chkrootkit


chkrootkit is a tool to locally check for signs of a rootkit. It contains chkrootkit, a shell script that checks system binaries for rootkit modification. The following tests are made: aliens, asp, bindshell, lkm, rexedcs, sniffer, wted, z2, amd, basename, biff, chfn, chsh, cron, date, du, dirname, echo, egrep, env, find, fingerd, gpm, grep, hdparm, su, ifconfig, inetd, inetdconf, identd, killall, login, ls, mail, mingetty, netstat, named, passwd, pidof, pop2, pop3, ps, pstree, rpcinfo, rlogind, rshd, slogin, sendmail, sshd, syslogd, tar, tcpd, top, telnetd, timed, traceroute, and write. It also contains several C programs: ifpromisc.c checks whether the interface is in promiscuous mode, chklastlog.c checks for lastlog deletions, chkwtmp.c checks for wtmp deletions, check_wtmpx.c checks for wtmpx deletions (Solaris only), and chkproc.c checks for signs of LKM trojans.

Recent releases

  •  21 Apr 2008 07:30

Release Notes: New tests were added for common SSH brute force scanners and suspicious PHP files. The tests for login, netstat, top, and backdoor were enhanced. Some minor bugs were fixed.

  •  07 Apr 2005 05:01

Release Notes: A chkutmp.c program that displays users that may have wiped themselves from the utmp log was added. chkproc.c now has better support for Linux threads. A new chkutmp test was added to chkrootkit, and Fu, Kenga3, and ESRK can now be detected.

  •  05 Nov 2004 21:18

No changes have been submitted for this release.

  •  09 Apr 2004 10:27

Release Notes: C++ comments have been removed from chkproc.c. New rootkits detected: AjaKit and zaRwT. New CGI backdoors are detected. ifpromisc.c has better detection of promiscuous mode on newer Linux kernels. There is a new command line option (-n) to skip NFS-mounted directories. There are minor bug corrections.

  •  23 Jun 2003 15:02

Release Notes: There is a fix for NPTL threading mechanisms, minor corrections, chkrootkit, a new test (vdir), detection of the worms 55808.A and TC2, and detection of the rootkits Volc, Gold2, Anonoying, Suckit (improved), and ZK (improved).

Recent comments

07 Feb 2012 18:53 ratsg

Is there an English version of the home page, or another online documentation page?

13 Feb 2004 01:00 sree123

cpanel cgi-sys folder for back door checks
chkrootkit does not include /usr/local/cpanel/cgi-sys
while checking for backdoor CGIs.

We need to edit chkrootkit
line 708
var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \
var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin /usr/local/cpanel/cgi-sys \

