chkrootkit

chkrootkit(8) System Manager's Manual chkrootkit(8)

NAME

   chkrootkit - Scan the system for signs of rootkits

SYNOPSIS

   chkrootkit [OPTIONS] [TEST...]

DESCRIPTION

   chkrootkit examines the target system for signs that it has been tampered with. Some tools which chkrootkit uses can be found in /usr/lib/chkrootkit.

OPTIONS

   Unlike usual programmes, options cannot be 'combined', so you need to write '-q -n' instead of '-qn'.

   -q     Enter quiet mode. This suppresses output of tests that find nothing suspicious.

   -x     Enter expert mode. This makes many tests produce additional output showing what they have found.

   -d     Enter debug mode. This shows exactly what chkrootkit is doing at every step (it includes running chkrootkit with set -x).

   -e "FILE1[ FILE2...]"
          Exclude listed files from the results of some tests. The list should be space-separated (which will generally require quoting when run from a shell). You can also specify -e several times. Use this to remove false positives from the result of many tests - see /usr/share/doc/chkrootkit/README.FALSE-POSITIVES.gz.

   -s REGEXP
          Similar to -e but only applies to the result of the sniffer test. This test will class standard network managers like systemd-networkd(1), NetworkManager(1) or wpa_supplicant(1) as packet sniffers. You can remove such messages from the output with something like chkrootkit -s '(systemd-networkd|NetworkManager|wpa_supplicant)' (you may want to use a more precise regular expression, see /etc/chkrootkit/chkrootkit.conf). The argument can be any regular expression understood by egrep(1) and is applied to every line of the output of the ifpromisc test.

   -p DIR1[:DIR2...]
          Specify an alternative $PATH. chkrootkit assumes that standard programmes, like find(1) and grep(1), are uncompromised. The intention is that you place trusted copies of such binaries where they cannot be modified and invoke it with something like chkrootkit -p /media/usb.

   -r DIR Use DIR as the root directory. For example, you might mount a compromised disk on an uncompromised system and run chkrootkit -r /mnt.

   -n     Make some tests ignore NFS-mounted directories.

   -T FSTYPE
          Make some tests ignore file systems of type FSTYPE. This uses find(1)'s -fstype option.

   -l     Print available tests.

   -h     Print a short help message and exit.

   -V     Print version information and exit.

AUTHOR

   Manual page written by Yotam Rubin <yotam@makif.omer.k12.il>, Marcos Fouces <marcos@debian.org>, Lantz Moore <lmoore@debian.org>, and Richard Lewis <richard.lewis.debian@googlemail.com> for the Debian project. It may be used by others.

SEE ALSO

   strings(1) chklastlog(8) chkwtmp(8)

   Oct 23, 2021                                    chkrootkit(8)