chkrootkit - Scan the system for signs of rootkits
chkrootkit [OPTION]... [TESTNAME]...
chkrootkit examines the target system for signs that it has
been tampered with. Some tools which chkrootkit uses can be found in
/usr/lib/chkrootkit.
Unlike most programmes, chkrootkit does not accept combined options, so you
must write '-q -n' instead of '-qn'.
- -q
  Enter quiet mode. This suppresses output of tests that find nothing
  suspicious.
- -x
  Enter expert mode. This makes many tests produce additional output
  showing what they have found.
- -d
  Enter debug mode. This shows exactly what chkrootkit is doing at every
  step (it includes running chkrootkit with 'set -x').
- -e "FILE1[ FILE2...]"
  Exclude the listed files from the results of some tests. The list should be
  space-separated (which will generally require quoting when run from a
  shell; you can also specify -e several times). Use this to remove
  false positives from the results of many tests - see
  /usr/share/doc/chkrootkit/README.FALSE-POSITIVES.
- -s REGEXP
  Similar to -e but only applies to the result of the sniffer test.
  This test will flag standard network managers like
  systemd-networkd(1), NetworkManager(1) or wpa_supplicant(1)
  as PACKET SNIFFERs, and you can remove such messages from
  the output with something like
  chkrootkit -s '(systemd-networkd|NetworkManager|wpa_supplicant)',
  where the argument lists whichever managers you expect to be present. The
  argument can be any regular expression understood by egrep(1).
- -p DIR1[:DIR2...]
  Specify an alternative $PATH. chkrootkit assumes that
  standard programmes, like find(1) and grep(1), are
  uncompromised. The intention is that you place trusted copies where they
  cannot be modified and invoke chkrootkit with something like
  chkrootkit -p /media/usb
- -r DIR
  Use DIR as the root directory. For example, you might
  mount a disk on an uncompromised system and run
  chkrootkit -r /mnt
- -n
  Make some tests ignore NFS-mounted directories.
- -l
  Print the available tests. These are the following:
  aliens asp bindshell lkm rexedcs sniffer w55808 wted
  scalper slapper z2 chkutmp OSX_RSPLUG amd basename biff chfn chsh cron crontab
  date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd
  inetdconf identd init killall ldsopreload login ls lsof mail mingetty netstat
  named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail
  sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write
- -h
  Print a short help message and exit.
- -V
  Print version information and exit.
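As an added example (not part of chkrootkit or this manual page), a wrapper script that combines the -q, -n, -p, -r and -s options described above into a scan from trusted media and triages the output by exit status. The mount points /media/usb and /mnt, the process names in the constructed sample output, and the exit-code scheme are assumptions made for the example.

```shell
#!/bin/sh
# Added example: a defender-side wrapper around chkrootkit; not part of chkrootkit
# or its manual. Assumed, not taken from the man page: trusted tools mounted at
# /media/usb, the suspect disk mounted at /mnt, and the shape of the sample lines.

TRUSTED_PATH=${TRUSTED_PATH:-/media/usb}   # assumed: read-only media with known-good find, grep, ...
SUSPECT_ROOT=${SUSPECT_ROOT:-/mnt}          # assumed: offline mount of the disk under examination
KNOWN_MANAGERS='(systemd-networkd|NetworkManager|wpa_supplicant)'  # egrep regexp for -s

# Map one line of chkrootkit output to a triage class.
classify_line() {
    case $1 in
        *INFECTED*)         echo infected ;;  # a test matched a rootkit signature
        *"PACKET SNIFFER"*) echo review ;;    # promiscuous interface not excused by -s
        *"not tested"*)     echo skipped ;;   # test did not run; never count it as clean
        *)                  echo info ;;
    esac
}

# Read chkrootkit output on stdin and return 2 on infection, 1 if anything needs
# review, 0 when quiet mode left nothing to look at.
summarize() {
    status=0
    while IFS= read -r line; do
        case $(classify_line "$line") in
            infected)       status=2 ;;
            review|skipped) if [ "$status" -lt 1 ]; then status=1; fi ;;
        esac
    done
    return "$status"
}

# Real run. Options are separate words because chkrootkit rejects combined ones like -qn.
run_scan() {
    chkrootkit -q -n -p "$TRUSTED_PATH" -r "$SUSPECT_ROOT" -s "$KNOWN_MANAGERS" | summarize
}

# Constructed sample of quiet-mode output (clean tests print nothing) for a dry run.
sample_output() {
    cat <<'EOF'
Checking `ls'... INFECTED
Checking `lkm'... not tested: can't exec ./chkproc
eth0: PACKET SNIFFER(/usr/sbin/tcpdump[4242])
EOF
}
case ${1:-} in
    --scan)    run_scan ;;                   # exit status 2/1/0 reflects the findings
    --dry-run) sample_output | summarize ;;  # exercise the triage logic offline
esac
```

Run it with --dry-run to see the triage on the sample lines, or with --scan after mounting the trusted media and the suspect disk.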
Manual page written by Yotam Rubin
<yotam@makif.omer.k12.il>, Marcos Fouces
<marcos@debian.org> and lantz moore
<lmoore@debian.org> for the Debian project. It may be used by
others.
strings(1) chklastlog(8) chkwtmp(8)