Introduction
In the world of Linux server administration, security is a constant concern. Rootkits are one of the most stealthy types of malware, designed to hide their presence and allow unauthorized access to the system. Detecting them early can make the difference between a compromised server and one that remains secure. In this article we will explore Chkrootkit, a classic open‑source tool that helps administrators look for signs of rootkits on their systems.
What is Chkrootkit?
Chkrootkit (Check Rootkit) is a shell script that runs a series of tests to identify common characteristics of known rootkits. Initially developed in the late 1990s, it remains relevant thanks to its simplicity and the community that keeps its signatures up to date. The tool does not require complex installation; it is enough to download it, optionally compile it, and run it with root privileges.
How Chkrootkit Works
The script checks various indicators, such as the presence of modified binaries, suspicious kernel modules, hidden files in typical rootkit directories, and changes in the system call table. Each test returns a result of “not infected”, “possibly infected”, or “infected”. At the end, Chkrootkit displays a summary that allows the administrator to decide whether a deeper investigation is needed.
Installation on Popular Distributions
In most Linux distributions, Chkrootkit is available in the official repositories. For example, on Debian or Ubuntu it can be installed with:
sudo apt update
sudo apt install chkrootkit
On RHEL‑based systems such as CentOS or Fedora, the package is available in EPEL:
sudo yum install epel-release
sudo yum install chkrootkit
If you prefer the latest version directly from the source code, you can download it from the official site, extract the archive, and run make sense (the build target in its Makefile) to compile the small C helper programs the script relies on.
Basic Usage
Once installed, running Chkrootkit is as simple as:
sudo chkrootkit
The command requires root privileges to access system files and kernel modules. Execution can take several minutes, depending on the hardware and the number of files to inspect. When it finishes, you will see an on‑screen output that lists each test performed and its status.
Interpreting the Results
The results are classified into three categories:
- NOT INFECTED: the test found no signs of compromise.
- POSSIBLY INFECTED: something suspicious was detected that requires manual review.
- INFECTED: a firm match with a known rootkit pattern was found.
It is important not to panic over a “possibly infected” result; some false positives can appear due to legitimate configurations or security software that modifies the system. In those cases, it is recommended to compare the output with updated signature databases or use complementary tools such as rkhunter or Lynis.
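The following is an added example, not part of chkrootkit or of this article's original text. It wraps the basic run described above and turns the three result categories into something a cron job or monitoring check can act on: it filters the report down to the lines that need a human look and counts "infected" versus "possibly infected" findings. The markers it searches for (INFECTED, Possible, Warning, PACKET SNIFFER) are an assumption based on the phrasing chkrootkit commonly prints and may need extending for a given version; the sample report at the bottom is constructed for the example and is not output from a real host.

```shell
#!/bin/sh
# Added example (not part of chkrootkit): triage a chkrootkit report so that
# only lines needing review are shown, and the exit status reflects the verdict.

# Print only the result lines chkrootkit marks as suspicious.
# Assumed markers; clean verdicts such as "not infected", "not found" and
# "nothing detected" contain none of them (matching is case-sensitive).
chkrootkit_flags() {
    awk '/INFECTED|Possible|Warning|PACKET SNIFFER/ { print }'
}

# Number of flagged lines as a bare integer (wc -l pads with spaces on some systems).
chkrootkit_flag_count() {
    chkrootkit_flags | awk 'END { print NR }'
}

# Map findings onto the article's categories: a line saying INFECTED is a firm
# match, anything else flagged is "possibly infected" and needs manual review.
chkrootkit_summary() {
    awk '
        /INFECTED/                         { infected++; next }
        /Possible|Warning|PACKET SNIFFER/  { possible++ }
        END { printf "infected=%d possible=%d\n", infected, possible }
    '
}

# Run the real scan as root and return non-zero when anything needs review.
# Usage: sudo sh -c '. ./triage.sh; scan_and_triage'   (file name is hypothetical)
scan_and_triage() {
    if ! command -v chkrootkit >/dev/null 2>&1; then
        echo "chkrootkit is not installed" >&2
        return 2
    fi
    # chkrootkit may exit non-zero for reasons unrelated to findings, so keep the
    # report regardless and judge it by content.
    report=$(chkrootkit 2>&1) || true
    flags=$(printf '%s\n' "$report" | chkrootkit_flags)
    if [ -n "$flags" ]; then
        printf 'chkrootkit: lines needing review:\n%s\n' "$flags"
        printf '%s\n' "$report" | chkrootkit_summary
        return 1
    fi
    echo "chkrootkit: no suspicious results"
    return 0
}

# Constructed sample report (not captured from a real system) so the filter
# can be exercised offline without running chkrootkit.
SAMPLE_REPORT=$(cat <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `biff'... not found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Checking `lkm'... chkproc: nothing detected
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/sbin/dhclient[1234])
Checking `chkutmp'... chkutmp: nothing deleted
EOF
)

# Demonstration on the sample: shows the two flagged lines and the summary.
printf '%s\n' "$SAMPLE_REPORT" | chkrootkit_flags
printf '%s\n' "$SAMPLE_REPORT" | chkrootkit_summary
```

Note that the packet-sniffer line in the sample is exactly the kind of "possibly infected" result the text warns about: a DHCP client legitimately opens a promiscuous or raw socket, so the line deserves a look but is not proof of compromise on its own.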