Projects / chkrootkit

chkrootkit

chkrootkit is a tool to locally check for signs of a rootkit. It contains a chkrootkit: shell script that checks system binaries for rootkit modification. The following tests are made: aliens, asp, bindshell, lkm, rexedcs, sniffer, wted, z2, amd, basename, biff, chfn, chsh, cron, date, du, dirname, echo, egrep, env, find, fingerd, gpm, grep, hdparm, su, ifconfig, inetd, inetdconf, identd, killall, login, ls, mail, mingetty, netstat, named, passwd, pidof, pop2, pop3, ps, pstree, rpcinfo, rlogind, rshd, slogin, sendmail, sshd, syslogd, tar, tcpd, top, telnetd, timed, traceroute, and write. ifpromisc.c checks whether the interface is in promiscuous mode, chklastlog.c checks for lastlog deletions, chkwtmp.c checks for wtmp deletions, check_wtmpx.c checks for wtmpx deletions (Solaris only), and chkproc.c checks for signs of LKM trojans.

Tags
Licenses
Operating Systems

Recent releases

  •  21 Apr 2008 14:30

    Release Notes: New tests were added for common SSH brute force scanners and suspicious PHP files. The tests for login, netstat, top, and backdoor were enhanced. Some minor bugs were fixed.

    •  07 Apr 2005 12:01

      Release Notes: A chkutmp.c program that displays users that may have wiped themselves from the utmp log was added. chkproc.c now has better support for Linux threads. A new chkutmp test was added to chkrootkit, and Fu, Kenga3, and ESRK can now be detected.

      •  06 Nov 2004 05:18

        No changes have been submitted for this release.

        •  09 Apr 2004 17:27

          Release Notes: C++ comments have been removed from chkproc.c. New rootkits detected: AjaKit and zaRwT. New CGI backdoors are detected. ifpromisc.c has better detection of promiscuous mode on newer Linux kernels. There is a new command line option (-n) to skip NFS-mounted directories. There are minor bug corrections.

          •  23 Jun 2003 22:02

            Release Notes: There is a fix for NPTL threading mechanisms, minor corrections, chkrootkit, a new test (vdir), detection of the worms 55808.A and TC2, and detection of the rootkits Volc, Gold2, Anonoying, Suckit (improved), and ZK (improved).

            Recent comments

            07 Feb 2012 18:53 ratsg

            is there an english version of the home page ::: http://www.chkrootkit.org/ or another online documentation page

            13 Feb 2004 01:00 sree123

            cpanel cgi-sys folder for back door checks
            chkrootkit does not include /usr/local/cpanel/cgi-sys
            while checking for back door cgi's

            We need to edit chkrootkit
            line 708
            from
            var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \
            to
            var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin /usr/local/cpanel/cgi-sys \

            Screenshot

            Project Spotlight

            OpenStack4j

            A Fluent OpenStack client API for Java.

            Screenshot

            Project Spotlight

            TurnKey TWiki Appliance

            A TWiki appliance that is easy to use and lightweight.