chkrootkit is a tool to locally check for signs of a rootkit. It contains:
- chkrootkit: shell script that checks system binaries for rootkit modification.
- ifpromisc.c: checks if the interface is in promiscuous mode.
- chklastlog.c: checks for lastlog deletions.
- chkwtmp.c: checks for wtmp deletions.
- check_wtmpx.c: checks for wtmpx deletions (Solaris only).
- chkproc.c: checks for signs of LKM trojans (processes hidden from /proc or ps).
- chkdirs.c: checks for signs of LKM trojans (hidden directories).
- strings.c: quick and dirty strings replacement.
- chkutmp.c: checks for utmp deletions.
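The chkproc.c entry above names the check only by its purpose. The following added example, which is not chkrootkit's own code, shows the underlying technique in C: collect the PIDs that readdir() on /proc returns, then probe every PID up to pid_max with kill(pid, 0) and report the ones that are alive but missing from the listing. It also handles the classic false positive of this method: Linux accepts a thread ID in kill(), yet threads are not listed in /proc, so a candidate whose Tgid differs from its own PID is discounted. Names such as find_hidden_pids, MAX_PIDS and the fixture_* functions are this example's own; the 32768 probe ceiling assumes the default Linux pid_max, and the fixture data is constructed, not real system state.

```c
/* Added example (not chkrootkit's chkproc.c): a chkproc-style hidden-process
 * check. A kernel rootkit that hides a process usually filters readdir() on
 * /proc, but the PID still answers kill(pid, 0). */
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_PIDS 65536   /* assumption: larger than the default pid_max */

/* kill(pid, 0) sends no signal; EPERM means the process exists but we may
 * not signal it, so it still counts as alive. */
int pid_alive(pid_t pid)
{
    if (kill(pid, 0) == 0)
        return 1;
    return errno == EPERM;
}

/* Threads answer kill() but are not listed by readdir(/proc), although
 * /proc/<tid>/status is readable. A PID whose Tgid differs is a thread. */
int pid_is_thread(pid_t pid)
{
    char path[64], line[128];
    long tgid = pid;
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;   /* no status file at all: not a thread, and suspicious */
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %ld", &tgid) == 1)
            break;
    fclose(f);
    return tgid != (long)pid;
}

/* Collect the numeric entries of a /proc-like directory (the visible PIDs).
 * Returns the count, or -1 if the directory cannot be opened. */
int collect_proc_pids(const char *procdir, pid_t *out, int outmax)
{
    DIR *d = opendir(procdir);
    struct dirent *e;
    int n = 0;
    if (!d)
        return -1;
    while ((e = readdir(d)) != NULL && n < outmax) {
        char *end;
        long v = strtol(e->d_name, &end, 10);
        if (e->d_name[0] != '\0' && *end == '\0' && v > 0)
            out[n++] = (pid_t)v;
    }
    closedir(d);
    return n;
}

static int in_list(pid_t pid, const pid_t *list, int n)
{
    for (int i = 0; i < n; i++)
        if (list[i] == pid)
            return 1;
    return 0;
}

/* Core comparison, free of system calls so it runs on constructed input:
 * probe PIDs 1..maxpid through the callbacks and collect those that are
 * alive, are not threads, and are missing from `visible`. Returns the count. */
int find_hidden_pids(const pid_t *visible, int nvis, int maxpid,
                     int (*alive)(pid_t), int (*is_thread)(pid_t),
                     pid_t *hidden, int hmax)
{
    int nh = 0;
    for (pid_t pid = 1; pid <= maxpid && nh < hmax; pid++)
        if (alive(pid) && !is_thread(pid) && !in_list(pid, visible, nvis))
            hidden[nh++] = pid;
    return nh;
}

/* Constructed fixture, not real system state: PIDs 1..5 are alive, 4 is a
 * thread, and the "/proc listing" shows only 1, 2 and 5, so 3 is hidden. */
int fixture_alive(pid_t pid) { return pid >= 1 && pid <= 5; }
int fixture_is_thread(pid_t pid) { return pid == 4; }
const pid_t fixture_visible[] = { 1, 2, 5 };

int main(void)
{
    static pid_t visible[MAX_PIDS], hidden[256];
    int nvis = collect_proc_pids("/proc", visible, MAX_PIDS);
    if (nvis < 0) {
        perror("opendir /proc");
        return 1;
    }
    /* 32768 is the default Linux pid_max; read /proc/sys/kernel/pid_max
     * on hosts that raise it. */
    int nh = find_hidden_pids(visible, nvis, 32768, pid_alive, pid_is_thread,
                              hidden, 256);
    for (int i = 0; i < nh; i++)
        printf("PID %ld is alive but not listed in /proc\n", (long)hidden[i]);
    printf("%d visible, %d hidden candidate(s)\n", nvis, nh);
    return nh ? 2 : 0;
}
```

Two caveats a practitioner should keep in mind when running this on a real host. A process that starts or exits between the readdir() pass and the probe loop shows up as a transient hit, so a real scanner re-runs the comparison before alerting. On a /proc mounted with hidepid, other users' entries are hidden from readdir() and their status files are unreadable, so everything belonging to another user is reported; run the check as root there, as chkrootkit itself expects to be run.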
Chkrootkit was named one of the Top 10 Tools to Scan Linux Servers for Vulnerability and Malware by Cyber Security News.
After 25 years, still helping people around the world!
What's New
chkrootkit 0.58b is now available! (Release Date: Jul 05 2023)
This version includes:
- chkrootkit
  - New option to avoid scanning network filesystems (-T)
  - Linux BPFDoor Malware detection
  - Bug fixes
Tests performed and rootkits detected
The following tests are made:
- aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG amd basename biff chfn chsh cron crontab date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write
The following rootkits, worms and LKMs are currently detected:
01. lrk3, lrk4, lrk5, lrk6 (and variants)
02. Solaris rootkit
03. FreeBSD rootkit
04. t0rn (and variants)
05. Ambient's Rootkit (ARK)
06. Ramen Worm
07. rh[67]-shaper
08. RSHA
09. Romanian rootkit
10. RK17
11. Lion Worm
12. Adore Worm
13. LPD Worm
14. kenny-rk
15. Adore LKM
16. sh*tC Worm
17. Omega Worm
18. Wormkit Worm
19. Maniac-RK
20. dsc-rootkit
21. Ducoci rootkit
22. x.c Worm
23. RST.b trojan
24. duarawkz
25. knark LKM
26. Monkit
27. Hidrootkit
28. Bobkit
29. Pizdakit
30. t0rn v8.0
31. Showtee
32. Optickit
33. T.R.K
34. MithRa's Rootkit
35. George
36. SucKIT
37. Scalper
38. Slapper A, B, C and D
39. OpenBSD rk v1
40. Illogic rootkit
41. SK rootkit
42. sebek LKM
43. Romanian rootkit
44. LOC rootkit
45. shv4 rootkit
46. Aquatica rootkit
47. ZK rootkit
48. 55808.A Worm
49. TC2 Worm
50. Volc rootkit
51. Gold2 rootkit
52. Anonoying rootkit
53. Shkit rootkit
54. AjaKit rootkit
55. zaRwT rootkit
56. Madalin rootkit
57. Fu rootkit
58. Kenga3 rootkit
59. ESRK rootkit
60. rootedoor rootkit
61. Enye LKM
62. Lupper.Worm
63. shv5
64. OSX.RSPlug.A
65. Linux Rootkit 64Bit
66. Operation Windigo
67. Mumblehard backdoor/botnet
68. Linux.Xor.DDoS Malware
69. Backdoors.linux.Mokes.a
70. Linux.Proxy.10
71. Rocke Monero Miner
72. Umbreon Linux Rootkit
73. Linux BPFDoor
74. Kovid Rootkit
75. Syslogk Rootkit