LinuxCommandLibrary

chkrootkit

Check system for known rootkits

TLDR

Enable [q]uiet mode and suppress normal test results
$ chkrootkit -q

Enable e[x]pert mode and produce additional outputs
$ chkrootkit -x

Enable [d]ebug mode to show all output
$ chkrootkit -d

Specify [e]xcluded files for some tests
$ chkrootkit -e "[path/to/file]"

Specify a directory as the [r]oot for testing (e.g. mounted ext drives)
$ chkrootkit -r [path/to/directory]

Ignore [n]fs-mounted directories
$ chkrootkit -n

Invoke [T]ests and ignore specific filesystem types
$ chkrootkit -T [filesystemtype]

Generate [l]ist of available tests
$ chkrootkit -l

SYNOPSIS

chkrootkit [options]

PARAMETERS

-q
    Quiet mode; suppresses output unless infection detected

-x
    Expert mode; displays all test results

-h, --help
    Show help message and usage

-V, --version
    Display version information

-p <limit>
    Limit process scan to specified number

-o <logfile>
    Log output to specified file

-v
    Verbose mode; more detailed output

-e
    Update signature databases

-d
    Debug mode for troubleshooting

-4
    IPv4 scanning only

-6
    IPv6 scanning only

DESCRIPTION

chkrootkit is a widely used open-source scanner designed to detect known rootkits, backdoors, trojans, port-knocking, and exploits on Unix/Linux systems.

It performs over 70 tests by scanning critical system binaries (e.g., ps, netstat, ls, ifconfig), hidden processes, suspicious files in common trojan directories, SUID/SGID binaries, and network interfaces for promiscuous mode or sniffer activity. Tests include string matches in binaries for rootkit signatures, interface status checks, process scans via /proc, and log file analysis for login anomalies.

Run as root for comprehensive results. Output categorizes findings as INFECTED, suspect, or not found. It's fast and lightweight but relies on signatures and heuristics, making it effective against known threats yet prone to evasion by advanced rootkits.

Ideal for quick integrity checks during incident response or routine security audits, though pairing with tools like rkhunter is recommended for better coverage.

CAVEATS

May produce false positives on customized systems. Being signature-based, it misses zero-days. Requires root privileges for full scans. It is not a real-time monitor; run it periodically.

COMMON TESTS

Checks binaries like ps, ss, lsmod; hidden procs; promiscuous interfaces; trojan dirs (/tmp, /dev); SUID changes.

EXIT CODES

0: OK; 1: Infected detected.
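As an added example (not part of chkrootkit or of this reference page), the following POSIX shell functions triage a saved report using the INFECTED and suspect categories described above and mirror the exit-code convention; the log path, the pattern list used for "suspect" lines, and the sample report are assumptions.

```shell
#!/bin/sh
# Added example, not part of chkrootkit or of this reference page: triage a
# saved chkrootkit report and mirror the tool's exit-code convention
# (0 = nothing INFECTED, 1 = at least one INFECTED result).
# Assumed workflow:   chkrootkit -q > /var/log/chkrootkit.last
#                     triage_report /var/log/chkrootkit.last

# Positive matches carry upper-case INFECTED; the benign result is the
# lower-case "not infected", so a case-sensitive grep separates the two.
count_infected() {
    grep -c 'INFECTED' "$1" || true
}

# Non-definitive "suspect" findings: warnings, possible LKM trojans and
# processes holding PF_PACKET sockets. The pattern list is an assumption
# and is the usual source of false positives on customised hosts.
count_suspect() {
    grep -c -E 'Warning|Possible|PF_PACKET' "$1" || true
}

# Print a one-line summary; return 1 when anything was reported INFECTED.
triage_report() {
    infected=$(count_infected "$1")
    suspect=$(count_suspect "$1")
    printf 'INFECTED=%s suspect=%s\n' "$infected" "$suspect"
    [ "$infected" -eq 0 ]
}

# Constructed sample report (not real scanner output) so the functions can be
# exercised without running chkrootkit.
write_sample_report() {
    cat > "$1" <<'EOF'
Checking `ls'... not infected
Checking `ps'... INFECTED
Checking `netstat'... not infected
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/tcpdump)
Checking `chkutmp'... chkutmp: nothing deleted
EOF
}

# Demonstration on the constructed sample: run as `sh triage.sh --demo`.
if [ "${1:-}" = "--demo" ]; then
    report=$(mktemp)
    write_sample_report "$report"
    triage_report "$report" || echo "INFECTED result: verify binaries from known-good media before trusting this host"
    rm -f "$report"
fi
```

Because a compromised host's own ps, ls or netstat may lie, treat an INFECTED line as a reason to compare the flagged binaries against a trusted copy rather than as proof on its own.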

HISTORY

Developed by Fernando Henrique Lamana and Nimbul Ltd. around 2002; actively maintained with periodic signature updates; popular in early 2000s for pre-AV era rootkit hunting.

SEE ALSO

rkhunter(8), lynis(8), aide(1), debsums(1)
