LinuxCommandLibrary

chkdupexe

Check for duplicate executables in search path

SYNOPSIS

`chkdupexe` is a small Perl script that was shipped with the util-linux package. It scans the directories listed in the PATH environment variable and reports executables that appear under the same name in more than one of them, together with dangling symbolic links. It is not part of `chkrootkit` and is not run by it: `chkrootkit -l` prints that tool's own list of tests, and `chkdupexe` is not among them.

It takes no options and no arguments:
`chkdupexe`

Because it reads PATH from the invoking shell, the result depends on who runs it and with which environment. To audit a specific search path from any account, prefix it explicitly:
`PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin chkdupexe`

PARAMETERS

`chkdupexe` accepts no command-line options. Its only input is the environment:

PATH
    The colon-separated list of directories to scan, in search order. Directories that do not exist are skipped. Run the script under the account whose search path you want checked, or set PATH explicitly for the invocation as shown in the synopsis.

The options sometimes quoted with this command (`-q`, `-x`, `-e`, `-l`) belong to `chkrootkit`: `-q` is quiet mode, `-x` is expert mode (raw output of the underlying commands), `-e` excludes known false-positive files and directories, and `-l` lists the tests `chkrootkit` knows. None of them affects `chkdupexe`, which `chkrootkit` does not run.

DESCRIPTION

`chkdupexe` walks every directory named in PATH, collects the executable files it finds by basename, and prints each name that occurs in more than one directory along with the directories involved. It also prints symbolic links whose targets no longer exist. It does not compare inode numbers or file contents and has no notion of rootkits; it is a housekeeping aid for finding the same program installed twice (a distribution package plus a `/usr/local` build, for instance) and for cleaning up stale links. Its output is still worth reading from a security standpoint: the shell executes the first match in PATH order, so a second `ls`, `ps`, `netstat` or `sudo` that sits earlier in the path than the system copy is exactly the situation in which a planted binary shadows the real one. An unexplained duplicate should be followed up with `cmp` or `sha256sum` against the known-good copy and with the package manager's verification (`rpm -V`, `debsums`), which checks the installed file against recorded hashes.

CAVEATS

Availability: the script was dropped from util-linux years ago and most current distributions no longer ship it. The same check takes a few lines of shell, Perl or Python.

Name Only: two entries with the same name may be the same file reached through a hard link or symlink, a byte-identical copy, or an entirely different program. `chkdupexe` reports all three the same way, so every hit needs a manual comparison of inodes or checksums before it means anything.

False Positives: most reported duplicates are benign. Typical sources are a tool installed both from a package and from source, compatibility wrappers, and merged-`/usr` systems where `/bin` is a symlink to `/usr/bin`: if PATH lists both, every executable is reported twice.

Limited Scope: it sees only the directories in PATH of the user running it. A binary replaced in place (a trojaned `/bin/ls` with no second copy anywhere) produces no duplicate, and anything hidden outside PATH, in kernel space or in a preloaded library is invisible to it.

ROLE IN ROOTKIT DETECTION

`chkdupexe` is not a rootkit detector, but its report covers one narrow and common post-compromise pattern: an attacker drops a modified `ls`, `ps`, `netstat` or `sudo` into a directory that precedes the system directory in PATH (`/usr/local/bin`, `/usr/local/sbin`, or a writable directory added to PATH) rather than overwriting the original, so that casual inspection of `/bin` still looks clean while shells run the planted copy. A duplicate that appears earlier in PATH than the distribution's copy and has different content is the signature of that technique. The complementary case, a binary replaced in its normal location, leaves no duplicate and has to be caught by comparing files against known-good hashes with package verification or a file integrity monitor such as AIDE, or with `chkrootkit` and `rkhunter`, which check known binaries for rootkit signatures.

HOW IT WORKS (SIMPLIFIED)

The script splits PATH on colons and, for each directory that exists, lists its entries and keeps the regular files with an execute bit set. It records, for every basename, the directories in which it was seen, and separately notes symbolic links whose target cannot be resolved. When the walk is finished it prints each name recorded in more than one directory with the list of those directories, then the dangling links. That is the whole algorithm: no inode check, no checksum, no comparison with package metadata. A security-minded reimplementation keeps the walk but classifies each duplicate relative to the first match in PATH order, since that is the one the shell would run, by comparing device and inode numbers (same file) and then a content hash (identical copy versus different program).
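The walk and classification described above, written out as an added Python example. It is not the original Perl script and is not part of util-linux or chkrootkit; it goes beyond what `chkdupexe` did by labelling each duplicate as same-file, identical-copy or different-content, and the tree that `demo()` builds is constructed for the demonstration rather than taken from a real system.

```python
#!/usr/bin/env python3
"""Added example, not the util-linux chkdupexe script: walk the directories in a
PATH-style string, report executables whose basename occurs in more than one
directory (what chkdupexe printed), report dangling symlinks (which it also
printed), and additionally classify each duplicate so a reviewer can tell a
hard link or identical copy from a shadowing binary with different content."""
import hashlib
import os
import stat
import tempfile
from collections import defaultdict


def _is_executable_file(path):
    """Regular file with any execute bit set; symlinks are followed."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_path(search_path):
    """Map basename -> executable paths in PATH order, plus the dangling symlinks."""
    by_name = defaultdict(list)
    dangling = []
    seen = set()
    for d in search_path.split(os.pathsep):
        if not d or d in seen or not os.path.isdir(d):
            continue  # skip empty entries, repeated directories and missing ones
        seen.add(d)
        for name in sorted(os.listdir(d)):
            full = os.path.join(d, name)
            if os.path.islink(full) and not os.path.exists(full):
                dangling.append(full)
            elif _is_executable_file(full):
                by_name[name].append(full)
    return dict(by_name), dangling


def classify_duplicates(by_name):
    """For every name found more than once, label each later occurrence relative to
    the first one (the copy the shell would actually run): same-file (same device
    and inode, via hard link or symlink), identical-copy (same SHA-256) or
    different-content."""
    out = {}
    for name, paths in by_name.items():
        if len(paths) < 2:
            continue
        first = paths[0]
        st0 = os.stat(first)
        h0 = _sha256(first)
        labels = []
        for p in paths[1:]:
            st = os.stat(p)
            if (st.st_dev, st.st_ino) == (st0.st_dev, st0.st_ino):
                labels.append((p, "same-file"))
            elif _sha256(p) == h0:
                labels.append((p, "identical-copy"))
            else:
                labels.append((p, "different-content"))
        out[name] = (first, labels)
    return out


def demo():
    """Build a constructed sample tree (shell stubs, not real system binaries) and scan it."""
    root = tempfile.mkdtemp(prefix="chkdupexe-demo-")
    a, b = os.path.join(root, "a"), os.path.join(root, "b")
    os.makedirs(a)
    os.makedirs(b)

    def mk(d, name, body):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n" + body)
        os.chmod(p, 0o755)

    mk(a, "ls", "echo real\n")
    mk(b, "ls", "echo not-the-real-ls\n")   # same name, different content: shadowing
    mk(a, "cp", "echo cp\n")
    mk(b, "cp", "echo cp\n")                # byte-identical copy
    mk(a, "mv", "echo mv\n")
    os.link(os.path.join(a, "mv"), os.path.join(b, "mv"))   # hard link: one inode
    mk(a, "only-here", "echo once\n")                        # no duplicate
    os.symlink(os.path.join(root, "missing"), os.path.join(b, "gone"))  # dangling
    by_name, dangling = scan_path(os.pathsep.join([a, b, a]))  # 'a' listed twice on purpose
    return root, classify_duplicates(by_name), dangling


if __name__ == "__main__":
    root, dups, dangling = demo()
    for name, (first, labels) in sorted(dups.items()):
        print(f"{name}: first in PATH is {first}")
        for p, label in labels:
            print(f"    {p}: {label}")
    for p in dangling:
        print(f"dangling symlink: {p}")
```

Run it directly to see the report for the constructed tree; to audit a real search path, pass `os.environ["PATH"]` to `scan_path` and feed the result to `classify_duplicates`. The same-file label is what every entry receives on a merged-`/usr` system where PATH lists both `/bin` and `/usr/bin`, the noise that `chkdupexe` could not filter out; identical-copy is usually a double installation; different-content on a name such as `ls`, `ps` or `sudo`, with the odd copy earlier in PATH than the system directory, is the case to investigate.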

HISTORY

`chkdupexe` was written by Nicolai Langfeldt and distributed with util-linux for many years before being removed from the package as a little-used script. It is unrelated to `chkrootkit`, which Nelson Murilo first released in 1997 and which is still maintained; `chkrootkit` looks for rootkit signatures in known system binaries and for hidden processes and sniffers rather than for duplicate executables, so the two tools answer different questions and can be run side by side.

SEE ALSO

chkrootkit(8), rkhunter(8), find(1), cmp(1), sha256sum(1), type(1)
