Just figured I might add a little direction to this.

1. If it's a production system that impacts several users/customers, your best bet would be to rebuild the system from scratch, not from an image. Yes, it takes time, but investigating it will likely take longer. As you previously mentioned, the folk(s) that were in charge of the system are no longer in that capacity, which (depending on their "craftiness") could have left an intentional (or not) exploit now plaguing you.

2. If you're intent on finding a root cause, you will probably need to spend quite a bit of time and caution investigating the said system. As soon as there's mention of a "rootkit", everything is suspect, i.e. ls might not be ls, df may not be df. Might be worth adding the volume to a known good system, mounting it and comparing the image/structure and said files. But of course, as I mentioned above, if it's a critical system then you're kind of stuck with an aggressive timeline so...

Obviously an IDP will mask the issue, but won't fix it.

Good luck

-Joe Blanchard
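The offline comparison Joe describes (suspect volume mounted read-only on a known-good box, its ls/df/etc. checked against trusted copies), as an added example that is not part of the original post. It assumes two mount points (a suspect root and a reference root) and a binary list of its own choosing; the sample trees it builds are constructed, not real images, and the tool deliberately never executes anything from the suspect volume.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Paths to check, relative to each root. ls and df come from the post; the rest
# are an assumption about what a responder would also want to compare.
DEFAULT_BINARIES = ["bin/ls", "bin/df", "bin/ps", "bin/netstat", "usr/bin/find"]

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def describe(root, rel):
    """Metadata for one path under a root; lstat so a planted symlink is seen as such."""
    p = Path(root) / rel
    try:
        st = p.lstat()
    except FileNotFoundError:
        return None
    if stat.S_ISLNK(st.st_mode):
        return {"type": "symlink", "target": os.readlink(p)}
    return {"type": "file", "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size, "sha256": sha256_of(p)}

def compare_roots(suspect_root, reference_root, binaries=DEFAULT_BINARIES):
    """Return {relpath: reason} for every entry that does not match the known-good copy."""
    findings = {}
    for rel in binaries:
        s, r = describe(suspect_root, rel), describe(reference_root, rel)
        if r is None:
            findings[rel] = "no reference copy; compare manually"
        elif s is None:
            findings[rel] = "missing on suspect volume"
        elif s != r:
            keys = sorted(k for k in set(s) | set(r) if s.get(k) != r.get(k))
            findings[rel] = "differs in " + ", ".join(keys)
    return findings

def build_sample():
    """Constructed sample trees: a reference root and a suspect root whose ls was altered."""
    ref, sus = Path(tempfile.mkdtemp(prefix="ref_")), Path(tempfile.mkdtemp(prefix="sus_"))
    for root in (ref, sus):
        (root / "usr" / "bin").mkdir(parents=True)
        (root / "bin").mkdir()
        for rel in ("bin/df", "bin/ps", "usr/bin/find"):
            (root / rel).write_bytes(b"#!/bin/sh\necho " + rel.encode() + b"\n")
            (root / rel).chmod(0o755)
    (ref / "bin/ls").write_bytes(b"#!/bin/sh\necho ls\n"); (ref / "bin/ls").chmod(0o755)
    (sus / "bin/ls").write_bytes(b"#!/bin/sh\necho ls\n# changed\n"); (sus / "bin/ls").chmod(0o700)
    (ref / "bin/netstat").symlink_to("ss")  # present on the reference, absent on the suspect
    return str(sus), str(ref)

if __name__ == "__main__":
    suspect, reference = build_sample()
    for rel, why in sorted(compare_roots(suspect, reference).items()):
        print(f"{rel}: {why}")
```

A clean result only says the listed files match the reference; a kernel-level rootkit or a modified file outside the list still needs the fuller image comparison Joe mentions.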