Scroll to navigation

chkrootkit(8) System Manager's Manual chkrootkit(8)


chkrootkit - Determine whether the system is infected with a rootkit


chkrootkit [OPTION]... [TESTNAME]...


chkrootkit examines certain elements of the target system and determines whether they have been tampered with. Some tools which chkrootkit applies while analyzing binaries and log files can be found at /usr/lib/chkrootkit.


Print a short help message and exit.
Print version information and exit.
Print available tests. Currently, these are the following:
aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG amd basename biff chfn chsh cron crontab date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write
Enter debug mode.
Enter expert mode.
Exclude known false positive files/dirs, quoted, space separated.
Enter quiet mode.
Use dir as the root directory.
Specify the path for the external commands used by chkrootkit.
skip NFS mounted dirs
exclude known positives. Quoted white space separated list of files/dirs. Read /usr/share/doc/chkrootkit/README.FALSE-POSITIVES previously.
exclude known false positive sniffer (dhcpd, ntop etc) quoted, space separated. Please, read /usr/share/doc/chkrootkit/README.FALSE-POSITIVES previously.


Manual page written by Yotam Rubin <>, Marcos Fouces <> and lantz moore <> for the Debian project. It may be used by others.



10 January 2003