Overview
chkrootkit is a command-line scanner that checks the POSIX system it is run on (Linux, *BSD, macOS and other Unix variants) for signs of a rootkit. It is a shell script plus a few small C helpers (chkproc, chkdirs, chklastlog, chkwtmp, chkutmp, ifpromisc) that together grep core binaries for strings known from trojaned versions, look for files and directories used by known rootkits, compare /proc with ps output to find hidden processes, report interfaces in promiscuous mode or processes holding packet sockets, and check wtmp/utmp/lastlog for deleted entries. Because it runs on the host being examined, its verdicts are only as trustworthy as the kernel and the binaries it calls: a kernel-level rootkit can hide from it, and a trojaned ls or ps can feed it lies. System administrators and incident responders should treat it as one fast indicator among several, and run it with trusted external binaries (-p) or against a read-only mounted image (-r) when a compromise is seriously suspected.
Installation
From Package Manager
# Debian/Ubuntu
sudo apt-get install chkrootkit
# RedHat/CentOS/Fedora (the package lives in EPEL; enable that repository first)
sudo yum install chkrootkit # or: sudo dnf install chkrootkit
# macOS with Homebrew
brew install chkrootkit
From Source
# Download, check the tarball against the checksum/signature published on chkrootkit.org, then build the C helpers
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xzf chkrootkit.tar.gz
cd chkrootkit-*
make sense # needs make and a C compiler; there is no install target
sudo ./chkrootkit # run it from the build directory, or copy the directory to read-only media
Verify Installation
chkrootkit -V # Display version information (upper-case V; there is no -v option)
chkrootkit -h # Display help menu
Basic Usage
| Command | Description |
|---|---|
| sudo chkrootkit | Run every test; most tests need root (reading /proc, opening raw sockets, reading /var/log/wtmp) |
| sudo chkrootkit -q | Quiet mode: print only positives (INFECTED, Warning:, sniffer hits), nothing for clean tests |
| sudo chkrootkit -x \| less | Expert mode: dump the strings each binary test inspected so you can judge them yourself |
| sudo chkrootkit -d | Debug output (shows which external commands and paths are used) |
| sudo chkrootkit ls ps netstat sniffer | Run only the named tests; test names come from chkrootkit -l |
| sudo chkrootkit 2>&1 \| tee report.txt | Save results (including stderr) to a file for later comparison |
Common Checks
System Binary Verification
# Pull out positives; keep the grep case-sensitive, because "not infected" is a clean result
sudo chkrootkit | grep -E "INFECTED|Warning|Possible|SNIFFER"
# List the available tests, then run only the per-binary ones you care about
chkrootkit -l
sudo chkrootkit ls ps netstat sshd login
Kernel Module Detection
# chkrootkit's lkm test (chkproc/chkdirs) does not list modules; it compares PIDs in /proc with ps output to find processes a kernel rootkit is hiding
sudo chkrootkit lkm
# Loaded modules as the kernel reports them (lsmod reads /proc/modules); a module that unlinks itself from the list will not appear here
lsmod
Network Interface Checks
# Look for interfaces in promiscuous mode (PROMISC shows up in the flags)
ip link show | grep -w PROMISC
ifconfig -a | grep -w PROMISC # legacy systems without iproute2
# Which processes hold packet sockets (this is what chkrootkit's sniffer test reports)
sudo chkrootkit sniffer
cat /proc/net/packet
# Check for unexpected listeners, with the owning process (needs root for -p)
sudo ss -tulnp
netstat -tulnp # legacy systems without ss
Log File Analysis
# Review authentication and system logs for logins, sudo use and service restarts around the time of suspicion
sudo less /var/log/auth.log # Debian/Ubuntu; RHEL/CentOS use /var/log/secure
sudo journalctl -p warning -S -7d # systemd hosts: warnings and above from the last 7 days
# Let chkrootkit look for log tampering: entries deleted from wtmp, utmp and lastlog
sudo chkrootkit wted chkutmp lastlog
# Earlier scan results, if you pipe scans into syslog (see Log Aggregation below)
sudo grep chkrootkit /var/log/syslog
Advanced Options
| Option | Description |
|---|---|
| -r <dir> | Use <dir> as the root directory, e.g. a suspect disk mounted read-only from a live/rescue boot |
| -p <dir1:dir2> | Colon-separated path of trusted external commands (ls, ps, netstat, strings, ...) to use instead of the suspect host's own |
| -e '<file1> <dir2>' | Quoted, space-separated list of files/dirs to exclude from results; use it for false positives you have verified |
| -n | Skip NFS-mounted directories (the suspicious-files search can hang or crawl on them) |
| -d | Debug output |
| -x | Expert mode: print the strings found in each tested binary |
| -q | Quiet mode: print positives only |
Specific Checks Explained
String Test
# Each per-binary test greps the binary for strings known from trojaned versions; expert mode shows what it saw
sudo chkrootkit -x ls | less
# Manual check: a file lister has no business referencing a shell or device nodes
strings -a /bin/ls | grep -E "bash|/dev/" # suspicious if found
Sniffer Check
# chkrootkit's sniffer test (ifpromisc) reports promiscuous interfaces and processes holding packet sockets
sudo chkrootkit sniffer
# Manual verification (tcpdump -D only lists capturable interfaces; it does not show who is sniffing)
ip link show | grep -w PROMISC
cat /proc/net/packet # inode of each packet socket; map it to a PID with: sudo ls -l /proc/*/fd | grep socket
WTMP/UTMP Check
# chkwtmp, chkutmp and chklastlog look for entries deleted from wtmp, utmp and lastlog
sudo chkrootkit wted chkutmp lastlog
# Manual review of login records
last -f /var/log/wtmp
lastlog
who # compare with ps -ef: a logged-in user with no processes, or vice versa, is odd
Rootkit Database Check
# The aliens test looks for files and directories used by specific known rootkits
sudo chkrootkit aliens
# The suspicious-files search lists dot-files under /usr/lib, /lib and similar; review that list by hand
sudo chkrootkit | grep -A 20 "Searching for suspicious files"
Running Full System Scan
# Complete system check, keeping the full output (there is no -v; the default already prints every test)
sudo chkrootkit 2>&1 | tee fullscan.log
# Run and immediately highlight issues (case-sensitive: "not infected" must not match)
sudo chkrootkit | grep -E "INFECTED|Warning|Possible|SNIFFER"
# Background quiet scan with logging
sudo chkrootkit -q > /var/log/chkrootkit.log 2>&1 &
Interpreting Results
Result Status Strings
| Output | Meaning | Action |
|---|---|---|
| INFECTED | A string known from a trojaned binary, or a file/dir used by a known rootkit, was found | Isolate the host and investigate before trusting anything on it |
| Warning: ... / Possible ... installed | A heuristic fired (hidden process, deleted wtmp entry, unexpected file) | Verify by hand; may be a false positive |
| PACKET SNIFFER(...) | A process holds a packet socket on that interface | Benign for dhclient/NetworkManager or a tcpdump you started; otherwise investigate the process |
| not infected / nothing found / nothing detected | The test ran and found nothing | No action |
| not found | The binary that test targets is not installed | No action (expected on minimal systems) |
| not tested | A helper could not run (not built, wrong -p path, not root) | Fix the environment and rerun |
Example Output Analysis
# Clean results
Checking `ls'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `wted'... chkwtmp: nothing deleted
# The most common false positive: the DHCP client legitimately opens a packet socket
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient[875])
# Immediate concern: a trojan signature in a core binary
Checking `ls'... INFECTED
# Needs investigation: a PID exists in /proc but not in ps output
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
# The "Searching for suspicious files and dirs" step lists dot-files under /usr/lib and /lib; entries such as /usr/lib/debug/.build-id are normal on Debian/Ubuntu, and a /lib64 -> /usr/lib64 link is normal on 64-bit systems
Integration with Monitoring
Scheduled Scans
# Add to root's crontab (sudo crontab -e); the tests need root
# Nightly quiet scan at 2 AM: only positives are appended, so an empty log means clean
0 2 * * * /usr/bin/chkrootkit -q >> /var/log/chkrootkit-daily.log 2>&1
# Weekly full scan on Sundays (no -v exists; the default output records every test, clean or not)
0 3 * * 0 /usr/bin/chkrootkit >> /var/log/chkrootkit-weekly.log 2>&1
# Debian/Ubuntu ship /etc/cron.daily/chkrootkit; enable it with RUN_DAILY="true" in /etc/chkrootkit.conf (newer packages: /etc/chkrootkit/chkrootkit.conf)
Log Aggregation
# Send results to syslog (logger tags every line so they can be filtered later)
sudo chkrootkit -q 2>&1 | logger -t chkrootkit
# Grep for alerts (case matters: "not infected" is a clean result)
grep chkrootkit /var/log/syslog | grep -E "INFECTED|Warning|Possible|SNIFFER"
journalctl -t chkrootkit # systemd-journald hosts
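The cron entries, the syslog filter and the result table above all reduce to one job: separating the few lines that need a human from clean results and documented false positives, and turning that into an exit status a scheduler can act on. The script below is an added example written for this page in POSIX shell; it is not part of chkrootkit. It assumes a hypothetical allowlist file /etc/chkrootkit.allow (one extended regex per line), and the run_scan wrapper takes an optional mount point for -r and trusted-binary path for -p. The output in sample_clean and sample_hit is constructed for the usage check, not captured from a real host.

```shell
#!/bin/sh
# Triage chkrootkit output: print only actionable lines with a severity tag and
# return 2 for INFECTED, 1 for an unexplained warning, 0 for clean/allowed.
# Added example for this page, not part of chkrootkit.

# Hypothetical allowlist: one ERE per line, matched against positive lines.
ALLOWLIST_FILE="${ALLOWLIST_FILE:-/etc/chkrootkit.allow}"
# Built-in entries cover the classic DHCP client / NetworkManager "sniffer" hit.
DEFAULT_ALLOW='PACKET SNIFFER\((/usr)?/sbin/(dhclient|NetworkManager|dhcpcd)\['

# triage_output: read chkrootkit output on stdin (quiet or full mode).
triage_output() {
    local allow="$DEFAULT_ALLOW" line rc=0 extra
    if [ -r "$ALLOWLIST_FILE" ]; then
        # Skip comments/blank lines; only extend the regex if something is left,
        # otherwise a trailing "|" would allow everything.
        extra=$(grep -Ev '^[[:space:]]*(#|$)' "$ALLOWLIST_FILE" | paste -sd'|' -) || :
        [ -n "$extra" ] && allow="$allow|$extra"
    fi
    while IFS= read -r line; do
        case "$line" in
            *INFECTED*)                       # "not infected" is lower-case and does not match
                printf 'CRITICAL %s\n' "$line"; rc=2 ;;
            *Warning:*|*"Possible "*|*"PACKET SNIFFER"*|*PROMISC*)
                if printf '%s\n' "$line" | grep -Eq -- "$allow"; then
                    printf 'ALLOWED  %s\n' "$line"
                else
                    printf 'WARNING  %s\n' "$line"
                    [ "$rc" -lt 1 ] && rc=1
                fi ;;
        esac
    done
    return "$rc"
}

# run_scan [ROOT] [TRUSTED_BIN]: quiet scan, optionally of a read-only mounted
# evidence tree (-r) using external commands from a trusted directory (-p).
# Returns triage_output's status; 3 if chkrootkit is not installed. Run as root.
run_scan() {
    local root="${1:-/}" bin="${2:-}"
    command -v chkrootkit >/dev/null 2>&1 || { echo "chkrootkit not installed" >&2; return 3; }
    set -- -q
    [ "$root" != "/" ] && set -- "$@" -r "$root"
    [ -n "$bin" ] && set -- "$@" -p "$bin"
    chkrootkit "$@" 2>&1 | triage_output
}

# Constructed sample output (not captured from a host) for the usage check.
sample_clean() {
    cat <<'EOF'
Checking `ls'... not infected
eth0: PACKET SNIFFER(/sbin/dhclient[875])
Checking `lkm'... chkproc: nothing detected
EOF
}
sample_hit() {
    cat <<'EOF'
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
Checking `ls'... INFECTED
eth0: PACKET SNIFFER(/usr/bin/evil[4242])
EOF
}

# Usage in cron:  run_scan            -> status 0/1/2 decides whether to page someone
# Offline image:  run_scan /mnt/evidence /media/trusted/bin
```

Point the cron job at run_scan and branch on the exit status rather than grepping the log afterwards: status 2 means a signature hit, status 1 an unexplained warning, and anything that returns 0 can be archived without a human reading it. Add a verified false positive to the allowlist (or to -e) only after checking the flagged process or file with the package manager.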
Limitations and Considerations
Rootkit-Aware Systems
# chkrootkit runs on the host it examines: a kernel-level rootkit can hide files, processes and sockets from it,
# and a trojaned ls, ps or strings can feed it lies. It is a signature/heuristic scanner, not proof of a clean box.
# Use multiple tools for defense in depth, and take the host's own binaries out of the loop when you can:
sudo chkrootkit -p /media/trusted/bin # known-good ls, ps, netstat, strings, ... from read-only media (example path)
sudo chkrootkit -r /mnt/evidence # the suspect disk mounted read-only from a live/rescue boot (example path)
# Verify the scanner itself against a hash recorded on trusted media, not one computed on the suspect host
which chkrootkit
sha256sum /usr/bin/chkrootkit
# There is no "light" mode; reduce load on production systems by running a subset of tests
chkrootkit -l # list available test names
sudo chkrootkit ls ps netstat sshd sniffer # cheap per-binary and socket tests only
False Positives
# Known benign hits: dhclient/NetworkManager reported as PACKET SNIFFER, and .build-id directories listed as suspicious files
# Verify a flagged binary against the package manager before acting on it
dpkg -S /bin/ls && dpkg -V coreutils # Debian/Ubuntu: no output from -V means the package's files are unchanged
rpm -Vf /bin/ls # RHEL/CentOS: no output means unchanged
file /bin/ls
strings -a /bin/ls | head -20
sha256sum /bin/ls # compare with a hash recorded at install time; MD5 is collision-prone, prefer SHA-256
# Once verified, suppress the false positive on later runs
sudo chkrootkit -e '/usr/lib/debug/.build-id'
Security Best Practices
Pre-Scan Preparation
# Verify the downloaded tarball against the signature/checksum published on chkrootkit.org
gpg --verify chkrootkit.asc chkrootkit.tar.gz
# Check that the installed scanner hasn't been modified; mtime alone proves little (touch resets it), so ask the package manager too
ls -la /usr/bin/chkrootkit
stat /usr/bin/chkrootkit
dpkg -V chkrootkit # or: rpm -V chkrootkit
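The pre-scan check on the scanner itself and the manual review of a flagged binary (False Positives above) come down to the same operation: comparing a file against a hash you recorded when the host was trusted. The script below is an added example written for this page in POSIX shell, not chkrootkit's own code. It records a SHA-256 manifest at baseline, re-verifies it later, and falls back to dpkg/rpm when no manifest exists; the manifest path is whatever you pass in and should live on read-only media. SHA-256 replaces the page's md5sum because MD5 collisions are practical.

```shell
#!/bin/sh
# Added example for this page (not part of chkrootkit): verify files against a
# SHA-256 manifest recorded when the host was trusted. Keep the manifest off the
# host (read-only USB, another machine); a rootkit can rewrite a local copy.

# make_manifest MANIFEST FILE...: record the sha256 of each file. Run this on a
# trusted system or right after a clean install, never on a suspect host.
make_manifest() {
    out="$1"; shift
    sha256sum "$@" > "$out"
}

# verify_against_manifest MANIFEST: re-hash every listed file and print
# MISSING/MODIFIED lines. Returns 0 if everything matches, 1 otherwise.
verify_against_manifest() {
    manifest="$1"; bad=0
    # sha256sum lines are "<hash>  <path>"; read splits off the hash and keeps
    # the rest of the line as the path, so paths with spaces survive.
    while read -r want path; do
        [ -z "$want" ] && continue
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        have=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# pkg_verify FILE: fallback when there is no manifest. Returns 0 if the file
# matches its package, 1 if it was changed, 2 if no package manager owns it.
# Weaker than a manifest: the package database sits on the same, possibly
# compromised, disk and can be edited along with the binary.
pkg_verify() {
    f="$1"
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$f" 2>/dev/null | head -n1 | cut -d: -f1)
        [ -n "$pkg" ] || return 2
        # dpkg -V prints one line per changed file of the package; none means OK
        if dpkg -V "$pkg" 2>/dev/null | grep -Fq " $f"; then return 1; fi
        return 0
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$f" >/dev/null 2>&1 || return 2
        if rpm -Vf "$f" 2>/dev/null | grep -Fq " $f"; then return 1; fi
        return 0
    fi
    return 2
}

# Usage (example paths):
#   make_manifest /media/usb/manifest.sha256 /bin/ls /bin/ps /usr/bin/chkrootkit
#   later, on the suspect host:
#   verify_against_manifest /media/usb/manifest.sha256 || echo "investigate the lines above"
#   pkg_verify /bin/ls; echo "pkg_verify status: $?"
```

Record the manifest for chkrootkit itself and for every binary its tests depend on (ls, ps, netstat, strings, find) in the same pass; then a MODIFIED line for one of those tells you the scan's own results are suspect, not just the flagged file.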
Post-Scan Actions
# Document findings with a dated log (there is no -v; the default output already lists every test)
sudo chkrootkit > /var/log/chkrootkit-$(date +%Y%m%d).log 2>&1
# Compare against previous scans; new lines are what matters
diff chkrootkit-20260401.log chkrootkit-20260501.log
# Corroborate with a second rootkit scanner and a file-integrity baseline; run them all and read each log, rather than chaining on exit status
sudo rkhunter --check --skip-keypress
sudo aide --check | grep -i changed
Troubleshooting
Common Issues
| Issue | Solution |
|---|---|
| Permission denied / many "not tested" results | Run as root (sudo); ifpromisc, chkproc and the wtmp/utmp checks need it |
| Command not found | Install the package, or run ./chkrootkit from the source directory (there is no make install) |
| Slow scan | Skip NFS mounts with -n, run a subset of tests by name, or schedule during off-hours |
| False positives | Confirm with dpkg -V / rpm -V, file and a recorded hash, then exclude the path with -e |
Diagnostic Commands
# Verify installation
which chkrootkit
chkrootkit -V
# External commands the tests depend on; a missing one shows up as "not tested"
for t in awk cut egrep find head id ls netstat ps sed strings uname; do
    command -v "$t" >/dev/null || echo "missing: $t"
done
# Test basic functionality: list the test names, then run one cheap test
chkrootkit -l
sudo chkrootkit ls
References and Resources
# Check for distribution configuration files (Debian/Ubuntu: daily cron settings such as RUN_DAILY)
ls -la /etc/chkrootkit*
# View man page
man chkrootkit
# Online resources
# Visit: http://www.chkrootkit.org