How to use the chkrootkit command. Linux Tips

In this Linux tip, we’re going to look at the chkrootkit command. It’s a command that will examine your system for rootkits -- generally malicious software that enables unauthorized access to a system.

To install chkrootkit on Ubuntu/Debian you can use command 

sudo apt install chkrootkit

To run chkrootkit, you have to be root or use sudo. Expect to see a lot of output.

jacob@hostname:~$ sudo chkrootkit
ROOTDIR is `/'
Checking `amd'...                                           not found
Checking `basename'...                                      not infected
Checking `biff'...                                          not found
Checking `chfn'...                                          not infected
Checking `chsh'...                                          not infected
Checking `cron'...                                          not infected
Checking `crontab'...                                       not infected
Checking `date'...                                          not infected
Checking `du'...                                            not infected
Checking `dirname'...                                       not infected
Checking `echo'...                                          not infected
Checking `egrep'...                                         not infected
Checking `env'...                                           not infected
Checking `find'...                                          not infected
Checking `fingerd'...                                       not found
Checking `gpm'...                                           not found
Checking `grep'...                                          not infected
Checking `hdparm'...                                        not infected
Checking `su'...                                            not infected
Checking `ifconfig'...                                      not infected
Checking `inetd'...                                         not infected
Checking `inetdconf'...                                     not found
Checking `identd'...                                        not found
Checking `init'...                                          not infected
...

Most of it will look like these lines -- indicating that no problems were found: To focus on just the warnings, you can run in quiet mode by using the -q option. In that case, you’ll see only the suspicious results. In this output, we see some directories that the tool sees as suspicious, but this is only because of directories start with dots – as if they’re intended to be hidden. In the case of the lines starting with exclamation points, both of the reported items are being highlighted because the associated terminals (ttys) were not found in /var/run/utmp which tracks logins. This simply means that the user is not currently logged in and, seeing that the user in this case is the display manager, that’s no surprise.

So, all of these reports are false positives. Good for me! I hope you have similar results. That’s your Linux tip for the chkrootkit command. If you have questions or would like to suggest a topic, please add a comment below.