Linux Detecting / Checking Rootkits with Chkrootkit and rkhunter Software

Q. Most rootkits use the kernel to hide themselves, so they are only visible from within the kernel. How do I detect rootkits on a CentOS or Debian Linux server?

A. A rootkit is a program (or a combination of several programs) designed to take fundamental control (in Unix terms "root" access, in Windows terms "Administrator" access) of a computer system without authorization from the system's owners and legitimate administrators.


Detecting rootkits under Linux

You can try the following tools to detect Linux rootkits:

WARNING! For the best result, run these tools from a Live CD (a Linux security Live CD) rather than from the possibly compromised system itself, so that the scanner and the binaries it relies on cannot have been tampered with.

Zeppoo Software

Zeppoo – Zeppoo allows you to detect rootkits on the i386 and x86_64 architectures under Linux by inspecting kernel memory through /dev/kmem and /dev/mem. It can also detect hidden tasks, hidden connections, corrupted symbols, modified system calls and more. Download source code here

Chkrootkit Software

Chkrootkit – chkrootkit is a tool to locally check for signs of a rootkit. Type the following command to install chkrootkit:
$ sudo apt-get install chkrootkit
Start looking for rootkits, enter:
$ sudo chkrootkit
Run in expert mode and look for suspicious strings in the output, enter:
$ sudo chkrootkit -x | less
chkrootkit relies on external commands such as awk, grep, ps and netstat; if those binaries on the suspect system have been replaced, the scan results cannot be trusted. Mount a known-good copy of the system binaries at /mnt/safe (for example over NFS in read-only mode) and tell chkrootkit to use that directory as its trusted PATH, enter:
$ sudo chkrootkit -p /mnt/safe

rkhunter software

rkhunter – rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. rkhunter is a shell script which carries out various checks on the local system to try to detect known rootkits and malware. It also checks whether commands have been modified and whether the system startup files have been modified, and performs various checks on the network interfaces, including checks for listening applications. Type the following command to install rkhunter:
$ sudo apt-get install rkhunter
The following option tells rkhunter to perform its checks on the local system:
$ sudo rkhunter --check
The following option causes rkhunter to check whether a later version of any of its text data files is available and download it:
$ sudo rkhunter --update
The following option tells rkhunter which directories to look in for the various commands it requires (again, point it at a trusted, read-only copy of the binaries):
$ sudo rkhunter --check --bindir /mnt/safe
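The two procedures above share one precondition: the directory you hand to chkrootkit -p or rkhunter --bindir must really be a complete, read-only set of trusted binaries, otherwise the scanners quietly fall back to whatever is on the suspect system. The following wrapper is an added example, not part of the original article or of either project: it verifies the trusted directory (mount flags read from /proc/self/mounts, required tools present) before invoking the scanners, and it summarises chkrootkit output by counting INFECTED findings. The /mnt/safe path, the sample chkrootkit output and the wrapper function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example wrapper around chkrootkit / rkhunter (not the projects' own code).
# Assumptions: a known-good set of binaries is mounted read-only at the directory
# passed as $1 (the article uses /mnt/safe); both scanners are installed.

# External commands chkrootkit needs from the trusted directory (see chkrootkit(8)).
REQUIRED_TOOLS="awk cut egrep find head id ls netstat ps strings sed uname"

# check_trusted_bindir DIR: return 0 if DIR contains every required tool as an
# executable file, 1 otherwise (missing names go to stderr).
check_trusted_bindir() {
    local dir=$1 missing="" t
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    for t in $REQUIRED_TOOLS; do
        [ -x "$dir/$t" ] || missing="$missing $t"
    done
    if [ -n "$missing" ]; then
        echo "missing in $dir:$missing" >&2
        return 1
    fi
    return 0
}

# mounted_readonly DIR: return 0 if DIR is a mount point carrying the "ro" option.
# /proc/self/mounts is read directly so no tool from the untrusted host PATH is used.
mounted_readonly() {
    local dir=$1 dev mnt fstype opts rest
    while read -r dev mnt fstype opts rest; do
        if [ "$mnt" = "$dir" ]; then
            case ",$opts," in
                *,ro,*) return 0 ;;
            esac
            return 1
        fi
    done < /proc/self/mounts
    return 1
}

# count_infected: read chkrootkit output on stdin and print the number of lines
# reporting INFECTED. Lines saying "not infected" are deliberately excluded.
count_infected() {
    local n=0 line
    while IFS= read -r line; do
        case "$line" in
            *"not infected"*) ;;
            *INFECTED*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# sample_output: constructed chkrootkit-style output used to exercise count_infected.
sample_output() {
cat <<'EOF'
ROOTDIR is `/'
Checking `ls'... not infected
Checking `netstat'... INFECTED
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Checking `lkm'... chkproc: nothing detected
EOF
}

# run_scans DIR: refuse to scan unless DIR is a read-only mount holding every
# required tool, then run both scanners against it and summarise chkrootkit.
run_scans() {
    local dir=$1
    mounted_readonly "$dir" || { echo "$dir is not a read-only mount" >&2; return 1; }
    check_trusted_bindir "$dir" || return 1
    sudo chkrootkit -p "$dir" | tee chkrootkit.log
    echo "chkrootkit INFECTED findings: $(count_infected < chkrootkit.log)"
    # --skip-keypress stops rkhunter pausing between test groups.
    sudo rkhunter --check --bindir "$dir" --skip-keypress
}

# Invoke as: ./scan.sh --run /mnt/safe
if [ "${1:-}" = "--run" ]; then
    run_scans "${2:-/mnt/safe}"
fi
```

The point of the two pre-flight checks is that both scanners accept a trusted directory but do not themselves prove it is trustworthy; a writable or incomplete directory defeats the purpose of the -p / --bindir options, so the wrapper fails closed rather than scanning with a mix of trusted and suspect binaries.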

Recommended readings:

  • man pages – rkhunter and chkrootkit
  • rkhunter Project home page
  • chkrootkit Project home page

9 comments
  • Nulkarp Mar 12, 2010 @ 1:24

    Thank you, very good job

  • Dariusz Mar 17, 2010 @ 11:57

    I tried to run zeppoo on CentOS 5.3 to no avail

    [root@elc-url-vnp-10 zeppoo-0.0.4]# ./zeppoo -z FP
    Kernel : 2.6.18-164.11.1.el5
    Memory : /dev/kmem
    open kmem:: No such file or directory

    [root@elc-url-vnp-10 zeppoo-0.0.4]# ./zeppoo -r -d /dev/mem -m /dev/m -z FP
    Kernel : 2.6.18-164.11.1.el5
    Memory : /dev/mem
    mmap : Operation not permitted

  • Andrew Tappert Oct 4, 2012 @ 23:50

    A more sophisticated and effective solution for Linux rootkit detection is Second Look. It is a Linux memory forensics product that uses kernel and process integrity verification to detect stealthy kernel- and user-mode malware. It supports all distros running 2.6- and 3-series kernels on 32- or 64-bit x86 systems. A large, continuously updated repository of reference kernels and hashes of vendor-distributed software support the fully automatic verification process. Learn more about it at http://secondlookforensics.com/.

  • Andrew Tappert Oct 4, 2012 @ 23:51

    A more sophisticated and effective solution for Linux rootkit detection is Second Look. It is a Linux memory forensics product that uses kernel and process integrity verification to detect stealthy kernel- and user-mode malware. It supports all distros running 2.6- and 3-series kernels on 32- or 64-bit x86 systems. A large, continuously updated repository of reference kernels and hashes of vendor-distributed software support the fully automatic verification process. (Full disclosure: I am one of the developers of Second Look.)

  • qwertyuiop Jan 13, 2014 @ 13:17

    What is the reason to install the tool (sudo apt-get…) on a system you already suspect is infected? It would be interesting to have instructions on how to update/run it from a DVD or other non-writable media.

  • Elmar Stellnberger Apr 3, 2014 @ 0:13

    Unfortunately rkhunter and chkrootkit cannot spot many rootkits, as they are simply not in their database. However, there are other ways to spot rootkits, for instance online checksum verification as done by debcheckroot (http://www.elstel.org/debcheckroot/), which can even spot previously unknown rootkits.

  • Juan May 28, 2017 @ 2:51

    After downloading the files from chkrootkit.org, there is source code for chkdirs.c, chkproc.c, etc., but not for chkrootkit. Only the executable for chkrootkit is downloaded. How can we trust this? How do we know that chkrootkit is not infecting our Macs with key loggers?

  • Juan May 28, 2017 @ 13:32

    Who has reviewed the source code for all of the chkrootkit C programs, and especially the script chkrootkit, to ensure that they aren't infecting our computers with rootkits or key loggers?

  • Gaius Sep 19, 2017 @ 18:36

    You do realize that you must install rkhunter on a fresh install, before you do *anything*, right?
    rkhunter only checks for alterations and assumes that the system state at the time of installation is clean.
    So if you install it on a system which already has a rootkit, rkhunter will not detect it.
