Recipe 9.12 Looking for Rootkits

9.12.1 Problem

You want to check for evidence that a rootkit?a program to create or exploit security holes?has been run on your system.

9.12.2 Solution

Use chkrootkit. Download the tarfile from, verify its checksum:

$ md5sum chkrootkit.tar.gz

unpack it:

$ tar xvzpf chkrootkit.tar.gz

build it:

$ cd chkrootkit-*
$ make sense

and run it as root:

# ./chkrootkit

More securely, run it using known, good binaries you have previously copied to a secure medium, such as CD-ROM, e.g.:

# ./chkrootkit -p /mnt/cdrom

9.12.3 Discussion

chkrootkit tests for the presence of certain rootkits, worms, and trojans on your system. If you suspect you've been hacked, this is a good first step toward confirmation and diagnosis.

chkrootkit invokes a handful of standard Linux commands. At press time they are awk, cut, egrep, find, head, id, ls, netstat, ps, strings, sed, and uname. If these programs have been compromised on your system, chkrootkit's output cannot be trusted. So ideally, you should keep around a CD-ROM or write-protected floppy disk with these programs, and run chkrootkit with the -p option to use these known good binaries.

Be sure to use the latest version of chkrootkit, which will be aware of the most recently discovered threats.

9.12.4 See Also

The README file included with chkrootkit explains the tests conducted, and lists the full usage information.

    Chapter 9. Testing and Monitoring