LSE toolsLSE toolschkrootkit (313)chkrootkit (313)

Tool and Usage

chkrootkit is a malware scanner to locally check for signs of a rootkit. It is written in shell script and runs on the host system itself.


The chkrootkit tool consists of multiple parts that may detect the presence of rootkit parts of rootkit behavior on a system.

Some areas that are checked include:

  • interface in promiscuous mode
  • lastlog deletions
  • wtmp deletions
  • wtmpx deletions
  • signs of LKM trojans
  • utmp deletions

Why this tool?

Chkrootkit is typically used to perform daily security scans to detect traces of malware.

How it works

Tools like chkrootkit compare actual behavior with the expected behavior of a system. For example, the tool may look at the list of processes with a common utility like the ps command. During that same moment, it queries the kernel and requests the same information. If there are any differences, this is suspected and marked as such.

Usage and audience

This tool is categorized as a Linux malware detection tool and Linux rootkit scanner.

chkrootkit is commonly used for malware detection or malware scanning. Target users for this tool are system administrators.


  • chkrootkit is written in C, shell script
  • Command line interface

Tool review and remarks

The review and analysis of this project resulted in the following remarks for this security tool:


  • + Used language is shell script
  • + Project is mature (10+ years)


  • - Long time between releases

History and highlights

  • Demoed at Black Hat USA 2017

Author and Maintainers

Chkrootkit is under development by Klaus Steding-Jessen, Nelson Murilo.


Supported operating systems

Chkrootkit is known to work on FreeBSD, Linux, macOS, NetBSD, OpenBSD, and Solaris.

chkrootkit alternatives

Several alternative tools are available that might be a good replacement for chkrootkit.


Rootkit Hunter

Security tool to search for traces of rootkits, backdoors, and other malicious components on systems running Linux and other flavors of Unix

Best alternative


OSSEC is an open source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, rootkit detection, and more.

All alternatives for chkrootkit

This tool page was recently updated. Found an improvement? Become an influencer and submit an update.
Project details
Latest release0.52 [2017-03-15]
LicenseCustom license
Last updatedApril 18, 2018

Project health

This score is calculated by different factors, like project age, last release date, etc.


 chkrootkit website

Compare chkrootkit with other tools

Related terms