Installing and using chkrootkit

How to scan your server for rootkits and set up automated security checks.

Chkrootkit (check rootkit) is a free, open-source tool for detecting rootkits and other malicious software on Linux systems. It can identify virtually all known modern rootkits and is available in most major distributions.

The tool works on both VPS and dedicated servers.

Installation

Option 1 — via package manager (recommended):

apt-get install chkrootkit

Option 2 — build from source (to get the latest version):

wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvfz chkrootkit.tar.gz
cd chkrootkit-*/
make sense

Once built, move it somewhere sensible:

cd ..
mv chkrootkit-*/ /usr/local/chkrootkit

Create a symlink so you can call it from anywhere:

ln -s /usr/local/chkrootkit/chkrootkit /usr/local/bin/chkrootkit

Command-line options

Option         Description
-h             Show help
-V             Show version
-l             List all available tests
-d             Enable debug mode
-q             Quiet mode — only output infected files
-x             Extended mode — verbose output for every file checked
-r dir         Use the specified directory as root
-n             Skip checks on NFS mounts
-p dir1:dir2   Specify paths for external programs used by chkrootkit

Running a scan

To run a full system check:

chkrootkit

Sample output:

ROOTDIR is `/'
Checking `amd'...                                           not found
Checking `basename'...                                      not infected
Checking `cron'...                                          not infected
Checking `find'...                                          not infected
Checking `ls'...                                            not infected
Checking `ps'...                                            not infected
Checking `sshd'...                                          not infected
...
Checking `bindshell'...                                     INFECTED (PORTS: 465)
...

Understanding the output

Status                   Meaning
not infected             No known rootkit signatures detected
INFECTED                 The program matches a known rootkit or malware signature
not found                The program wasn't found on the system and wasn't checked
not tested               Test skipped — not applicable to this OS, missing dependency, or disabled by a flag
Vulnerable but disabled  Program is infected but not currently running

Known false positive: if you see Checking `bindshell'... INFECTED (PORTS: 465) on a mail server, don't panic. The bindshell test flags listeners on ports that known bindshell backdoors have used, and 465 is one of them; on a mail server that port is legitimately SMTPS (SMTP over TLS), so this is a well-documented false alarm that chkrootkit has always triggered on mail servers. To confirm, check with ss -ltnp (or netstat -ltnp) that the process listening on port 465 is your mail daemon and nothing else.

Important

chkrootkit reports problems — it doesn't fix them. Every warning needs to be investigated manually to determine whether it's a genuine threat or a false positive before taking any action.

Automating scans with cron

You can schedule regular scans and have the results emailed to you automatically.

First, find the full path to chkrootkit:

which chkrootkit

Output:

/usr/sbin/chkrootkit

Open your crontab:

crontab -e

Add a job — for example, to run a full scan every night at 3:00 AM:

0 3 * * * /usr/sbin/chkrootkit 2>&1 | mail -s "chkrootkit Report" your@email.com

Replace the path with the one returned by which chkrootkit and update the email address to your own.
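The two sections above, "Understanding the output" and "Automating scans with cron", come together in the following added example. It is not part of chkrootkit or of this guide's own commands: a small POSIX shell script that filters chkrootkit output down to INFECTED lines that have not been explained (suppressing only the documented bindshell/465 case), plus a cron wrapper that keeps the full log on disk and mails only when something unexplained turns up. The sample output, the allowlist regex, the log directory, the binary path and the mail address are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of chkrootkit or this guide's own commands):
# filter chkrootkit output down to unexplained INFECTED findings and use that
# filter in a cron wrapper that mails only when something needs attention.

# Constructed sample of chkrootkit output in the format shown above; the
# quoted heredoc delimiter keeps the backticks literal.
SAMPLE_OUTPUT=$(cat <<'EOF'
ROOTDIR is `/'
Checking `amd'...                                           not found
Checking `basename'...                                      not infected
Checking `bindshell'...                                     INFECTED (PORTS: 465)
Checking `lkm'...                                           not tested
Checking `ls'...                                            INFECTED
EOF
)

# Findings that have already been investigated and explained (extended regex).
# The bindshell entry is anchored on the exact port list so that a listener
# on 465 plus any other port is still reported.
ALLOWLIST='bindshell.*INFECTED \(PORTS: 465\)[[:space:]]*$'

# Read chkrootkit output on stdin and print the INFECTED lines that the
# allowlist does not explain. "not infected" is lower-case, so a
# case-sensitive match on INFECTED selects only positive results.
unexplained_findings() {
    grep 'INFECTED' | grep -v -E "$ALLOWLIST"
}

# Number of unexplained findings on stdin (0 when the scan is clean).
count_findings() {
    unexplained_findings | wc -l | tr -d ' '
}

# Cron-side wrapper. Paths and address are assumptions for this example;
# use the path printed by "which chkrootkit" and your own address.
CHKROOTKIT=/usr/sbin/chkrootkit
LOGDIR=/var/log/chkrootkit
MAILTO=your@email.com

nightly_scan() {
    mkdir -p "$LOGDIR"
    log="$LOGDIR/$(date +%Y%m%d).log"
    # Keep the complete log on disk for later investigation; mail only the
    # filtered findings. Returns 1 when something needs a look, 0 otherwise.
    "$CHKROOTKIT" >"$log" 2>&1
    findings=$(unexplained_findings <"$log")
    if [ -n "$findings" ]; then
        printf '%s\n\nFull log: %s\n' "$findings" "$log" |
            mail -s "chkrootkit: unexplained findings on $(hostname)" "$MAILTO"
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample (the only part that runs without
# chkrootkit installed): prints the `ls' line and suppresses bindshell/465.
printf '%s\n' "$SAMPLE_OUTPUT" | unexplained_findings
```

To use it from cron, save the script somewhere such as /usr/local/sbin/chkrootkit-nightly (an assumed path), replace the demonstration line at the bottom with a call to nightly_scan, and point the crontab entry at the script instead of at chkrootkit directly. Every entry you add to ALLOWLIST should correspond to a finding you have actually investigated and explained, and the full log stays in LOGDIR so the suppressed lines can still be reviewed.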

Help

If you have any questions or need assistance, please contact us through the ticket system — we're always here to help!
