chkrootkit -- locally checks for signs of a rootkit

chkrootkit is a tool to locally check for signs of a rootkit. It contains:

chkrootkit: shell script that checks system binaries for rootkit modification.
ifpromisc.c: checks if the interface is in promiscuous mode.
chklastlog.c: checks for lastlog deletions.
chkwtmp.c: checks for wtmp deletions.
check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
chkproc.c: checks for signs of LKM trojans.
chkdirs.c: checks for signs of LKM trojans.
strings.c: quick and dirty strings replacement.
chkutmp.c: checks for utmp deletions.

Chkrootkit is listed in the "Top 100 Network Security Tools" survey, 2006 edition, released by Insecure.Org. We would like to thank all people who voted for chkrootkit as their favourite tool!

What's New

chkrootkit 0.53 is now available! (Release Date: Feb 11 2019)

This version includes:

chkrootkit
- Rocke Monero Miner detection
- Added ss (netstat update command) support
- ifconfig.c bug fix
- Minor bug fixes

Tests performed and rootkits detected

The following tests are made:

aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG amd basename biff chfn chsh cron crontab date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write

The following rootkits, worms and LKMs are currently detected:

01. lrk3, lrk4, lrk5, lrk6 (and variants);	02. Solaris rootkit;	03. FreeBSD rootkit;
04. t0rn (and variants);	05. Ambient's Rootkit (ARK);	06. Ramen Worm;
07. rh[67]-shaper;	08. RSHA;	09. Romanian rootkit;
10. RK17;	11. Lion Worm;	12. Adore Worm;
13. LPD Worm;	14. kenny-rk;	15. Adore LKM;
16. ShitC Worm;	17. Omega Worm;	18. Wormkit Worm;
19. Maniac-RK;	20. dsc-rootkit;	21. Ducoci rootkit;
22. x.c Worm;	23. RST.b trojan;	24. duarawkz;
25. knark LKM;	26. Monkit;	27. Hidrootkit;
28. Bobkit;	29. Pizdakit;	30. t0rn v8.0;
31. Showtee;	32. Optickit;	33. T.R.K;
34. MithRa's Rootkit;	35. George;	36. SucKIT;
37. Scalper;	38. Slapper A, B, C and D;	39. OpenBSD rk v1;
40. Illogic rootkit;	41. SK rootkit.	42. sebek LKM;
43. Romanian rootkit;	44. LOC rootkit;	45. shv4 rootkit;
46. Aquatica rootkit;	47. ZK rootkit;	48. 55808.A Worm;
49. TC2 Worm;	50. Volc rootkit;	51. Gold2 rootkit;
52. Anonoying rootkit;	53. Shkit rootkit;	54. AjaKit rootkit;
55. zaRwT rootkit;	56. Madalin rootkit;	57. Fu rootkit;
58. Kenga3 rootkit;	59. ESRK rootkit;	60. rootedoor rootkit;
61. Enye LKM;	62. Lupper.Worm;	63. shv5;
64. OSX.RSPlug.A;	65. Linux Rootkit 64Bit;	66. Operation Windigo;
67. Mumblehard backdoor/botnet;	68. Linux.Xor.DDoS Malware;	69. Backdoors.linux.Mokes.a;
70. Linux.Proxy.10	71. Rocke Monero Miner

chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x, FreeBSD 2.2.x, 3.x, 4.x, 5.x, 7.x and 10.x, OpenBSD 2.x, 3.x, 4.x and 5.x., NetBSD 1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64, BSDI and Mac OS X.

Are you looking for a secure web host that supports chkrootkit? HostGator is an affordable option as you can save up to 75% off with this HostGator coupon. They provide all kinds of web hosting including shared hosting, WordPress-optimized hosting, VPS, and even dedicated servers.

Going on holiday needn't need expensive, as long as you book well in advance. A lot of airlines now offer Airmiles or give discount codes out, such as here for TUI. It often pays to look around first and not just rush in and book!

More details can be found on the chkrootkit's README.

Support us:

If you enjoy our work, please consider supporting Chkrootkit at Patreon
Use this currency converter if paying via other currencies

Term paper writing help from 123 Term Papers is available for college and graduate students round-the-clock.

Looking for someone who can «do my homework»? Get assignment help at Myhomeworkdone.com

WebTrafficGeeks.org - The Best Website to Purchase Quality Web Traffic

Offers you quality, inexpensive, targeted site traffic. Visit Ultimatewebtraffic.com

FIND the Perfect Software Alternatives! Visit Alternatives.co

Tools, hardware and DIY Projects for the handyman - ToolTally.com

Simpli Insurance provides term life insurance for Canadians, get a life insurance quote today!

SeoWebsiteTraffic.Net offers you quality, inexpensive, targeted site traffic.
The best site to buy website traffic .

Contacting the Authors

LoadView: on-demand load testing via real browsers.
Stress test your website, web-apps, mobile and API instantly with our cloud-based load testing tools. Load Testing Provided by LoadView

Please send comments, new rootkits, questions and bug reports to Nelson Murilo <nelson@pangeia.com.br> (main author) and Klaus Steding-Jessen <jessen@cert.br> (co-author).