Check for Rootkit in Linux

December 18, 2006
This article explains various ways of detecting rootkits in Linux.

What is a rootkit?

A rootkit is a collection of tools a hacker installs on a victim's computer after gaining initial access. It generally consists of network sniffers, log-cleaning scripts, and trojaned replacements of core system utilities such as ps, netstat, ifconfig, and killall. Most are self-hiding toolkits used by blackhats, crackers and script kiddies to avoid the eye of the sysadmin.

Programs that are used to detect rootkits are known as rootkit scanners. These programs scan your system on a periodic basis to see if any of the core tools have been tampered with.

Rootkit Hunter and Chkrootkit are two programs that are used to detect rootkits in Linux.

Rootkit Hunter and Chkrootkit require root privileges to run. This means you should either log in as the root user or use sudo to run the program.

Rootkit Hunter

Rootkit Hunter - rkhunter - is a shell script that will detect rootkits or malware on your Linux computer. It also performs checks to see if commands have been modified, and various checks on the network interfaces, including checks for listening applications.

How to Install Rootkit Hunter

The Rootkit Hunter program is available in the repositories of most Linux distributions. The easiest way of installing Rootkit Hunter in Linux is to use the package management tool of your Linux distribution.

As an example, in Ubuntu Linux, you can install Rootkit Hunter from the "Ubuntu Software Center" or via the command line as shown below.

$ sudo apt-get install rkhunter

Rootkit Hunter usage

Update the Rootkit Hunter database

# rkhunter --update

This command has to be run on a regular basis to keep the database of known rootkits current. You can use cron to schedule this command to run at regular intervals.

Check your computer for rootkits

# rkhunter --check

The above command runs a number of tests to detect any rootkit or malware on your Linux computer.

List the names of all the rootkits Rootkit Hunter will search for.

# rkhunter --list rootkits

List the currently available test names

# rkhunter --list tests

The Rootkit Hunter configuration file is stored at /etc/rkhunter.conf. This file is well documented and contains many of Rootkit Hunter's configuration options.


Chkrootkit

Chkrootkit (like Rootkit Hunter) is another tool used to detect rootkits in Linux. Chkrootkit examines certain elements of the target system and determines whether they have been tampered with.

This program can be found in your Linux distribution's repository.

In Ubuntu Linux, you can install Chkrootkit from the "Ubuntu Software Center" or via the command line as follows.

$ sudo apt-get install chkrootkit

Chkrootkit Usage

Print available tests

# chkrootkit -l

Detect rootkits on your computer

# chkrootkit

Run Chkrootkit in expert mode

# chkrootkit -x

Rootkit Hunter and Chkrootkit together form a nice combination of tools you can use to check for and detect rootkits in Linux.
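
The cron scheduling suggested above, combined with both scanners, can be wrapped in one script. This is an added example, not part of the original article; the script path, the function names and the rkhunter options --cronjob and --report-warnings-only and chkrootkit's -q do not appear in the article.

```shell
#!/bin/sh
# Added example (not from the original article): cron wrapper for both scanners.
# Hypothetical install path: /usr/local/sbin/rootkit-scan.sh
# /etc/cron.d entry (cron mails any output to MAILTO):
#   30 3 * * * root /usr/local/sbin/rootkit-scan.sh --run

# Scanner commands; overridable so the wrapper can be tested without them.
RKHUNTER=${RKHUNTER:-rkhunter}
CHKROOTKIT=${CHKROOTKIT:-chkrootkit}

# Refresh rkhunter's data files. The rkhunter man page documents exit
# status 2 as "updates were installed", so only status 1 counts as failure.
update_db() {
    rc=0
    "$RKHUNTER" --update >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 1 ]
}

# Run both scanners non-interactively and keep only what they flag.
# --cronjob disables colours and key-press prompts; -q is chkrootkit's quiet mode.
# Returns 0 when neither scanner printed anything, 1 otherwise.
scan() {
    findings=$(
        "$RKHUNTER" --check --cronjob --report-warnings-only 2>&1 || :
        "$CHKROOTKIT" -q 2>&1 || :
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# One scheduled run: a failed update is reported but does not skip the scan.
nightly() {
    update_db || echo "rkhunter --update failed; scanning with existing data files"
    scan
}

# Only scan when asked to, so sourcing this file has no side effects.
case "${1:-}" in
    --run) nightly ;;
esac
```

Because a clean run prints nothing, any mail from this cron job means one of the scanners flagged something or could not run.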