
chkrootkit(8) System Manager's Manual chkrootkit(8)

NAME

chkrootkit - Scan the system for signs of rootkits

SYNOPSIS

chkrootkit [OPTION]... [TESTNAME]...

DESCRIPTION

chkrootkit examines the target system for signs that it has been tampered with. Some tools which chkrootkit uses can be found in /usr/lib/chkrootkit. Because chkrootkit runs on the system under examination, its results are only as trustworthy as the binaries and kernel it relies on; see the -p and -r options below for running it with trusted tools against a mounted disk.

OPTIONS

Unlike most programs, options cannot be combined, so you must write '-q -n' rather than '-qn'.

-q
Enter quiet mode. This suppresses output of tests that find nothing suspicious.

-x
Enter expert mode. This makes many tests produce additional output showing what they have found.

-d
Enter debug mode. This shows exactly what chkrootkit is doing at every step (it includes running chkrootkit with 'set -x').

-e "FILE1 [FILE2...]"
Exclude listed files from the results of some tests. The list should be space-separated (which will generally require quoting when run from a shell; you can also specify -e several times). Use this to remove false positives from the result of many tests; see /usr/share/doc/chkrootkit/README.FALSE-POSITIVES.

-s REGEXP
Similar to -e but only applies to the result of the sniffer test. This test will flag standard network managers like systemd-networkd(1), NetworkManager(1) or wpa_supplicant(1) as PACKET SNIFFERs, and you can remove such messages from the output with something like chkrootkit -s '(systemd-networkd|NetworkManager|wpa_supplicant)', where the argument lists whichever managers you expect to be present. The argument can be any regular expression understood by egrep(1).

-p DIR1[:DIR2...]
Specify an alternative $PATH. chkrootkit assumes that standard programs, like find(1) and grep(1), are uncompromised. The intention is that you place trusted copies where they cannot be modified and invoke with something like chkrootkit -p /media/usb.

-r DIR
Use DIR as the root directory. For example, you might mount a disk on an uncompromised system and run chkrootkit -r /mnt.

-n
Make some tests ignore NFS-mounted directories.

-l
Print available tests. These are the following:
aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG amd basename biff chfn chsh cron crontab date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write

-h
Print a short help message and exit.

-V
Print version information and exit.
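
EXAMPLE

The following script is an added example, not part of chkrootkit or this manual page. It assembles the invocation the options above describe (quiet mode, NFS skipped, trusted tools via -p, a mounted disk via -r, expected sniffers via -s, a benign path via -e) and then filters a report the way -s does, so that only lines worth a responder's attention remain. The paths /media/usb/bin and /mnt, the excluded path /usr/lib/debug/.build-id, and every line returned by sample_report are constructed assumptions for this example; the report imitates chkrootkit's "Checking `test'... result" output and is not a real scan.

```sh
#!/bin/sh
# Added example; not part of chkrootkit or its manual page.
# Assumptions not taken from the man page: trusted copies of find, grep, ls,
# ps, netstat etc. live on read-only media at /media/usb/bin, the suspect
# disk is mounted at /mnt, and /usr/lib/debug/.build-id is a known benign
# hit to exclude. The report returned by sample_report is constructed to
# imitate chkrootkit's "Checking `test'... result" lines; it is not real output.

# Build the scan command: quiet mode, skip NFS mounts, trusted $PATH,
# alternate root, the sniffer regexp for -s, and an optional -e exclusion list.
chkrootkit_cmd() {
    trusted_bin="$1"   # directory of trusted tools, passed to -p
    target_root="$2"   # mount point examined via -r
    sniffers="$3"      # egrep(1) regexp of expected network managers, passed to -s
    exclude="${4:-}"   # space-separated paths for -e, may be empty
    cmd="chkrootkit -q -n -p '$trusted_bin' -r '$target_root' -s '$sniffers'"
    [ -n "$exclude" ] && cmd="$cmd -e '$exclude'"
    printf '%s\n' "$cmd"
}

# Constructed report; every line is made up for this example.
sample_report() {
cat <<'EOF'
ROOTDIR is `/mnt'
Checking `basename'... not infected
Checking `ls'... INFECTED
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/sbin/NetworkManager[866])
eth1: PACKET SNIFFER(/tmp/.x/sniff[4242])
Checking `lkm'... chkproc: nothing detected
Checking `bindshell'... INFECTED (PORTS:  465)
EOF
}

# Reduce a report on stdin to the lines a responder must look at:
# drop negative results, then drop sniffer hits that match the expected
# managers, the same egrep -v filtering that -s applies inside chkrootkit.
triage() {
    sniffers="$1"
    grep -E -v -e 'not infected' -e 'not found' -e 'nothing (found|detected|deleted)' \
               -e 'not promisc' -e '^ROOTDIR is' \
    | grep -E -v "PACKET SNIFFER\([^)]*(${sniffers})" \
    || :    # an empty result is not an error
}

# Number of lines left after triage; 0 means nothing to chase.
finding_count() {
    triage "$1" | grep -c .
}

# Stand-alone run over the constructed report.
EXPECTED='systemd-networkd|NetworkManager|wpa_supplicant'
echo "would run: $(chkrootkit_cmd /media/usb/bin /mnt "$EXPECTED" /usr/lib/debug/.build-id)"
echo "findings:"
sample_report | triage "$EXPECTED"
echo "count: $(sample_report | finding_count "$EXPECTED")"
```

With the expected-manager regexp the NetworkManager hit on eth0 disappears while the sniffer under /tmp, the modified ls and the bindshell port survive; with a regexp that matches nothing, the NetworkManager line is reported as well, which is the false positive -s exists to suppress. The grep that drops negative results is the only part not taken from chkrootkit's own behaviour, so extend it with care: a pattern that is too broad will hide a real finding.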

AUTHOR

Manual page written by Yotam Rubin <yotam@makif.omer.k12.il>, Marcos Fouces <marcos@debian.org> and lantz moore <lmoore@debian.org> for the Debian project. It may be used by others.

SEE ALSO

strings(1) chklastlog(8) chkwtmp(8)

October 23, 2021