LinuxCommandLibrary

chkrootkit

local rootkit detection scanner

TLDR

Scan the running system (needs root to read /proc, network sockets and wtmp)

$ sudo chkrootkit
Quiet mode (print only infected/warning results)
$ sudo chkrootkit -q
Expert mode (dump the strings found in each inspected binary for manual review)
$ sudo chkrootkit -x
Scan a suspect filesystem mounted elsewhere (e.g. from a live CD)
$ sudo chkrootkit -r [/mnt/system]
Run only the named test (names as printed by -l, e.g. wted, sniffer, lkm)
$ sudo chkrootkit [wted]
List available tests
$ chkrootkit -l

SYNOPSIS

chkrootkit [options] [test...]

DESCRIPTION

chkrootkit is a shell script plus a few small C helpers that look for signs of a rootkit on the local system. It checks system binaries (login, ls, ps, netstat, sshd and others) for strings and modifications characteristic of known rootkits, looks for deleted entries in wtmp, utmp and lastlog, compares /proc with the output of ps to find processes hidden by a loadable kernel module (LKM) trojan, checks for sniffer logs and for network interfaces in promiscuous mode, and searches for files and directories left behind by known worms and rootkits.
The binary checks are signature based (known strings in trojaned copies), so an unknown or recompiled rootkit is not detected by them; the behavioural checks (hidden processes, promiscuous interfaces, log tampering) are what catch the rest. The project lists roughly 70 known rootkits, worms and LKMs. Because the script relies on external commands (awk, cut, egrep, find, head, id, ls, netstat, ps, strings, sed, uname), a rootkit that has replaced those commands can hide from it. For a trustworthy result, boot from a live CD or other known-good media, mount the suspect disk read-only, point -r at that mount and -p at a directory of known-good binaries.

PARAMETERS

-q

Quiet mode, show infections only
-x
Expert mode: outputs raw strings from analyzed binary files for manual inspection
-e 'FILE1 DIR1'
Exclude known false-positive files and directories (quoted, space-separated list)
-r dir
Use dir as the root directory (scan a mounted, not running, filesystem)
-p dir1:dir2
Colon-separated list of directories searched for the external commands chkrootkit runs (use it to supply trusted binaries)
-l
List available tests
-n
Skip NFS mounted directories

TESTS

The tests selectable on the command line (see -l) include the behavioural checks aliens, asp, bindshell, lkm, rexedcs, sniffer, wted, chkutmp and others, plus one signature check per inspected binary (login, ls, ps, netstat, sshd, ...). Several of them call the C helper programs shipped with chkrootkit:

chkwtmp
Check for entries deleted from wtmp (used by the wted test)
chklastlog
Check for entries deleted from lastlog
chkutmp
Check for entries deleted from utmp
ifpromisc
Check for interfaces in promiscuous mode (used by the sniffer test)
chkproc, chkdirs
Check for processes and directories hidden from ps and readdir, a sign of an LKM trojan (used by the lkm test)
strings
Minimal strings(1) replacement used when the system's copy cannot be trusted

CAVEATS

Not foolproof: a rootkit that hooks the kernel or replaces the commands chkrootkit depends on can hide from it, and the signature checks only know rootkits that were public when your version was released. False positives are common (the lkm test reports hidden processes that are merely short-lived, and the sniffer test reports any PF_PACKET socket, which dhclient and tcpdump also open), so confirm a hit with -x or from a clean boot before acting on it. Use it alongside rkhunter, and schedule it from cron with -q so only findings are mailed. If an infection is confirmed, isolate the host, preserve the disk image and logs before touching anything, and investigate from trusted media rather than cleaning in place.
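The following is an added example, not part of chkrootkit or this page's original content. It shows a small POSIX sh wrapper for the workflow above: run chkrootkit against a suspect filesystem mounted at a known path with -r, supply trusted external commands with -p, and turn the tool's free-form output into a finding count and an exit status usable from cron. The function and variable names (triage_chkrootkit, scan_mounted_disk, SAMPLE_OUTPUT) are this example's own, and the sample output lines are constructed to look like chkrootkit output, not captured from a real scan.

```shell
#!/bin/sh
# Added example (not chkrootkit's own code): triage chkrootkit output and
# drive a scan of a mounted suspect filesystem using trusted binaries.

# triage_chkrootkit: read chkrootkit output on stdin, echo one line per
# finding, print a summary, and return 0 (clean) or 1 (something to review).
# Benign results ("not infected", "not found", "nothing found", ...) are dropped.
triage_chkrootkit() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            *'not infected'*|*'not found'*|*'nothing found'*|*'not tested'*|\
            *'no suspect files'*|*'nothing deleted'*|*'nothing detected'*)
                ;;                                  # benign, ignore
            *INFECTED*|*Warning*|*deletion*)
                printf 'FINDING: %s\n' "$line"     # signature hit, hidden process, log tampering
                findings=$((findings + 1)) ;;
            *PF_PACKET*|*PROMISC*)
                printf 'PROMISC: %s\n' "$line"     # raw socket or promiscuous NIC: review, often dhclient/tcpdump
                findings=$((findings + 1)) ;;
        esac
    done
    printf '%s finding(s)\n' "$findings"
    [ "$findings" -eq 0 ]
}

# scan_mounted_disk ROOT TOOLDIR: scan a suspect filesystem mounted (read-only)
# at ROOT, taking awk/ps/netstat/strings etc. from TOOLDIR, a directory of
# known-good binaries copied from trusted media. Returns triage_chkrootkit's status.
scan_mounted_disk() {
    root=$1
    tooldir=$2
    sudo chkrootkit -q -r "$root" -p "$tooldir" 2>&1 | triage_chkrootkit
}

# Constructed sample output (assumption: mimics chkrootkit's line format).
SAMPLE_OUTPUT=$(cat <<'EOF'
ROOTDIR is `/mnt/suspect'
Checking `basename'... not infected
Checking `chfn'... INFECTED
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/dhclient)
Checking `wted'... nothing deleted
EOF
)

# Stand-alone demo on the constructed sample; a real run would be e.g.
#   scan_mounted_disk /mnt/suspect /mnt/tools/bin
printf '%s\n' "$SAMPLE_OUTPUT" | triage_chkrootkit \
    || echo "non-zero exit: findings need review before the host is trusted"
```

From cron, `scan_mounted_disk` (or `sudo chkrootkit -q | triage_chkrootkit`) exits 1 whenever anything needs a look, so the job only mails on findings; the PF_PACKET line from dhclient is deliberately counted, because deciding it is benign is the analyst's job, not the script's.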

SEE ALSO

rkhunter(8), lynis(8), clamscan(1), strings(1)
