[chkrootkit: kicking script kiddies' asses since 1997]

locally checks for signs of a rootkit

chkrootkit is a tool to locally check for signs of a rootkit. It contains:

  • chkrootkit: shell script that checks system binaries for rootkit modification.
  • ifpromisc.c: checks if the interface is in promiscuous mode.
  • chklastlog.c: checks for lastlog deletions.
  • chkwtmp.c: checks for wtmp deletions.
  • check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
  • chkproc.c: checks for signs of LKM trojans.
  • chkdirs.c: checks for signs of LKM trojans.
  • strings.c: quick and dirty strings replacement.
  • chkutmp.c: checks for utmp deletions.

Chkrootkit is listed in the "Top 100 Network Security Tools" survey, 2006 edition, released by Insecure.Org. We would like to thank all people who voted for chkrootkit as their favourite tool!

What's New

chkrootkit 0.48 is now available! (Release Date: Mon Dec 17 2007) This version includes:

  • chkrootkit
    • new tests: common SSH brute force scanners, suspicious PHP files
    • enhanced tests: login, netstat, top, backdoor
    • some minor bug fixes

chkrootkit-m 0.2 for mobile phones is now available! (Release Date: Mon Dec 17 2007) This version includes:

  • chkrootkit-m
    • chkrootkit Python port for mobile phones
    • tests: Cabir A-E Variants, Lasco, Skulls, Comwar.C, Comwar.Q, Acallno.A, Cardblock.A, Mopofeli.A, SingleJump.C
    • still in alpha stage

Tests performed and rootkits detected

The following tests are made:

  • aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp amd basename biff chfn chsh cron crontab date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write

The following rootkits, worms and LKMs are currently detected:

01. lrk3, lrk4, lrk5, lrk6 (and variants); 02. Solaris rootkit; 03. FreeBSD rootkit;
04. t0rn (and variants); 05. Ambient's Rootkit (ARK); 06. Ramen Worm;
07. rh[67]-shaper; 08. RSHA; 09. Romanian rootkit;
10. RK17; 11. Lion Worm; 12. Adore Worm;
13. LPD Worm; 14. kenny-rk; 15. Adore LKM;
16. ShitC Worm; 17. Omega Worm; 18. Wormkit Worm;
19. Maniac-RK; 20. dsc-rootkit; 21. Ducoci rootkit;
22. x.c Worm; 23. RST.b trojan; 24. duarawkz;
25. knark LKM; 26. Monkit; 27. Hidrootkit;
28. Bobkit; 29. Pizdakit; 30. t0rn v8.0;
31. Showtee; 32. Optickit; 33. T.R.K;
34. MithRa's Rootkit; 35. George; 36. SucKIT;
37. Scalper; 38. Slapper A, B, C and D; 39. OpenBSD rk v1;
40. Illogic rootkit; 41. SK rootkit. 42. sebek LKM;
43. Romanian rootkit; 44. LOC rootkit; 45. shv4 rootkit;
46. Aquatica rootkit; 47. ZK rootkit; 48. 55808.A Worm;
49. TC2 Worm; 50. Volc rootkit; 51. Gold2 rootkit;
52. Anonoying rootkit; 53. Shkit rootkit; 54. AjaKit rootkit;
55. zaRwT rootkit; 56. Madalin rootkit; 57. Fu rootkit;
58. Kenga3 rootkit; 59. ESRK rootkit; 60. rootedoor rootkit;
61. Enye LKM; 62. Lupper.Worm; 63. shv5;

chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x, FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x, 3.x and 4.x., NetBSD 1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64, BSDI and Mac OS X.

More details can be found on the chkrootkit's README.

Mailing List

To subscribe:

echo "subscribe users your email" | mail majordomo@chkrootkit.org

The online archive of this mailing list is located at The Mailing list ARChives (MARC).

Contacting the Authors

Please send comments, new rootkits, questions and bug reports to Nelson Murilo <nelson@pangeia.com.br> (main author) and Klaus Steding-Jessen <jessen@cert.br> (co-author).

Valid
XHTML 1.0! Valid CSS!
$Date: 2007/12/17 21:49:29 $