LinuxCommandLibrary

chkrootkit

TLDR

Scan system for rootkits
$ sudo chkrootkit

Quiet mode (show infections only)
$ sudo chkrootkit -q

Expert mode with more details
$ sudo chkrootkit -x

Use alternate root directory
$ sudo chkrootkit -r [/mnt/system]

Test specific check
$ sudo chkrootkit [chkwtmp]

List available tests
$ chkrootkit -l

SYNOPSIS

chkrootkit [options] [test...]

DESCRIPTION

chkrootkit locally checks for signs of rootkits. It examines system binaries for modifications, looks for deleted log entries, LKM trojans, and promiscuous network interfaces, and detects 70+ known rootkits.

PARAMETERS

-q
Quiet mode: show infections only

-x
Expert mode: show additional information

-r dir
Use dir as the root directory instead of / (for example, a mounted image of the system under investigation)

-p dir1:dir2
Use the binaries in the given colon-separated directories instead of the system's own

-l
List available tests

-n
Skip NFS-mounted directories

TESTS

chkwtmp
Check wtmp for deleted entries

chklastlog
Check lastlog for deleted entries

ifpromisc
Check for network interfaces in promiscuous mode

chkproc
Check for LKM trojans

strings
Quick strings check

CAVEATS

chkrootkit is not foolproof; advanced rootkits can evade it. Because it relies on the host's own binaries (ps, ls, netstat and so on), a rootkit that has replaced them can hide from it, which is what the -p option is for: point it at trusted copies. Use it alongside rkhunter for more comprehensive scanning, and schedule regular scans with cron. If an infection is found, isolate the system and investigate.
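A cron wrapper that turns the quiet-mode output into an alert, as an added example that is not part of the chkrootkit project: it logs each scan, filters the output down to findings, and exits non-zero when anything was flagged. The log directory, the `--run` switch and the sample output are assumptions made for this example.

```shell
#!/bin/sh
# Cron-friendly wrapper around chkrootkit (added example, not part of
# the chkrootkit project). It runs the scan in quiet mode, keeps a
# timestamped log, and exits non-zero when anything was flagged so the
# cron mailer or a monitoring agent can raise an alert.

LOGDIR="${CHKROOTKIT_LOGDIR:-/var/log/chkrootkit}"   # assumed location

# Keep only lines that indicate a finding. chkrootkit reports clean
# checks as lowercase "not infected" and hits as uppercase "INFECTED";
# the chkproc and lkm checks emit "Warning:" and "hidden" lines.
chkrootkit_findings() {
    grep -v 'not infected' | grep -E 'INFECTED|Warning:|hidden'
}

# Count findings in chkrootkit output read from stdin.
count_findings() {
    chkrootkit_findings | wc -l | tr -d ' '
}

# Run the real scan (needs root) and return 1 if anything was flagged.
run_scan() {
    mkdir -p "$LOGDIR"
    log="$LOGDIR/chkrootkit-$(date +%Y%m%d-%H%M%S).log"
    sudo chkrootkit -q > "$log" 2>&1 || true   # judge by output, not exit status
    findings=$(count_findings < "$log")
    if [ "$findings" -gt 0 ]; then
        echo "chkrootkit: $findings finding(s), see $log" >&2
        chkrootkit_findings < "$log" >&2
        return 1
    fi
    echo "chkrootkit: clean, log at $log"
}

# Constructed sample of chkrootkit output (two clean checks, three findings, one status line).
sample_output() {
    cat <<'EOF'
Checking `ls'... not infected
Checking `ps'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `chkproc'... Warning: Possible LKM Trojan installed
Checking `lkm'... You have     2 process hidden for readdir command
Checking `sniffer'... eth0: not promisc and no packet sniffer sockets
EOF
}

if [ "${1:-}" = "--run" ]; then
    run_scan
fi
```

Install it as a daily cron entry invoked with `--run`; cron mails the stderr output (the findings) whenever the script exits non-zero.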

SEE ALSO

rkhunter(1), lynis(1), clamav(1)
