chkrootkit


Tool and Usage

chkrootkit is a malware scanner that locally checks a host for signs of a rootkit. Its main logic is a shell script, complemented by a few small helper programs written in C, and it runs on the host system itself.

Introduction

The chkrootkit tool consists of multiple parts that may detect the presence of rootkit components or rootkit behavior on a system.

Some areas that are checked include:

  • interface in promiscuous mode
  • lastlog deletions
  • wtmp deletions
  • wtmpx deletions
  • signs of LKM trojans
  • utmp deletions

Why this tool?

Chkrootkit is typically used to perform daily security scans to detect traces of malware.

How it works

Tools like chkrootkit compare the behavior a system actually shows with the behavior it should show. For example, the tool lists the running processes with a common utility such as the ps command and, at the same moment, reads the process table directly from the kernel's /proc interface. Any process that appears in one view but not in the other is treated as suspicious and reported. Because the tool runs on the host it inspects, a rootkit that already controls the kernel can lie to both views, so findings are best confirmed from trusted media or an offline copy of the disk.
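The ps-versus-/proc comparison described above, as an added example in POSIX shell (this is illustrative code written for this page, not chkrootkit's own chkproc helper): hidden_pids takes two space-separated PID lists and prints the PIDs that the kernel view knows about but ps does not; live_check collects both views on the running host and feeds them in. The SAMPLE_PROC and SAMPLE_PS values are constructed sample data, with 31337 standing in for a process hidden from ps.

```shell
#!/bin/sh
# Added example, not part of chkrootkit: detect processes present in the
# kernel's /proc table but absent from the output of ps.

# hidden_pids PROC_PIDS PS_PIDS
# Prints every PID in the first (kernel) list that is missing from the
# second (ps) list, one per line. Lists are space-separated strings.
hidden_pids() {
    proc_list=$1
    ps_list=$2
    for p in $proc_list; do
        case " $ps_list " in
            *" $p "*) ;;          # ps also reports this PID: nothing to flag
            *) echo "$p" ;;       # visible to the kernel, invisible to ps
        esac
    done
}

# live_check: snapshot /proc and ps on this host and compare the two views.
# Note that a short-lived process that exits between the two snapshots shows
# up as a false positive; chkrootkit's own helper deals with this race, this
# example does not and should be re-run before trusting a single hit.
live_check() {
    proc_pids=$(ls -1 /proc 2>/dev/null | grep -E '^[0-9]+$' | sort -n | tr '\n' ' ')
    ps_pids=$(ps -eo pid= | tr -d ' ' | sort -n | tr '\n' ' ')
    hidden_pids "$proc_pids" "$ps_pids"
}

# Constructed sample views: PID 31337 exists in the kernel view only.
SAMPLE_PROC="1 2 17 4242 31337"
SAMPLE_PS="1 2 17 4242"

# Run against the sample data by default; pass --live to inspect this host.
if [ "${1:-}" = "--live" ]; then
    live_check
else
    hidden_pids "$SAMPLE_PROC" "$SAMPLE_PS"
fi
```

On a clean host live_check prints nothing; any PID it does print deserves a look with tools that do not depend on the possibly subverted ps binary, such as reading /proc/PID/status and /proc/PID/exe directly.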

Usage and audience

This tool is categorized as a Linux malware detection tool.

chkrootkit is commonly used during malware scans. Target users for this tool are system administrators.

Features

  • chkrootkit is written in shell script, with helper programs in C
  • Command line interface

Tool review

The review and analysis of this project resulted in the following remarks for this security tool:

Strengths

  • + Main logic is a shell script, which is easy to read and audit
  • + Project is mature (10+ years)

Weaknesses

  • - Long time between releases

History and highlights

  • Demoed at Black Hat USA 2017

Author and Maintainers

Chkrootkit is developed by Klaus Steding-Jessen and Nelson Murilo.

Installation

Supported operating systems

Chkrootkit is known to work on FreeBSD, Linux, macOS, NetBSD, OpenBSD, and Solaris.

chkrootkit alternatives

Several alternative tools are available that might serve as a replacement for chkrootkit.


Rootkit Hunter

Security tool to search for traces of rootkits, backdoors, and other malicious components on systems running Linux and other flavors of Unix


OSSEC

OSSEC is an open source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, rootkit detection, and more.


Project details

  • Latest release: 0.52 (2017-03-15)
  • License(s): custom license
  • Last updated: Sept. 17, 2017

Project health

  • Score: 74 (calculated from factors such as project age and date of the last release)

Links

 chkrootkit website
