Chkrootkit (check rootkit) is a tool for detecting rootkits (malicious programs that hide their presence) in an operating system:

    • It is a free and open-source utility available in many distributions.
    • It can detect almost all current rootkits.

    Installation:

    apt-get install chkrootkit  
    
    root@kvmde58-21295:~# apt-get install chkrootkit  
    Reading package lists... Done  
    Building dependency tree  
    Reading state information... Done  
    The following NEW packages will be installed:  
      chkrootkit
    0 upgraded, 1 newly installed, 0 to remove and 73 not upgraded.  
    Need to get 318 kB of archives.  
    After this operation, 1013 kB of additional disk space will be used.  
    Get:1 http://mirror.fornex.org/ubuntu bionic-updates/universe amd64 chkrootkit amd64 0.52-1ubuntu0.1 [318 kB]  
    Fetched 318 kB in 0s (8012 kB/s)  
    Preconfiguring packages ...  
    Selecting previously unselected package chkrootkit.  
    (Reading database ... 126487 files and directories currently installed.)
    Preparing to unpack .../chkrootkit_0.52-1ubuntu0.1_amd64.deb ...  
    Unpacking chkrootkit (0.52-1ubuntu0.1) ...  
    Setting up chkrootkit (0.52-1ubuntu0.1) ...  
    Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
    
    

    Next, you can download the latest version of the source archive and unpack it into a temporary directory:

    wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz  
    tar xvfz chkrootkit.tar.gz  
    cd chkrootkit-*/  
    make sense  
    
    root@kvmde58-21295:~# wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz  
    --2021-02-15 14:16:41-- ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
               => 'chkrootkit.tar.gz'
    Resolving ftp.pangeia.com.br (ftp.pangeia.com.br)... 187.33.4.179  
    Connecting to ftp.pangeia.com.br (ftp.pangeia.com.br)|187.33.4.179|:21... connected.  
    Logging in as anonymous ... Logged in!  
    ==> SYST ... done.    ==> PWD ... done.
    ==> TYPE I ... done.  ==> CWD (1) /pub/seg/pac ... done.
    ==> SIZE chkrootkit.tar.gz ... 41461
    ==> PASV ... done.    ==> RETR chkrootkit.tar.gz ... done.
    Length: 41461 (40K) (unauthoritative)  
    
    chkrootkit.tar.gz 100%[=====================================>] 40.49K 65.7KB/s in 0.6s  
    
    2021-02-15 14:16:44 (65.7 KB/s) - 'chkrootkit.tar.gz' saved [41461]  
    
    root@kvmde58-21295:~# tar xvfz chkrootkit.tar.gz  
    chkrootkit-0.54/ACKNOWLEDGMENTS  
    chkrootkit-0.54/check_wtmpx.c  
    chkrootkit-0.54/chk54.tgz  
    chkrootkit-0.54/chkdirs.c  
    chkrootkit-0.54/chklastlog.c  
    chkrootkit-0.54/chkproc.c  
    chkrootkit-0.54/chkrootkit  
    chkrootkit-0.54/chkrootkit.lsm  
    chkrootkit-0.54/chkutmp.c  
    chkrootkit-0.54/chkwtmp.c  
    chkrootkit-0.54/COPYRIGHT  
    chkrootkit-0.54/ifpromisc.c  
    chkrootkit-0.54/Makefile  
    chkrootkit-0.54/README  
    chkrootkit-0.54/README.chklastlog  
    chkrootkit-0.54/README.chkwtmp  
    chkrootkit-0.54/strings.c  
    root@kvmde58-21295:~# cd chkrootkit-*/  
    root@kvmde58-21295:~/chkrootkit-0.54# make sense
    
    

    You can then move the chkrootkit directory to another location, such as /usr/local/chkrootkit:

    cd ..  
    mv chkrootkit-<version> /usr/local/chkrootkit  
    

    Then create a symlink for easy access:

    ln -s /usr/local/chkrootkit/chkrootkit /usr/local/bin/chkrootkit  
    

    Options of the chkrootkit utility:

    • -h - view help.
    • -V - view the version.
    • -l - list the tests/checks that the program supports.
    • [test type] - run only the specified tests (for example, chkrootkit aliens sniffer).
    • -d - enable debug mode.
    • -q - quiet mode: minimal output; only messages about infected files are printed.
    • -x - expert mode: print every action performed on each file being examined.
    • -r dir - use the specified directory as the root directory.
    • -n - skip checks on NFS-mounted partitions.
    • -p dir1:dir2:dirN - paths to the external programs used by chkrootkit.

    To check your server with chkrootkit, run the command:

    chkrootkit  
    
    chkrootkit  
    ROOTDIR is `/'  
    Checking `amd'... not found  
    Checking `basename'... not infected  
    Checking `biff'... not found  
    Checking `chfn'... not infected  
    Checking `chsh'... not infected  
    Checking `cron'... not infected  
    Checking `crontab'... not infected  
    Checking `date'... not infected  
    Checking `du'... not infected  
    Checking `dirname'... not infected  
    Checking `echo'... not infected  
    Checking `egrep'... not infected  
    Checking `env'... not infected  
    Checking `find'... not infected  
    Checking `fingerd'... not found  
    Checking `gpm'... not found  
    Checking `grep'... not infected  
    Checking `hdparm'... not infected  
    Checking `su'... not infected  
    Checking `ifconfig'... not infected  
    Checking `inetd'... not infected  
    Checking `inetdconf'... not found  
    Checking `identd'... not found  
    Checking `init'... not infected  
    Checking `killall'... not infected  
    Checking `ldsopreload'... not infected  
    Checking `login'... not infected  
    Checking `ls'... not infected  
    Checking `lsof'... not infected  
    Checking `mail'... not infected  
    Checking `mingetty'... not found  
    Checking `netstat'... not infected  
    Checking `named'... not found  
    Checking `passwd'... not infected  
    Checking `pidof'... not infected  
    Checking `pop2'... not found  
    Checking `pop3'... not found  
    Checking `ps'... not infected  
    Checking `pstree'... not infected  
    Checking `rpcinfo'... not found  
    Checking `rlogind'... not found  
    Checking `rshd'... not found  
    Checking `slogin'... not infected  
    Checking `sendmail'... not infected  
    Checking `sshd'... not infected  
    Checking `syslogd'... not tested  
    Checking `tar'... not infected  
    Checking `tcpd'... not found  
    Checking `tcpdump'... not infected  
    Checking `top'... not infected  
    Checking `telnetd'... not found  
    Checking `timed'... not found  
    Checking `traceroute'... not found  
    Checking `vdir'... not infected  
    Checking `w'... not infected  
    Checking `write'... not infected  
    Checking `aliens'... no suspect files  
    Searching for sniffer's logs, it may take a while...        nothing found  
    Searching for rootkit HiDrootkit's default files...         nothing found  
    Searching for rootkit t0rn's default files...               nothing found  
    Searching for t0rn's v8 defaults...                         nothing found  
    Searching for rootkit Lion's default files...               nothing found  
    Searching for rootkit RSHA's default files...               nothing found  
    Searching for rootkit RH-Sharpe's default files...          nothing found  
    Searching for Ambient's rootkit (ark) default files and dirs... nothing found  
    Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found  
    /lib/modules/4.15.0-128-generic/vdso/.build-id /lib/modules/4.15.0-106-generic/vdso/.build-id
    Searching for LPD Worm files and dirs...                    nothing found  
    Searching for Ramen Worm files and dirs...                  nothing found  
    Searching for Maniac files and dirs...                      nothing found  
    Searching for TC2 Worm default files and dirs...            nothing found  
    Searching for Anonoying rootkit default files and dirs...   nothing found  
    Searching for ZK rootkit default files and dirs...          nothing found  
    Searching for ShKit rootkit default files and dirs...       nothing found  
    Searching for AjaKit rootkit default files and dirs...      nothing found  
    Searching for zaRwT rootkit default files and dirs...       nothing found  
    Searching for Madalin rootkit default files...              nothing found  
    Searching for Fu rootkit default files...                   nothing found  
    Searching for ESRK rootkit default files...                 nothing found  
    Searching for rootedoor...                                  nothing found  
    Searching for ENYELKM rootkit default files...              nothing found  
    Searching for common ssh-scanners default files...          nothing found  
    Searching for Linux/Ebury - Operation Windigo ssh...        not tested  
    Searching for 64-bit Linux Rootkit ...                      nothing found  
    Searching for 64-bit Linux Rootkit modules...               nothing found  
    Searching for Mumblehard Linux ...                          nothing found  
    Searching for Backdoor.Linux.Mokes.a ...                    nothing found  
    Searching for Malicious TinyDNS ...                         nothing found  
    Searching for Linux.Xor.DDoS ...                            nothing found  
    Searching for Linux.Proxy.1.0 ...                           nothing found  
    Searching for suspect PHP files ...                          nothing found  
    Searching for anomalies in shell history files...           nothing found  
    Checking `asp'... not infected  
    Checking `bindshell'...                                     INFECTED PORTS: ( 465)  
    Checking `lkm'... chkproc: nothing detected  
    chkdirs: nothing detected  
    Checking `rexedcs'... not found  
    Checking `sniffer'... lo: no promisc and no packet sniffer sockets  
    eth0: no promisc and no packet sniffer sockets  
    Checking `w55808'... not infected  
    Checking `wted'... chkwtmp: nothing deleted  
    Checking `scalper'... not infected  
    Checking `clapper'... not infected  
    Checking `z2'... chklastlog: nothing deleted  
    Checking `chkutmp'... chkutmp: nothing deleted  
    Checking `OSX_RSPLUG'... not tested
    
    

    While running, chkrootkit reports one of the following results for each test:

    • INFECTED - the program matches the signature of known malicious code (a rootkit)
    • not infected - no known rootkit signatures were found
    • not tested - the test was not performed, for one of the following reasons:
        • the test does not apply to the current operating system
        • a required external program is not available
        • shell options were set to disable the test
    • not found - the program was not found, so it was not tested
    • Vulnerable but disabled - the program is infected but is not in use (not running) at the moment of the check

    In the report above we can see a line like this:

    Checking `bindshell'... INFECTED PORTS: ( 465)  
    

    Do not worry if you get this message on a mail server: port 465 is the SMTPS (secure SMTP) port of your mail system, and this is a well-known false positive.

    By default, chkrootkit runs a full system scan with all available tests. If the scanner detects something suspicious, it only reports the problem; it does not remove or fix anything. The user has to handle each alert themselves, studying the problem carefully and making sure it is a real threat rather than an error or a false alarm.


    You can also run chkrootkit from a cron job and receive the results by e-mail.
    First, find out where chkrootkit is installed on your server:

    which chkrootkit  
    
    root@kvmde58-21295:~# which chkrootkit  
    /usr/sbin/chkrootkit
    

    Chkrootkit is installed at /usr/sbin/chkrootkit; this path is needed in the cron line below. Open the crontab for editing:

    crontab -e  
    

    For example:

    0 3 * * * /usr/sbin/chkrootkit 2>&1 | mail -s "chkrootkit Report" your_mail@box  
    

    The check will run daily at 3 a.m.
    Replace the chkrootkit path with the one returned by the which command above, and specify the mail address the report should be sent to.
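    The cron line above mails the complete report every night, including the false positives discussed earlier. The wrapper below is an added example, not code from the original article: it keeps only the report lines a person still needs to look at, drops the two benign hits this page discusses (SMTPS on port 465 and the kernel vdso .build-id directories), and mails only when the set of findings has changed since the previous run. It assumes chkrootkit and mail(1) are on PATH, that port 465 really is your mail server's SMTPS listener, and that /var/lib/chkrootkit-wrapper is writable by root; the sample reports inside it are constructed, not real scan output.

```shell
#!/bin/sh
# Cron wrapper for chkrootkit (added example, not from the original page).
# Assumed: chkrootkit and mail(1) on PATH, port 465 is this host's SMTPS
# listener, and /var/lib/chkrootkit-wrapper is writable by root.

# Result strings chkrootkit prints when a test finds nothing.
CLEAN_RE='not infected|not found|nothing found|nothing detected|nothing deleted|no suspect files|not tested|no promisc|^ROOTDIR is'
# Site allow list: bindshell on 465 only when it is the sole port listed,
# the kernel vdso .build-id directories, and the banner preceding them.
ALLOW_RE='INFECTED PORTS: \( *465\)$|^/lib/modules/[^ ]*/vdso/\.build-id$|suspicious files and directories were found$'

# filter_report: raw chkrootkit report on stdin -> lines that need a human.
filter_report() {
    grep -E -v "$CLEAN_RE" | grep -E -v "$ALLOW_RE" | grep -E -v '^[[:space:]]*$' || true
}

# findings_changed STATEFILE: filtered findings on stdin; exit 0 when they
# differ from the previous run; the new set is recorded either way.
findings_changed() {
    new="$(cat)"
    old=""; [ -f "$1" ] && old="$(cat "$1")"
    printf '%s\n' "$new" > "$1"
    [ "$new" != "$old" ]
}

# Constructed reports (not real scan output) for trying the filter offline.
sample_clean() { cat <<'EOF'
ROOTDIR is `/'
Checking `bindshell'...                                     INFECTED PORTS: ( 465)
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found
/lib/modules/4.15.0-128-generic/vdso/.build-id
Checking `lkm'... chkproc: nothing detected
EOF
}
sample_suspect() { cat <<'EOF'
Checking `bindshell'...                                     INFECTED PORTS: ( 465 4444)
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found
/lib/modules/4.15.0-128-generic/vdso/.build-id /tmp/.constructed-example
Checking `lkm'... chkproc: nothing detected
EOF
}
# Cron entry (assumed path): 0 3 * * * /usr/local/sbin/chkrootkit-wrapper --run
main() {
    state=/var/lib/chkrootkit-wrapper/last-findings
    mkdir -p "$(dirname "$state")"
    findings="$(chkrootkit 2>&1 | filter_report)"
    if printf '%s\n' "$findings" | findings_changed "$state"; then
        printf '%s\n' "$findings" | mail -s "chkrootkit: findings changed on $(hostname)" root
    fi
}
if [ "${1:-}" = "--run" ]; then main; fi
```

    Before allow-listing port 465 on a host, confirm with ss -ltnp '( sport = :465 )' that the listening process is your mail daemon; a second port next to 465, as in the constructed sample, is deliberately not allow-listed and is still reported.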


    If you have configuration difficulties or further questions, you can always contact our support team via the ticket system.