can also be usefully stored alongside the checksums.

Usage is simple: update the database each time the system is patched; copy the database to a remote, secure location (or burn it to CD-R); periodically compare the MD5 values (and inode values) of installed files against those in the database, or check after a suspected intrusion. Differences from the database indicate trojanned files. For the most reliable results, mount the suspect filesystem as a slave (secondary) disk after booting from clean media.
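The build-and-compare procedure above as a small POSIX shell script; this is an added example, not code from the page or from any of the tools it names. It assumes GNU `md5sum` and `stat -c` are available, and records both the MD5 and the inode so that a file replaced by an identical copy (same content, new inode) is still reported.

```shell
#!/bin/sh
# Checksum-plus-inode database: build it on a clean system, then verify.
# Assumes GNU coreutils (md5sum, stat -c). Paths are stored as found under
# DIR, so run both functions from the same working directory.

# build_db DIR DBFILE: write one "md5 inode path" line per regular file.
build_db() {
    dir="$1"; db="$2"
    find "$dir" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(md5sum "$f" | cut -d' ' -f1)
        ino=$(stat -c %i "$f")
        printf '%s %s %s\n' "$sum" "$ino" "$f"
    done > "$db"
}

# verify_db DIR DBFILE: print one line per discrepancy (CHANGED, INODE,
# MISSING, NEW); prints nothing when the tree matches the database.
verify_db() {
    dir="$1"; db="$2"
    # Files recorded in the database: content changed, inode changed, gone.
    while read -r sum ino f; do
        if [ ! -f "$f" ]; then
            printf 'MISSING %s\n' "$f"
            continue
        fi
        cur=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            printf 'CHANGED %s\n' "$f"
        elif [ "$(stat -c %i "$f")" != "$ino" ]; then
            printf 'INODE %s\n' "$f"   # same content, different file object
        fi
    done < "$db"
    # Files present now that the database never saw.
    find "$dir" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        cut -d' ' -f3- "$db" | grep -qxF -- "$f" || printf 'NEW %s\n' "$f"
    done
}
```

Run `build_db /usr/local/bin /media/cdrom/db` (or a similar read-only location) after patching, and `verify_db /usr/local/bin /media/cdrom/db` when checking; an INODE line means the content matched but the file was recreated rather than edited in place.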

About this document:

Produced from the SGML: /home/umits/public_html/_unix_security/_reml_grp/diagnostic_forensic_tools.reml
On: 23/10/2005 at 13:29:12
Options: reml2 -i noindex -l long -o html -p multiple