.TH chkrootkit 8 "Oct 23, 2021"
.SH NAME
chkrootkit \- Scan the system for signs of rootkits
.SH SYNOPSIS
.B chkrootkit
.RI [ OPTION ]...\ [ TESTNAME ]...
.SH DESCRIPTION
.B chkrootkit
examines the target system for signs that it has been tampered with.
Some tools which
.B chkrootkit
uses can be found in
.IR /usr/lib/chkrootkit .
.SH OPTIONS
Unlike most programmes, options cannot be combined, so you need to write
.RB ' \-q\ \-n '
instead of
.RB ' \-qn '.
.TP
.B \-q
Enter quiet mode. This suppresses output of tests that find nothing suspicious.
.TP
.B \-x
Enter expert mode. This makes many tests produce additional output showing
what they have found.
.TP
.B \-d
Enter debug mode. This shows exactly what chkrootkit is doing at every step
(it includes running chkrootkit with
.RB ' set\ \-x ').
.TP
.RI \fB\-e\ \&" FILE1 [\ FILE2 ...] \fB\&"
Exclude listed files from the results of some tests. The list should be
space-separated (which will generally require quoting when run from a shell).
You can also specify
.B \-e
several times. Use this to remove false positives from the result of many
tests; see
.IR /usr/share/doc/chkrootkit/README.FALSE-POSITIVES .
.TP
.BI \-s\ REGEXP
Similar to
.B \-e
but only applies to the result of the sniffer test. This test will flag
standard network managers like
.BR systemd-networkd (1),\ NetworkManager (1)\ or\ wpa_supplicant (1)
as
.BR PACKET\ SNIFFER s,
and you can remove such messages from the output with something like
.BR chkrootkit\ \-s\ '(systemd-networkd|NetworkManager|wpa_supplicant)' ,
where the argument lists whichever managers you expect to be present.
The argument can be any regular expression understood by
.BR egrep (1).
.TP
.RI \fB\-p\ DIR1 [: DIR2 ...]
Specify an alternative
.IR $PATH .
.B chkrootkit
assumes that standard programmes, like
.IR find (1)
and
.IR grep (1),
are uncompromised. The intention is that you place trusted copies where they
cannot be modified and invoke with something like
.BR chkrootkit\ \-p\ /media/usb .
.TP
.BI \-r\ DIR
Use
.I DIR
as the root directory. For example, you might mount a disk on an uncompromised
system and run
.BI "chkrootkit \-r " /mnt .
.TP
.B \-n
Make some tests ignore NFS-mounted directories.
.TP
.B \-l
Print available tests. These are the following:
.RS
aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2
chkutmp OSX_RSPLUG amd basename biff chfn chsh cron crontab date du dirname
echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd
init killall ldsopreload login ls lsof mail mingetty netstat named passwd
pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd
tar tcpd tcpdump top telnetd timed traceroute vdir w write
.RE
.TP
.B \-h
Print a short help message and exit.
.TP
.B \-V
Print version information and exit.
.SH "AUTHOR"
Manual page written by Yotam Rubin, Marcos Fouces and lantz moore for the
Debian project. It may be used by others.
.SH SEE ALSO
.BR strings (1),
.BR chklastlog (8),
.BR chkwtmp (8)
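.SH EXAMPLES
The following POSIX shell functions are an added example, not part of this
manual page or of chkrootkit itself. They stage the trusted toolset that
.B \-p
relies on, refuse to use it if any copy has changed since it was staged, and
then scan a disk mounted at the root given to
.B \-r .
The tool list, the checksum manifest, the source and destination directories
and the presence of chkrootkit on the analysis host are all assumptions.

```shell
#!/bin/sh
# Added example (not chkrootkit's own code): build and verify a trusted
# toolset for "chkrootkit -p", then scan a mounted disk with "-r".
set -eu

# Programs chkrootkit relies on being uncompromised. find and grep are named
# in the manual page; the rest of this list is an assumption. Copy them from a
# known-good system to a medium you then mount read-only (e.g. /media/usb).
TRUSTED_TOOLS="find grep egrep ls ps netstat strings awk sed cut sort uniq"

# stage_trusted_tools SRC_BIN DEST: copy each tool from SRC_BIN (a trusted
# system's /bin or /usr/bin) into DEST and record a sha256 manifest there.
stage_trusted_tools() {
    src=$1; dest=$2
    mkdir -p "$dest"
    for t in $TRUSTED_TOOLS; do
        [ -x "$src/$t" ] || { echo "missing trusted $t in $src" >&2; return 1; }
        cp "$src/$t" "$dest/$t"
    done
    (cd "$dest" && sha256sum $TRUSTED_TOOLS > SHA256SUMS)
}

# verify_trusted_tools DEST: succeed only if every staged copy still matches
# the manifest, so a toolset altered after staging is never put on $PATH.
verify_trusted_tools() {
    (cd "$1" && sha256sum -c --quiet SHA256SUMS) >/dev/null 2>&1
}

# scan_mounted_root TOOLDIR MOUNTPOINT [SNIFFER_REGEX]: run chkrootkit quietly
# (-q) with the trusted PATH (-p) against the suspect disk mounted at
# MOUNTPOINT (-r); an optional regex of expected network managers goes to -s.
scan_mounted_root() {
    tooldir=$1; root=$2; regex=${3:-}
    verify_trusted_tools "$tooldir" || {
        echo "trusted toolset in $tooldir failed checksum verification" >&2
        return 2
    }
    if [ -n "$regex" ]; then
        chkrootkit -q -p "$tooldir" -r "$root" -s "$regex"
    else
        chkrootkit -q -p "$tooldir" -r "$root"
    fi
}
```

A typical run is stage_trusted_tools /usr/bin /media/usb on the clean host, followed by scan_mounted_root /media/usb /mnt '(systemd-networkd|NetworkManager)' once the suspect disk is mounted at /mnt.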