Tool and Usage
|Programming languages||C, shell script|
|Author||Klaus Steding-Jessen, Nelson Murilo|
|Latest release||0.52 |
The chkrootkit tool consists of multiple parts that may detect the presence of rootkit parts of rootkit behavior on a system.
Some areas that are checked include:
- interface in promiscuous mode
- lastlog deletions
- wtmp deletions
- wtmpx deletions
- signs of LKM trojans
- utmp deletions
Why this tool?
Chkrootkit is typically used to perform daily security scans to detect traces of malware.
How it works
Tools like chkrootkit compare actual behavior with the expected behavior of a system. For example, the tool may look at the list of processes with a common utility like the ps command. During that same moment, it queries the kernel and requests the same information. If there are any differences, this is suspected and marked as such.
Usage and audience
chkrootkit is commonly used for malware detection or malware scanning. Target users for this tool are system administrators.
- Command line interface
Tool review and remarks
The review and analysis of this project resulted in the following remarks for this security tool:
- + Used language is shell script
- + Project is mature (10+ years)
- - Long time between releases
History and highlights
- Demo at Black Hat USA 2017 Arsenal
Supported operating systems
Chkrootkit is known to work on FreeBSD, Linux, macOS, NetBSD, OpenBSD, and Solaris.
Similar tools to chkrootkit:
Security tool to search for traces of rootkits, backdoors, and other malicious components on systems running Linux and other flavors of Unix
ClamAV is an open source antivirus engine. It can detect malicious software (malware) like trojans, viruses, backdoors and other related threats.
Linux Malware Detect (LMD) is a malware scanner for systems running Linux. The open source software project is released with the GPLv2 license.
Found an improvement? Help the community by submitting an update.