In this Linux tip, we’re going to look at the chkrootkit command. It’s a command that will examine your system for rootkits -- generally malicious software that enables unauthorized access to a system.
To install chkrootkit on Ubuntu/Debian, you can use this command:
sudo apt install chkrootkit
To run chkrootkit, you have to be root or use sudo. Expect to see a lot of output.
jacob@hostname:~$ sudo chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
...
Most of it will look like the lines above -- indicating that no problems were found. To focus on just the warnings, you can run in quiet mode by using the -q option. In that case, you’ll see only the suspicious results. In the quiet-mode output on my system, the tool reports some directories as suspicious, but only because their names start with dots -- as if they’re intended to be hidden. The lines starting with exclamation points highlight two items because the associated terminals (ttys) were not found in /var/run/utmp, which tracks logins. This simply means that the user is not currently logged in and, seeing that the user in this case is the display manager, that’s no surprise.
So, all of these reports are false positives. Good for me! I hope you have similar results. That’s your Linux tip for the chkrootkit command. If you have questions or would like to suggest a topic, please add a comment below.
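As a follow-on to the tip above, here is an added example (not part of the original tip and not part of chkrootkit itself) that triages a chkrootkit report: it counts the "not infected", "not found" and "INFECTED" results, treats anything it doesn't recognise (such as the bare dot-directory paths the tip describes) as needing review, and turns that into an exit status a cron job can act on. The sample report embedded in the script is constructed for the example; only its line format follows the real chkrootkit output shown above.

```shell
#!/bin/sh
# Added example, not part of the original tip or of chkrootkit: triage a
# chkrootkit report. chkrootkit prints one line per check
# ("Checking `ls'... not infected"); the lines worth a second look are
# those saying INFECTED, warnings, and the bare file/directory paths it
# lists as suspicious. The functions below summarize a report and turn it
# into an exit status a cron job or monitoring check can act on.

# Constructed sample report (hypothetical). The INFECTED line and the
# dot-directory path are made up to exercise the non-clean branches.
SAMPLE_REPORT="ROOTDIR is \`/'
Checking \`amd'... not found
Checking \`basename'... not infected
Checking \`chfn'... not infected
Checking \`init'... not infected
Checking \`ls'... INFECTED
Searching for suspicious files and dirs, it may take a while...
/home/jacob/.cache/hidden_example
Checking \`lkm'... chkproc: nothing detected"

# summarize_report: read a report on stdin and print one line of counts:
#   infected=N clean=N missing=N suspicious=N
# "missing" means "not found" (the binary is simply not installed, which
# is not a finding). Anything not recognised as a clean result is counted
# as suspicious so that it gets looked at rather than silently dropped.
summarize_report() {
    awk '
        /INFECTED/                                    { infected++;   next }
        /not infected|nothing detected|nothing found/ { clean++;      next }
        /not found/                                   { missing++;    next }
        /^(ROOTDIR|Searching)/                        { next }   # banner lines
        NF                                            { suspicious++ }
        END {
            printf "infected=%d clean=%d missing=%d suspicious=%d\n",
                   infected, clean, missing, suspicious
        }
    '
}

# report_verdict: read a report on stdin, print infected/review/clean and
# return 2/1/0 respectively, so the result can drive alerting.
report_verdict() {
    summary=$(summarize_report)
    case "$summary" in
        *"infected=0 "*) ;;
        *) echo infected; return 2 ;;
    esac
    case "$summary" in
        *"suspicious=0") echo clean; return 0 ;;
        *) echo review; return 1 ;;
    esac
}
```

To use it on a live system, pipe the tool's output through the verdict function, for example `sudo chkrootkit | report_verdict`. With `-q` the "not infected" lines are suppressed, so the clean count will be 0 but the verdict is unchanged; a "review" result is exactly the case the tip describes, where you read the flagged paths and ttys yourself before deciding they are false positives.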