Scanning for rootkits on Linux with chkrootkit
A walkthrough of using chkrootkit to scan a Linux host for known rootkit signatures.
What it is
chkrootkit is a small collection of shell and C programs that look for known signs of rootkit infection on a Linux system. It checks core utilities (ps, ls, ifconfig, netstat) against known patterns of tampering, looks for suspicious modifications in login services, and watches for the kinds of changes a loadable kernel module rootkit would make.
It is not a full EDR. It is a quick, lightweight check that should run regularly as a baseline.
Installing
On Debian or Ubuntu:
sudo apt update
sudo apt install chkrootkit
No configuration is needed. The default ruleset is what almost everyone uses.
Running a scan
sudo chkrootkit
A clean run produces output like:
Checking 'sshd'... not infected
Checking 'ifconfig'... not infected
Checking 'login'... not infected
When something looks wrong, the output flags it explicitly:
Warning: Possible LKM Trojan installed
That kind of warning is a starting point, not a verdict. False positives happen with chkrootkit (it has a reputation for them), so any hit needs corroboration before you treat the host as compromised. Pair it with rkhunter, AIDE for file integrity, and your own knowledge of what was recently changed.
Where it fits
This is one tool in a layered host-security setup. It does not replace endpoint protection, it does not catch novel rootkits that do not match its signatures, and it does not give you forensics. What it does give you is a regular, scriptable check that takes seconds to run and flags the obvious cases.
For a homelab or a small fleet, that is genuinely useful. It is the smoke alarm, not the fire department.
Running it on a schedule
A weekly cron entry that logs to a dated file:
# System crontab format (/etc/crontab or a file under /etc/cron.d): the "root" field
# is the user to run as; omit it in a per-user crontab (crontab -e). The chkrootkit
# binary is in /usr/sbin, so that directory must be on cron's PATH, or use the full path.
@weekly root chkrootkit > /var/log/chkrootkit-$(date +\%F).log
The \% is escaped because cron treats % as a line separator. The resulting logs are easy to diff over time, which is more useful than the individual scans on their own; the question is rarely “is anything wrong right now” and more often “what changed since last week”.
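The "what changed since last week" comparison, as an added example that is not part of the original post: a small POSIX sh script that extracts the flagged lines from two dated logs and reports only the hits that are new. It assumes the log names written by the cron entry above; the function names and the "bindshell" false positive in the demo logs are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original post): report only the chkrootkit
# findings that are new since the previous scan. Assumes the dated logs the
# cron entry above writes, /var/log/chkrootkit-YYYY-MM-DD.log; %F dates sort
# correctly by name, so the newest two files are the last two in sort order.

LOG_DIR="${LOG_DIR:-/var/log}"

# Lines chkrootkit uses to flag a hit: "INFECTED", "Warning:" and "Possible".
# "not infected" is lower case, so the case-sensitive match skips clean lines.
findings() {
    grep -E 'INFECTED|Warning|Possible' "$1" | sort -u
}

# new_findings PREV_LOG CUR_LOG: prints flagged lines present only in CUR_LOG,
# so a hit already seen last week (e.g. a known false positive) is not repeated.
new_findings() {
    prev_hits="${TMPDIR:-/tmp}/chkrootkit-prev.$$"
    findings "$1" > "$prev_hits"
    findings "$2" | comm -13 "$prev_hits" -   # -13: lines unique to 2nd input
    rm -f "$prev_hits"
}

# report_latest [DIR]: compare the two newest logs in DIR (default LOG_DIR).
# Header goes to stderr so stdout carries only the new findings (cron mails it).
report_latest() {
    dir="${1:-$LOG_DIR}"
    set -- $(ls "$dir"/chkrootkit-*.log 2>/dev/null | sort | tail -n 2)
    [ "$#" -eq 2 ] || { echo "need two dated logs in $dir" >&2; return 1; }
    echo "new chkrootkit findings in $2 (vs $1):" >&2
    new_findings "$1" "$2"
}

# Self-contained demo on constructed logs: the bindshell hit is a known false
# positive carried over from last week; only the LKM warning is new.
demo() {
    d="${TMPDIR:-/tmp}/chkrootkit-demo.$$"
    mkdir -p "$d"
    printf '%s\n' "Checking 'sshd'... not infected" \
        "Checking 'bindshell'... INFECTED (PORTS:  465)" > "$d/chkrootkit-2024-01-07.log"
    printf '%s\n' "Checking 'sshd'... not infected" \
        "Checking 'bindshell'... INFECTED (PORTS:  465)" \
        "Warning: Possible LKM Trojan installed" > "$d/chkrootkit-2024-01-14.log"
    report_latest "$d"
    rm -rf "$d"
}

# No args: run the demo. One arg: log directory. Two args: two logs to compare.
case "$#" in 0) demo ;; 1) report_latest "$1" ;; *) new_findings "$1" "$2" ;; esac
```

Dropped into the weekly job after the scan, an empty stdout means nothing new; cron's mail then only arrives when a fresh hit appears.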