chkrootkit is a command-line scanner to locally check for signs of a rootkit on POSIX systems. It performs a set of checks on your system to discover evidence of rootkit installations, including hidden files, suspicious kernel modules, network interfaces in promiscuous mode, and other indicators of compromise. This tool is essential for system administrators and security professionals performing forensic analysis on potentially compromised Unix/Linux systems.
```bash
# Debian/Ubuntu
sudo apt-get install chkrootkit
# RedHat/CentOS
sudo yum install chkrootkit
# macOS with Homebrew
brew install chkrootkit
# Download and compile from source
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xzf chkrootkit.tar.gz
cd chkrootkit-*
make sense

chkrootkit -V # Display version information (upper-case V)
chkrootkit -h # Display help menu
```
| Command | Description |
|---|---|
| `chkrootkit` | Run all checks with default settings |
| `chkrootkit -q` | Quiet mode: only show warnings/alerts |
| `chkrootkit -v` | Verbose mode: show all output including clean results |
| `chkrootkit -x` | Verbose mode with additional debug output |
| `sudo chkrootkit` | Run with elevated privileges (recommended) |
| `chkrootkit > report.txt` | Save results to a file for analysis |
```bash
# Check for suspicious modifications to system binaries
chkrootkit | grep "INFECTED\|WARNING\|ALERT"
# List the checks that will be performed
chkrootkit -l
# Check for hidden or suspicious kernel modules
lsmod # List loaded modules
chkrootkit | grep -i "module" # Look for module-related alerts
# Verify no interfaces are in promiscuous mode
ifconfig -a
ip link show
# Check for suspicious listeners
netstat -tln
ss -tln
# Review system logs for suspicious activity
sudo tail -f /var/log/auth.log
sudo tail -f /var/log/syslog
sudo grep chkrootkit /var/log/syslog
```
| Option | Description |
|---|---|
| `-r <dir>` | Change root directory (for mounted filesystems) |
| `-e <dir>` | Exclude directory from checks |
| `-p <path>` | Specify PATH for binaries |
| `-s` | Run in 'light' mode (faster but less thorough) |
| `-i` | Ignore warnings for known rootkits |
| `-n` | Skip NFS checking |
```bash
# Verify /bin/ls hasn't been replaced
strings /bin/ls | grep "bash" # Suspicious if found
# Detect interfaces in promiscuous mode (chkrootkit names the check `sniffer')
chkrootkit | grep -i "sniffer"
# Manual verification: list capture-capable interfaces
tcpdump -D
# Check login logs for suspicious entries
chkrootkit | grep -i "wtmp\|utmp"
lastlog
# Check against known rootkit signatures
chkrootkit | grep "Searching"
chkrootkit -i # Interactive mode
# Complete system check with detailed output
sudo chkrootkit -v 2>&1 | tee fullscan.log
# Run and immediately highlight issues
sudo chkrootkit | grep -E "INFECTED|WARNING|ALERT"
# Background scan with logging
sudo chkrootkit -q > /var/log/chkrootkit.log 2>&1 &
```
| Status | Meaning | Action |
|---|---|---|
| INFECTED | Rootkit signature detected | Immediate investigation required |
| SUSPICIOUS | Suspicious pattern found | Review manually |
| WARNING | Potential issue identified | Monitor and log |
| OKAY | No issues detected | No action needed |
```text
# INFECTED example - immediate concern
INFECTED: Possible Showtee Rootkit ($somewhere)
# SUSPICIOUS example - needs investigation
SUSPICIOUS: /usr/lib/lib64 directory (/lib64 -> /usr/lib64 is normal on 64-bit)
# OKAY example - normal
PASSWD: /etc/passwd OK
SHADOW: /etc/shadow OK
```
```text
# Add to crontab for nightly checks
# Run every night at 2 AM
0 2 * * * /usr/bin/chkrootkit -q >> /var/log/chkrootkit-daily.log 2>&1
# Weekly detailed scan on Sundays
0 3 * * 0 /usr/bin/chkrootkit -v >> /var/log/chkrootkit-weekly.log 2>&1
```

```bash
# Send results to syslog
sudo chkrootkit | logger -t chkrootkit
# Grep for alerts (drop the "not infected" lines that a case-insensitive match would otherwise catch)
grep "chkrootkit" /var/log/syslog | grep -iv "not infected" | grep -i "infected\|warning"
# Some rootkits can hide from chkrootkit: use multiple tools for defense in depth
which chkrootkit # Verify tool location
md5sum /usr/bin/chkrootkit # Verify integrity
```
```bash
# Light scan for production systems
chkrootkit -l # List available checks
# Manually select non-intensive checks
# Verify suspicious findings manually
strings /bin/ls | head -20
file /bin/ls
md5sum /bin/ls
# Verify chkrootkit integrity
gpg --verify chkrootkit.asc chkrootkit.tar.gz
# Check tool hasn't been modified
ls -la /usr/bin/chkrootkit
stat /usr/bin/chkrootkit
# Document findings
sudo chkrootkit -v > /var/log/chkrootkit-$(date +%Y%m%d).log
# Compare against previous scans
diff chkrootkit-20260401.log chkrootkit-20260501.log
# Use alongside rkhunter
sudo rkhunter --check --skip-keypress
# Use with AIDE for file integrity
aide --check | grep "changed"
# Run both rootkit scanners in sequence
chkrootkit && rkhunter --check --skip-keypress
```
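The status table above and the "compare against previous scans" step both need saved chkrootkit reports turned into something a cron job or an analyst can act on. This added shell script (not part of chkrootkit; the report lines it uses are constructed in chkrootkit's output style) summarises a report by status, returns a severity exit code, and lists findings that are new since the previous run; it also handles the two traps a naive `grep -i` falls into, the lowercase "not infected" lines and the "Searching for suspicious files" banner.

```shell
#!/bin/sh
# Added example, not part of chkrootkit: triage saved reports (captured with
# `sudo chkrootkit > report.txt`) and list findings new since the last run.
export LC_ALL=C   # bytewise collation so sort(1) and comm(1) agree

# Finding lines only. "not infected" is dropped first, and the status tokens are
# matched case-sensitively so the "Searching for suspicious files..." banner is skipped.
chk_findings() {
    grep -iv 'not infected' "$1" | grep -E 'INFECTED|SUSPICIOUS|Warning|WARNING' | sort -u
}
# "INFECTED=n SUSPICIOUS=n WARNING=n", each line counted once under its most
# severe token (INFECTED > SUSPICIOUS > WARNING).
chk_summary() {
    chk_findings "$1" | awk '
        index($0, "INFECTED")   { i++; next }
        index($0, "SUSPICIOUS") { s++; next }
        { w++ }
        END { printf "INFECTED=%d SUSPICIOUS=%d WARNING=%d\n", i, s, w }'
}
# Exit status for cron or a monitoring wrapper: 2 infected, 1 needs review, 0 clean.
chk_severity() {
    case "$(chk_summary "$1")" in
        "INFECTED=0 SUSPICIOUS=0 WARNING=0") return 0 ;;
        "INFECTED=0 "*)                     return 1 ;;
        *)                                  return 2 ;;
    esac
}
# Findings present in the newer report that the older one lacked.
chk_new_findings() {
    old=$(mktemp); new=$(mktemp)
    chk_findings "$1" > "$old"; chk_findings "$2" > "$new"
    comm -13 "$old" "$new"; rm -f "$old" "$new"
}

# Constructed sample reports in chkrootkit's output style (not real scan data).
OLD_REPORT=$(mktemp); NEW_REPORT=$(mktemp)
trap 'rm -f "$OLD_REPORT" "$NEW_REPORT"' EXIT
cat > "$OLD_REPORT" <<'EOF'
Checking `ps'... not infected
Searching for suspicious files and dirs, it may take a while...
SUSPICIOUS: /usr/lib/lib64 directory (/lib64 -> /usr/lib64 is normal on 64-bit)
EOF
cat > "$NEW_REPORT" <<'EOF'
Checking `ps'... INFECTED
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
SUSPICIOUS: /usr/lib/lib64 directory (/lib64 -> /usr/lib64 is normal on 64-bit)
EOF
echo "old: $(chk_summary "$OLD_REPORT")"; echo "new: $(chk_summary "$NEW_REPORT")"
echo "new since last scan:"; chk_new_findings "$OLD_REPORT" "$NEW_REPORT"
```

Point `chk_severity` at the nightly log from the crontab entry above and alert on a non-zero exit; `chk_new_findings` against yesterday's log keeps long-standing false positives such as the /usr/lib/lib64 notice from paging anyone twice.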
| Issue | Solution |
|---|---|
| Permission denied | Run with sudo |
| Command not found | Install package or check PATH |
| Slow scan | Use -s flag or schedule during off-hours |
| False positives | Investigate with strings, file, md5sum |
```bash
# Verify installation
which chkrootkit
chkrootkit -V
# Check for required tools
which md5sum
which find
which strings
# Test basic functionality
chkrootkit -l
# Check for configuration files
ls -la /etc/chkrootkit*
# View man page
man chkrootkit
# Online resources
# Visit: http://www.chkrootkit.org
```