chkrootkit - Scan the system for signs of rootkits
chkrootkit [OPTIONS] [TEST...]
chkrootkit examines the target system for signs that it has
been tampered with. Some tools which chkrootkit uses can be found in
/usr/lib/chkrootkit.
Unlike most programmes, options cannot be combined, so you need
to write '-q -n' instead of '-qn'.
- -q
- Enter quiet mode. This suppresses output of tests that find nothing
suspicious.
- -x
- Enter expert mode. This makes many tests produce additional output
showing what they have found.
- -d
- Enter debug mode. This shows exactly what chkrootkit is doing at every
step (it includes running chkrootkit with set -x).
- -e "FILE1[ FILE2...]"
- Exclude the listed files from the results of some tests. The list is
space-separated (which will generally require quoting when run from a
shell). You can also specify -e several times. Use this to remove
false positives from the results of many tests; see
/usr/share/doc/chkrootkit/README.FALSE-POSITIVES.gz.
- -s REGEXP
- Similar to -e, but only applies to the result of the sniffer test.
This test will class standard network managers like
systemd-networkd(1), NetworkManager(1) or
wpa_supplicant(1) as packet sniffers. You can remove such messages
from the output with something like chkrootkit -s
'(systemd-networkd|NetworkManager|wpa_supplicant)' (you may want to
use a more precise regular expression; see
/etc/chkrootkit/chkrootkit.conf). The argument can be any regular
expression understood by egrep(1) and is applied to every line of
the output of the ifpromisc test.
- -p DIR1[:DIR2...]
- Specify an alternative $PATH. chkrootkit assumes that
standard programmes, like find(1) and grep(1), are
uncompromised. The intention is that you place trusted copies of such
binaries where they cannot be modified and invoke it with something like
chkrootkit -p /media/usb.
- -r DIR
- Use DIR as the root directory. For example, you might mount a
compromised disk on an uncompromised system and run chkrootkit -r
/mnt.
- -n
- Make some tests ignore NFS-mounted directories.
- -T FSTYPE
- Make some tests ignore file systems of type FSTYPE. This uses
find(1)'s -fstype option.
- -l
- Print available tests.
- -h
- Print a short help message and exit.
- -V
- Print version information and exit.
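The following added example (not part of chkrootkit itself) emulates how the -s regular expression is applied line by line to the ifpromisc output, contrasts the manual's loose expression with a path-anchored one, and assembles the trusted-PATH and alternative-root invocation described under -p and -r; the sample output lines and binary paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not chkrootkit's own code): emulate the -s REGEXP filter on
# ifpromisc-style output and build the invocation described in the manual.

# Constructed sample lines in the style of ifpromisc output (not real output).
SAMPLE_IFPROMISC='eth0: PF_PACKET(/usr/sbin/NetworkManager)
wlan0: PF_PACKET(/sbin/wpa_supplicant)
eth0: PF_PACKET(/usr/bin/tcpdump)
eth0: PF_PACKET(/tmp/.x/NetworkManager)'

# Loose expression, as in the manual: matches the name anywhere on the line.
LOOSE_RE='(systemd-networkd|NetworkManager|wpa_supplicant)'
# Precise expression (assumed install paths): only those binaries are ignored.
PRECISE_RE='\((/usr/sbin/NetworkManager|/sbin/wpa_supplicant|/lib/systemd/systemd-networkd)\)'

# Emulates -s: drop every line matching the regexp, with egrep(1) semantics.
filter_sniffer_output() {
    grep -E -v -e "$1"
}

# Count the lines that would still be reported with a given -s expression.
reported_count() {
    printf '%s\n' "$SAMPLE_IFPROMISC" | filter_sniffer_output "$1" | grep -c .
}

# Build the invocation the manual describes: trusted binaries in $1 (-p),
# the suspect disk mounted at $2 (-r), quiet, NFS ignored, precise -s filter.
build_chkrootkit_cmd() {
    printf "chkrootkit -q -n -p '%s' -r '%s' -s '%s'\n" "$1" "$2" "$PRECISE_RE"
}

# The loose expression also hides the copy under /tmp; the precise one keeps it.
echo "loose:   $(reported_count "$LOOSE_RE") line(s) still reported"
echo "precise: $(reported_count "$PRECISE_RE") line(s) still reported"
build_chkrootkit_cmd /media/usb /mnt
```

Run it as a plain shell script; it only prints the counts and the command line, and does not execute chkrootkit.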
Manual page written by Yotam Rubin
<yotam@makif.omer.k12.il>, Marcos Fouces <marcos@debian.org>,
Lantz Moore <lmoore@debian.org>, and Richard Lewis
<richard.lewis.debian@googlemail.com> for the Debian project. It may
be used by others.
strings(1), chklastlog(8), chkwtmp(8)