chkrootkit(8)
Scans the system for signs of rootkit infection and suspicious files.
Synopsis
chkrootkit [-h] [-V] [-l] [-d] [-q] [-x] [-r ROOTDIR] [TESTS]
Description
chkrootkit is a shell script that locally scans for signs of a rootkit or other malicious software on a Linux system. It checks for suspicious files, processes, network connections, and kernel-level anomalies that typically indicate system compromise.
The tool examines system binaries, looks for hidden processes, checks for sniffer interfaces, and searches for known rootkit signatures in common system locations. Results are printed with color-coded output indicating what was found (infected, not found, or clean).
Common options
| Flag | What it does |
|---|---|
| -h | display help message and exit |
| -V | print version number and exit |
| -l | list available tests without running them |
| -d | debug mode; shows verbose output during scanning |
| -q | quiet mode; only show warnings and infected files |
| -x | use chkdirs, chkfiles, and strings checks; slower but more thorough |
| -r ROOTDIR | scan an alternate filesystem root instead of / (useful for mounted partitions) |
| -e TESTNAME | exclude a specific test from running |
Examples
Run a complete rootkit scan with default settings
    sudo chkrootkit
Scan quietly, showing only suspicious files and warnings
    sudo chkrootkit -q
List all available tests without executing them
    sudo chkrootkit -l
Scan an external or mounted filesystem at /mnt/external
    sudo chkrootkit -r /mnt/external
Run with debug output and save results to a log file
    sudo chkrootkit -d 2>&1 | tee scan.log
Run a thorough scan and show only lines matching INFECTED
    sudo chkrootkit -x | grep INFECTED
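A small triage script, added here as an example and not part of chkrootkit itself: it keeps only the INFECTED, Warning and sniffer lines of a report, drops tests listed in a hypothetical KNOWN_BENIGN list (the post-scan counterpart of -e for findings already investigated on this host), and counts what remains so a scheduled job can alert only on real findings. The report lines are constructed in chkrootkit's general "Checking `name'... STATUS" output style.

```shell
#!/bin/sh
# Added example: triage a chkrootkit report. Not code from chkrootkit.
# Constructed sample report in chkrootkit's "Checking `name'... STATUS" style.
SAMPLE_REPORT="$(cat <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `chfn'... not infected
Checking `login'... INFECTED
Checking `amd'... not found
Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/dhclient[1234])
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
Checking `w55808'... not infected
EOF
)"

# Hypothetical list of tests whose findings were already investigated and
# judged benign on this host (e.g. a DHCP client legitimately in promiscuous mode).
KNOWN_BENIGN="sniffer"

# Keep only real findings. The patterns are case-sensitive, so the routine
# "not infected" / "not found" lines are not matched.
findings() {
    printf '%s\n' "$1" | grep -E 'INFECTED|Warning|PACKET SNIFFER'
}

# Drop findings whose test name (between the backtick and quote) is in KNOWN_BENIGN.
filter_benign() {
    while IFS= read -r line; do
        test_name=$(printf '%s' "$line" | sed -n "s/^Checking \`\([^']*\)'.*/\1/p")
        skip=0
        for b in $KNOWN_BENIGN; do
            [ "$test_name" = "$b" ] && skip=1
        done
        if [ "$skip" -eq 0 ]; then printf '%s\n' "$line"; fi
    done
}

# Print the number of findings left after filtering; 0 means nothing to escalate.
triage() {
    findings "$1" | filter_benign | awk 'END { print NR }'
}

# Usage: run the real scan and alert when the count is non-zero, e.g.
#   report=$(sudo chkrootkit -q 2>&1); [ "$(triage "$report")" -eq 0 ] || echo "ALERT"
echo "findings to escalate: $(triage "$SAMPLE_REPORT")"
```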