How to detect a Rootkit on your machine

A root kit is a collection of programs that intruders often install after they have compromised the root account of a system.
These programs will help the intruders clean up their tracks, as well as provide access back into the system.
Root kits will sometimes leave processes running so that the intruder can come back easily and without the system administrator’s knowledge.


chkrootkit V. 0.46a

Nelson Murilo (main author)
Klaus Steding-Jessen (co-author)

This program locally checks for signs of a rootkit.
chkrootkit is available at:

This tool includes software developed by the DFN-CERT, Univ. of Hamburg (chklastlog and chkwtmp), and small portions of ifconfig developed by Fred N. van Kempen.

What’s chkrootkit?

chkrootkit is a tool to locally check for signs of a rootkit. It contains:

* chkrootkit: a shell script that checks system binaries for rootkit modification.

* ifpromisc.c: checks if the network interface is in promiscuous mode.

* chklastlog.c: checks for lastlog deletions.

* chkwtmp.c: checks for wtmp deletions.

* check_wtmpx.c: checks for wtmpx deletions. (Solaris only)

* chkproc.c: checks for signs of LKM trojans.

* chkdirs.c: checks for signs of LKM trojans.

* strings.c: quick and dirty strings replacement.

* chkutmp.c: checks for utmp deletions.

chkwtmp and chklastlog *try* to check for deleted entries in the wtmp
and lastlog files, but it is *not* guaranteed that any modification
will be detected.

Aliens tries to find sniffer logs and rootkit config files. It looks
for some default file locations — so it is also not guaranteed it
will succeed in all cases.

chkproc checks if /proc entries are hidden from ps and the readdir
system call. This could be the indication of an LKM trojan. You can
also run this command with the -v option (verbose).
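
The cross-check that chkproc performs, written in shell as an added example (it is not chkrootkit's own code, and the function names are hypothetical). It compares what readdir and ps list against what a direct lookup of each /proc/<pid> finds, and it skips thread IDs, which answer lookups but never appear in listings.

```shell
#!/bin/sh
# Added illustration of the chkproc cross-check; not chkrootkit's own code.
# All function names are hypothetical. Run it from trusted media.

# View 1: PIDs returned by a directory listing (readdir) of /proc.
readdir_pids() { ls "${1:-/proc}" | grep -E '^[0-9]+$'; }

# View 2: PIDs reported by ps.
ps_pids() { ps -e -o pid= | tr -d ' '; }

# View 3: PIDs whose /proc/<pid> answers a direct lookup by name.
# Thread IDs also answer lookups but are never listed, so keep only
# thread-group leaders (Tgid equal to the PID) to avoid false alarms.
lookup_pids() {
    root=${1:-/proc}
    max=$(cat "$root/sys/kernel/pid_max" 2>/dev/null || echo 32768)
    pid=1
    while [ "$pid" -le "$max" ]; do
        if [ -d "$root/$pid" ] &&
           grep -qx "Tgid:[[:space:]]*$pid" "$root/$pid/status" 2>/dev/null
        then
            echo "$pid"
        fi
        pid=$((pid + 1))
    done
}

# Print PIDs in file $1 (lookup view) that are absent from file $2.
hidden_from() { grep -vxFf "$2" "$1" || true; }

# Live scan: report PIDs that answer a lookup but are missing from a
# listing, re-checking each to drop processes that came or went mid-scan.
scan() {
    tmp=$(mktemp -d) || return 1
    readdir_pids > "$tmp/readdir"
    ps_pids > "$tmp/ps"
    lookup_pids > "$tmp/lookup"
    for view in readdir ps; do
        for p in $(hidden_from "$tmp/lookup" "$tmp/$view"); do
            if [ -d "/proc/$p" ] && ! "${view}_pids" | grep -qx "$p"; then
                echo "PID $p answers lookup but is hidden from $view"
            fi
        done
    done
    rm -rf "$tmp"
}

# Run the live scan only on request: sh procviews.sh --scan
if [ "${1:-}" = "--scan" ]; then scan; fi
```

The ls and ps used here are the system's own binaries, so the result is only as trustworthy as they are.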


DO NOT install chkrootkit on your system and simply run it periodically.
An attacker may simply find the installation and change it so that it doesn’t detect his presence.
Compile it and put it on removable or read-only media.

Download the Latest Source tarball (37140 bytes).
From shell run…

# wget

Then verify the tarball’s MD5 signature: compute the hash and compare it with the value published alongside the download.
From shell run…

# md5sum chkrootkit.tar.gz

Use tar to unpack the source code.
From shell run…

# tar -xzf chkrootkit.tar.gz

Compile chkrootkit. Go into the directory that it created and type from shell…

# make sense

Run chkrootkit from the directory it was built in. From shell…

# ./chkrootkit

It will print each test that it performs and the result of the test:

ROOTDIR is `/’
Checking `amd’… not found
Checking `basename’… not infected
Checking `biff’… not found
Checking `chfn’… not infected
Checking `chsh’… not infected
Checking `cron’… not infected
Checking `date’… not infected
Checking `du’… not infected
Checking `dirname’… not infected
Checking `echo’… not infected
Checking `egrep’… not infected
Checking `env’… not infected
Checking `find’… not infected
Checking `fingerd’… not found
Checking `gpm’… not infected
Checking `grep’… not infected
chkutmp: nothing deleted

Not very interesting?

chkrootkit can also be run on disks mounted in another machine; just specify the mount point for the partition with the -r option:

# ./chkrootkit -r /mnt/hda2_image

If you are not infected it is a good time to make a copy of your disks.
Generate a checksum for the partition you wish to image, run from shell

# md5sum /dev/hdc2 > /tmp/hdc2.md5

To make the copy of the disk(s), we’ll use the dd command. From shell…

# dd if=/dev/hdc of=/tmp/hdc.img

You will need enough space in /tmp to hold a copy of the entire /dev/hdc drive.
This means that /tmp shouldn’t be a RAM disk and should not be stored on /dev/hdc.

Write it to another hard disk!