chkrootkit

Scan system for rootkits

$ sudo chkrootkit

$ sudo chkrootkit -q

$ sudo chkrootkit -x

$ sudo chkrootkit -r [/mnt/system]

$ sudo chkrootkit [chkwtmp]

$ chkrootkit -l

chkrootkit [options] [test...]

chkrootkit locally checks for signs of rootkits on a system. It examines system binaries for known modifications, checks for deleted log entries, detects loadable kernel module (LKM) trojans, and identifies promiscuous network interfaces.
The tool works by comparing system binaries against known signatures of rootkit modifications and by running a series of tests that look for common rootkit behaviors. It can detect over 70 known rootkits and worms. For best results, it should be run from trusted binaries on a clean system or live CD, since a compromised system's tools may hide infections.

-q

Quiet mode, show infections only

Expert mode: outputs raw strings from analyzed binary files for manual inspection

Exclude known false positive files/directories

Use alternate root directory

Custom path for binaries

List available tests

Skip NFS mounted directories

chkwtmp

Check wtmp deletions

Check lastlog deletions

Check for promiscuous interfaces

Check for LKM trojans

Quick strings check

Not foolproof - advanced rootkits can hide. Use with rkhunter for comprehensive scanning. Set up cron jobs for regular scans. If infection found, isolate system and investigate.

rkhunter(1), lynis(1), clamav(1)