The article claims this exploit leaves no trace, but what about Linux atimes (assuming you don't have noatime set)? E.g. if you found multiple shell scripts with similar access times when you know you haven't worked on them at the same time. If this is a workable method of detection then it would be a good idea to avoid accessing any potentially affected files until you have recorded full access times.
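The check suggested in this comment, sketched as an added example that is not part of the original comment or the article: it records atimes with `lstat()` only, so the files themselves are never opened, and reports groups of scripts whose access times fall close together. The `.sh` suffix filter, the 5-second window and the minimum group size of 3 are assumptions chosen for illustration.

```python
import os
import sys
from datetime import datetime, timezone

WINDOW_SECONDS = 5   # assumed: atimes this close together count as one burst
MIN_CLUSTER = 3      # assumed: smallest burst worth reporting


def snapshot_atimes(root, suffixes=(".sh",)):
    """Record (atime, path) for matching files using lstat() only.

    lstat() reads inode metadata and does not update the file's atime;
    opening or reading the file would. Listing directories may still touch
    the directories' own atimes, which are not recorded here.
    """
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(suffixes):
                path = os.path.join(dirpath, name)
                try:
                    records.append((os.lstat(path).st_atime, path))
                except OSError:
                    continue  # vanished or unreadable; skip it
    return sorted(records)


def find_bursts(records, window=WINDOW_SECONDS, min_cluster=MIN_CLUSTER):
    """Group sorted records whose consecutive atimes differ by <= window."""
    bursts, current = [], []
    for rec in records:
        if current and rec[0] - current[-1][0] > window:
            if len(current) >= min_cluster:
                bursts.append(current)
            current = []
        current.append(rec)
    if len(current) >= min_cluster:
        bursts.append(current)
    return bursts


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    # With relatime (the usual Linux default) atime is only refreshed when it
    # is not newer than mtime/ctime or is more than 24 hours old.
    for burst in find_bursts(snapshot_atimes(root)):
        print(f"{len(burst)} files accessed within {WINDOW_SECONDS}s of each other:")
        for atime, path in burst:
            stamp = datetime.fromtimestamp(atime, timezone.utc).isoformat()
            print(f"  {stamp}  {path}")
```

Save the snapshot output somewhere off the affected filesystem before reading any of the listed files, since opening them can overwrite the evidence.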