LSE toolsLSE toolschkrootkit (472)chkrootkit (472)

Tool and Usage

Project details

Custom license
Programming languages
C, shell script
Klaus Steding-Jessen
Nelson Murilo
Latest release
Latest release date

Project health

This score is calculated by different factors, like project age, last release date, etc.


The chkrootkit tool consists of multiple parts that may detect the presence of rootkit parts of rootkit behavior on a system.

Some areas that are checked include:

  • interface in promiscuous mode
  • lastlog deletions
  • wtmp deletions
  • wtmpx deletions
  • signs of LKM trojans
  • utmp deletions

Why this tool?

Chkrootkit is typically used to perform daily security scans to detect traces of malware.

How it works

Tools like chkrootkit compare actual behavior with the expected behavior of a system. For example, the tool may look at the list of processes with a common utility like the ps command. During that same moment, it queries the kernel and requests the same information. If there are any differences, this is suspected and marked as such.

Usage and audience

chkrootkit is commonly used for malware detection or malware scanning. Target users for this tool are system administrators.


  • Command line interface

Tool review and remarks

The review and analysis of this project resulted in the following remarks for this security tool:


  • + Used language is shell script
  • + Project is mature (10+ years)


  • - Long time between releases

History and highlights

  • Demo at Black Hat USA 2017 Arsenal

Author and Maintainers

Chkrootkit is under development by Klaus Steding-Jessen, Nelson Murilo.


Supported operating systems

Chkrootkit is known to work on FreeBSD, Linux, NetBSD, OpenBSD, Solaris, and macOS.

chkrootkit alternatives

Similar tools to chkrootkit:


Rootkit Hunter

Security tool to search for traces of rootkits, backdoors, and other malicious components on systems running Linux and other flavors of Unix



ClamAV is an open source antivirus engine. It can detect malicious software (malware) like trojans, viruses, backdoors and other related threats.



Linux Malware Detect (LMD) is a malware scanner for systems running Linux. The open source software project is released with the GPLv2 license.

All chkrootkit alternatives

This tool page was updated at . Found an improvement? Help the community by submitting an update.

Related tool information

Compare chkrootkit with other tools


This tool is categorized as a Linux malware detection tool and Linux rootkit scanner.