chkrootkit
Check system for known rootkits
TLDR
Check the system for known rootkits (run as root so every file and process is visible):
    sudo chkrootkit
Enable [q]uiet mode and print only findings, suppressing the "not infected" lines:
    sudo chkrootkit -q
Enable e[x]pert mode and produce the raw evidence (e.g. strings found in each binary) instead of verdicts:
    sudo chkrootkit -x
Enable [d]ebug mode to show all output:
    sudo chkrootkit -d
Specify [e]xcluded files or directories for some tests (quoted, space-separated list):
    sudo chkrootkit -e '/usr/lib/debug/.build-id'
Specify a directory as the [r]oot for testing (e.g. a suspect disk mounted read-only under a rescue system):
    sudo chkrootkit -r /mnt/suspect
Ignore [n]fs-mounted directories:
    sudo chkrootkit -n
Skip a filesystem [T]ype during the file search (e.g. tmpfs):
    sudo chkrootkit -T tmpfs
Generate a [l]ist of available tests:
    chkrootkit -l
SYNOPSIS
chkrootkit [options] [test ...]
PARAMETERS
-h
Displays a help message and exits.
-V
Displays the version information and exits.
-l
Lists the available tests and exits. Any of the listed names can be given as positional arguments to run only those tests (see SYNOPSIS).
-d
Debug mode: prints debugging information while the script runs, useful when a test hangs or behaves unexpectedly.
-q
Quiet mode: prints only positive results (INFECTED verdicts, warnings, suspicious files and directories). This is the form to use from cron.
-x
Expert mode: instead of INFECTED / not infected verdicts, prints the raw evidence the tests collect (for example the strings found in each binary) so that you can judge it yourself. Expect far more output.
-r dir
Uses dir as the root directory for the file-based tests. This is how a suspect disk mounted read-only under a rescue system is examined; the tests that read /proc (chkproc, chkutmp, ifpromisc) still look at the kernel that is currently running.
-p dir1:dir2:dirN
Colon-separated list of directories searched for the external commands chkrootkit relies on (awk, cut, egrep, find, head, id, ls, netstat, ps, strings, sed, uname). Point it at known-good, preferably statically linked, copies on read-only media: on a compromised host the copies in PATH may have been trojaned, and a trojaned ps or netstat will lie to chkrootkit just as it lies to you.
-n
Skips directories mounted over NFS, which are slow to walk and are not part of the local system.
-T fstype
Skips filesystems of the given type while searching for files, e.g. -T tmpfs.
-e 'file1 dir2 ...'
Excludes the listed files or directories from the results of some tests, notably the search for suspicious files and directories. The list is quoted and space-separated. Use it only for locations already investigated and verified as benign on that host, such as a distribution's debug-symbol directory.
test ...
Optional positional arguments naming the tests to run (names as printed by -l). With none given, all tests run.
DESCRIPTION
chkrootkit is a shell script, plus a few small C helpers (chkproc, chkdirs, chkwtmp, chklastlog, chkutmp, ifpromisc), that checks a Unix-like system for known signs of a rootkit, worm, or malicious Loadable Kernel Module (LKM). It runs a series of tests, including:
scanning system binaries (ls, ps, netstat, login, sshd and many others) for strings characteristic of published rootkit trojans, reporting each as INFECTED or not infected,
looking for the files, directories and sniffer logs that known rootkits leave behind,
comparing the processes and directories reachable through /proc with what ps and a plain directory listing report, to catch processes and directories hidden by an LKM or a trojaned ps (chkproc, chkdirs),
checking wtmp, lastlog and utmp for deleted or inconsistent login records (chkwtmp, chklastlog, chkutmp),
and checking for listening ports used by known bind-shell backdoors (bindshell) and for network interfaces in promiscuous mode, the usual sign of a sniffer (ifpromisc).
It is intended as a post-compromise triage tool but is also used for periodic auditing. It is not a definitive answer: it recognises traces of known rootkits, so a clean run on a live host says little about an unknown or well-hidden one, but it is a cheap first check that catches the common cases.
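The hidden-process test is the one worth understanding in detail, because it shows both what chkrootkit can and cannot see. The script below is an added example written for this page, not chkrootkit's own chkproc helper. It assumes a Linux /proc and a ps that accepts -eo pid=. A userland rootkit typically trojans ps, so it compares the /proc view against ps; an LKM rootkit usually hooks the directory listing of /proc instead, so, like chkproc, it also asks for /proc/<pid> directly for every PID up to a bound and compares that view too. Survivors are re-checked so a process that merely exited between the snapshots is not reported.

```shell
#!/bin/sh
# Added example: a shell approximation of chkrootkit's chkproc test.
# Not part of chkrootkit; assumes a Linux /proc and a ps that supports -eo pid=.

# hidden_pids PROC_VIEW PS_VIEW
# Both arguments are newline-separated PID lists. Prints every PID present in
# the /proc view that ps did not report. Non-numeric lines (e.g. a "PID"
# header) are ignored. Always returns 0 so callers can capture the output.
hidden_pids() {
    {
        printf '%s\n' "$2" | grep -E '^[0-9]+$' || :
        echo '--'
        printf '%s\n' "$1" | grep -E '^[0-9]+$' || :
    } | awk '
        $0 == "--" { in_proc = 1; next }     # switch from ps list to /proc list
        !in_proc   { seen[$1] = 1; next }    # remember what ps reported
        !seen[$1] && !dup[$1]++ { print }    # /proc entries ps never mentioned
    '
    return 0
}

# proc_pids_readdir: the view a rootkit that hooks readdir/getdents tampers
# with, i.e. the plain directory listing of /proc.
proc_pids_readdir() {
    ls /proc | grep -E '^[0-9]+$'
    return 0
}

# proc_pids_probe [MAX]: chkproc's trick. Instead of listing /proc it looks up
# /proc/<pid> directly for every PID up to MAX, because many rootkits hide
# entries from the listing but not from a direct lookup. The default bound is
# 32768; pass the value of /proc/sys/kernel/pid_max to mirror chkproc exactly
# (slow in sh on systems where pid_max is 4194304).
proc_pids_probe() {
    max=${1:-32768}
    pid=1
    while [ "$pid" -le "$max" ]; do
        [ -d "/proc/$pid" ] && echo "$pid"
        pid=$((pid + 1))
    done
    return 0
}

# live_hidden_pids [MAX]: take both /proc views first and ps last, so anything
# that started in between is in ps and not a candidate; then re-check each
# candidate, so anything that exited in between is dropped rather than
# reported. What is left is a PID the kernel serves but ps does not show.
live_hidden_pids() {
    readdir_view=$(proc_pids_readdir)
    probe_view=$(proc_pids_probe "${1:-32768}")
    ps_view=$(ps -eo pid=)
    candidates=$(
        hidden_pids "$readdir_view" "$ps_view"
        hidden_pids "$probe_view" "$ps_view"
    )
    for p in $(printf '%s\n' "$candidates" | sort -un); do
        [ -d "/proc/$p" ] && echo "hidden from ps: PID $p ($(tr '\0' ' ' < "/proc/$p/cmdline" 2>/dev/null))"
    done
    return 0
}

# Run the live check only when invoked as a script with --live, so the
# functions above can be sourced or tested without touching /proc.
if [ "${1:-}" = "--live" ]; then
    live_hidden_pids "$2"
fi
```

Run it as root (`sh hidden.sh --live`), because with the hidepid mount option on /proc an unprivileged user legitimately cannot see other users' processes, which would otherwise look like hiding. The limits are the same as chkproc's: ps itself reads /proc, so a rootkit that filters both the listing and the lookup in the kernel feeds the same false view to every comparison made on the live system, which is why the CAVEATS section recommends scanning from trusted media.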
CAVEATS
chkrootkit produces false positives. Legitimate software can look like a sniffer (a DHCP client or NetworkManager holds a packet socket and is reported by ifpromisc), a distribution's debug-symbol directory is reported by the suspicious-file search, and the ttys of some session processes are not recorded in utmp. It also misses things: its signatures are strings and paths hard-coded into the script and its helpers, so it recognises published rootkits, not new or custom ones, and "updating the signatures" means installing a newer chkrootkit release. Most importantly, the scanner is only as trustworthy as the environment it runs in. It is a shell script that calls the host's awk, cut, egrep, find, ps, netstat, strings and similar tools; on a rooted host those binaries, the kernel's view of /proc, or chkrootkit itself may have been replaced, and a kernel rootkit shows chkrootkit the same false picture it shows everything else. For a reliable answer, boot from a trusted medium (a live CD/USB or rescue image), mount the suspect disks read-only, and point chkrootkit at them with -r; if it must run on the live system, supply a directory of known-good, statically linked binaries with -p. Under -r only the file-based tests examine the suspect image; the /proc-based tests (chkproc, chkutmp, ifpromisc) always examine the kernel that is currently running.
USAGE BEST PRACTICES
Keep chkrootkit current: its rootkit signatures live in the script itself, so install new releases as they appear. Run it from a known-good, read-only medium (a live Linux distribution or rescue image) so that the scanner and the commands it calls have not themselves been tampered with. Unattended runs from cron work as a tripwire, but someone has to read the output: keep the raw reports, maintain a per-host list of findings that have been investigated and accepted as benign, and alert only on lines that are new relative to that list, otherwise the same dhclient or .build-id report every night trains people to ignore the mail. Treat a hit as a lead to confirm with independent evidence (a read-only scan from rescue media, file-integrity data, memory forensics), not as proof on its own.
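The cron wrapper such a process needs is small. The script below is an added example for this page, not chkrootkit's own code. The sample report is constructed to resemble `chkrootkit -q` output and is not a real capture; the paths under /opt/trusted, /etc/chkrootkit and /var/log/chkrootkit are hypothetical, as is the CHKROOTKIT variable. The baseline is a list of extended regular expressions, one per line, because accepted findings such as the dhclient packet-socket report contain a PID that changes on every run.

```shell
#!/bin/sh
# Added example: triage wrapper for unattended chkrootkit runs. Not part of
# chkrootkit. The /opt/trusted, /etc/chkrootkit and /var/log/chkrootkit paths
# are hypothetical placeholders.

# Constructed sample resembling `chkrootkit -q` output on a host where the
# debug-symbol directory and dhclient's packet socket are known, accepted noise
# and the third line is the kind of result that must reach a human.
SAMPLE_REPORT='/usr/lib/debug/.build-id
eth0: PACKET SNIFFER(/usr/sbin/dhclient[712])
chkproc: Warning: Possible LKM Trojan installed'

# Baseline of accepted findings, one ERE per line. Anchors and escaped
# metacharacters keep the first pattern from also accepting
# /usr/lib/debug/xbuild-id; the variable PID is matched by [0-9]+.
SAMPLE_BASELINE='# accepted false positives (one ERE per line)
^/usr/lib/debug/\.build-id$
^eth0: PACKET SNIFFER\(/usr/sbin/dhclient\[[0-9]+\]\)$'

# new_findings BASELINE REPORT
# Prints each non-empty report line that no baseline pattern matches. Comment
# and blank lines in the baseline are ignored. Always returns 0.
new_findings() {
    {
        printf '%s\n' "$1"
        echo '--END-BASELINE--'
        printf '%s\n' "$2"
    } | awk '
        $0 == "--END-BASELINE--" { in_report = 1; next }
        !in_report { if ($0 != "" && $0 !~ /^#/) pats[n++] = $0; next }
        $0 == ""   { next }
        { for (i = 0; i < n; i++) if ($0 ~ pats[i]) next; print }
    '
    return 0
}

# run_scan: what the cron job calls. Runs the scanner (ideally the copy on
# trusted media, via CHKROOTKIT) with its external commands taken from a
# directory of known-good static binaries (-p), archives the raw report for
# the incident record, and exits non-zero only on findings not in the
# baseline, so a cron mail or syslog line means "look at this".
run_scan() {
    trusted_bin=${TRUSTED_BIN:-/opt/trusted/bin}        # hypothetical path
    baseline=${BASELINE:-/etc/chkrootkit/baseline.re}   # hypothetical path
    archive=${ARCHIVE:-/var/log/chkrootkit}             # hypothetical path
    mkdir -p "$archive"
    stamp=$(date +%Y%m%d-%H%M%S)
    report=$("${CHKROOTKIT:-chkrootkit}" -q -p "$trusted_bin" 2>&1) || :
    printf '%s\n' "$report" > "$archive/report-$stamp.txt"
    new=$(new_findings "$(cat "$baseline" 2>/dev/null)" "$report")
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | logger -t chkrootkit -p auth.warning
        printf 'chkrootkit: new findings (not in %s):\n%s\n' "$baseline" "$new"
        return 1
    fi
    return 0
}

# Only scan when invoked as a script with --run, so the functions above can be
# sourced or tested without a chkrootkit installation.
if [ "${1:-}" = "--run" ]; then
    run_scan
fi
```

Keep the baseline file root-owned and, if possible, on the same read-only medium as the scanner: an attacker who can edit the baseline can silence the alert as easily as one who can edit chkrootkit. Every entry should record why it was accepted, which is what the comment lines are for.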
HISTORY
chkrootkit was written by Nelson Murilo and Klaus Steding-Jessen (Pangeia Informática) and first released in the late 1990s, when rootkits that replaced ls, ps, netstat and login on compromised Unix hosts were becoming common. Because it is a portable shell script with a handful of small C helpers, it runs on Linux, the BSDs, Solaris and other Unix-like systems, and it became a standard item in the system administrator's and incident responder's toolkit for quick post-compromise triage as well as periodic auditing.