How to use the chkrootkit command.Linux Tips

Rootkits pose a significant threat to the security of Linux systems. These stealthy pieces of malware can compromise the integrity of your system by providing unauthorized access to attackers. However, with the right tools and knowledge, you can detect and mitigate these threats effectively. One such tool is chkrootkit, a command-line utility designed to scan your system for signs of rootkit activity.

What is chkrootkit?

Chkrootkit is a free and open-source tool specifically developed for Linux systems. It works by scanning various parts of your system, including system binaries, libraries, and kernel modules, to detect any anomalies that may indicate the presence of a rootkit.

Understanding Rootkits and Their Threats

Before diving into how to use chkrootkit, it’s essential to understand what rootkits are and the dangers they pose. Rootkits are malicious software designed to gain privileged access to a computer while remaining undetected. Once installed, they can execute arbitrary commands, steal sensitive information, and even control the entire system remotely.

Installation of chkrootkit

Installing chkrootkit on your Linux system is a straightforward process. Most Linux distributions include chkrootkit in their package repositories, making it easy to install using package management tools like apt, yum, or dnf.

To install chkrootkit on Debian-based systems like Ubuntu, you can use the following command:

sudo apt-get install chkrootkit

For Red Hat-based systems like CentOS or Fedora, you can install chkrootkit with:

sudo yum install chkrootkit

Basic Usage of chkrootkit

Once installed, using chkrootkit is simple. Open a terminal window and type the following command:

sudo chkrootkit

This command will initiate a system-wide scan, checking for signs of rootkit activity. Depending on the size of your system and the number of files to scan, the process may take several minutes to complete.

Performing a System Scan with chkrootkit

During the scan, chkrootkit examines critical system files and directories for known signatures of rootkits. It checks for suspicious filenames, hidden processes, and abnormal network connections. If any potential threats are detected, chkrootkit will display a warning message indicating the possible presence of a rootkit.

Interpreting chkrootkit Results

After the scan is complete, it’s essential to carefully review the output generated by chkrootkit. Pay close attention to any suspicious findings, such as hidden files or directories, unexpected network connections, or altered system binaries. While some findings may be false positives, others could indicate a genuine security threat that requires further investigation.

Advanced Usage Options

Chkrootkit offers advanced options for customizing the scanning process to better suit your needs. You can specify additional directories to include or exclude from the scan, configure logging settings to record scan results, and even integrate chkrootkit with other security tools for enhanced protection.

Additional Security Measures

In addition to using chkrootkit, it’s crucial to implement other security best practices to safeguard your Linux system effectively. This includes keeping your system and software up to date, applying security patches promptly, and restricting user privileges to minimize the risk of unauthorized access.

Automating chkrootkit Scans

To ensure continuous protection against rootkit threats, consider automating regular scans with chkrootkit. You can set up scheduled scans using cron jobs or other task scheduling utilities to run chkrootkit at predefined intervals. By automating the scanning process, you can detect and respond to potential threats more efficiently.

Troubleshooting Common Issues

If you encounter any issues while using chkrootkit, such as scan errors or compatibility problems, don’t hesitate to seek assistance from the Linux community. Forums, mailing lists, and online documentation are valuable resources for troubleshooting and resolving technical issues related to chkrootkit.

Best Practices for Using chkrootkit

To maximize the effectiveness of chkrootkit and minimize the risk of false positives, follow these best practices:

  • Regular Scan Frequency: Perform regular scans with chkrootkit to detect and mitigate rootkit threats proactively.
  • Precautions During System Scans: Avoid running other resource-intensive tasks during chkrootkit scans to ensure accurate results.
  • Incorporating chkrootkit into Security Routines: Integrate chkrootkit into your regular security routines to maintain a secure and reliable Linux environment.

Alternatives to chkrootkit

While chkrootkit is a popular and effective tool for detecting rootkits on Linux systems, several alternative solutions are available. Examples include rkhunter (Rootkit Hunter), Lynis, and OSSEC (Open Source Host-based Intrusion Detection System). Each tool has its strengths and weaknesses, so it’s essential to research and choose the one that best meets your specific requirements.

Real-World Scenarios and Examples

To illustrate the practical use of chkrootkit, consider the following real-world scenarios:

  • Case Studies of Rootkit Detection: Explore documented cases where chkrootkit successfully detected and removed rootkit infections from Linux systems.
  • Success Stories with chkrootkit: Hear from users who have effectively used chkrootkit to enhance the security of their Linux environments.
  • Lessons Learned from Real-World Incidents: Learn from real-world incidents where failure to detect rootkit threats led to security breaches and data loss.


  1. How often should I run chkrootkit scans?
    • It’s recommended to run chkrootkit scans regularly, ideally on a weekly or monthly basis, to detect and mitigate rootkit threats proactively.
  2. Can chkrootkit detect all types of rootkits?
    • While chkrootkit is effective at detecting many common rootkit signatures, it’s not guaranteed to detect every type of rootkit. It’s essential to complement chkrootkit with other security measures for comprehensive protection.
  3. What should I do if chkrootkit detects a potential threat?
    • If chkrootkit detects a potential rootkit threat, take immediate action to investigate and remediate the issue. This may involve isolating the affected system, removing the rootkit, and implementing additional security measures to prevent future incidents.
  4. Is chkrootkit compatible with all Linux distributions?
    • Chkrootkit is designed to work with most Linux distributions. However, compatibility may vary depending on the specific version and configuration of your system. It’s recommended to consult the documentation or community resources for guidance on using chkrootkit with your distribution.
  5. Can I use chkrootkit alongside other security software?
    • Yes, chkrootkit can be used alongside other security software to provide additional layers of protection against rootkit threats. However, be mindful of potential conflicts or performance issues that may arise from running multiple security tools simultaneously.


In conclusion, chkrootkit is a valuable tool for detecting and mitigating rootkit threats on Linux systems. By following best practices, such as performing regular scans, implementing additional security measures, and staying informed about emerging threats, you can effectively protect your Linux environment from unauthorized access and malicious activity.