Scanning for Rootkits on Linux with chkrootkit
A walkthrough of using chkrootkit to scan for hidden rootkits and ensure host system integrity.
Project Description
As part of a host-based threat detection exercise, I used the chkrootkit tool to scan a Linux system for potential rootkits. Rootkits are stealthy forms of malware designed to hide their presence and maintain privileged access. By regularly auditing systems for signs of rootkits, administrators can detect early indicators of compromise and help maintain endpoint integrity.
This project demonstrates how chkrootkit can serve as a fast, lightweight tool in blue-team workflows for identifying tampering in common binaries and system processes.
Tool Setup
I began by installing chkrootkit from the official Ubuntu repositories. This utility contains multiple small programs that analyze logs, inspect system commands, and compare known signatures of malicious tampering.
sudo apt update sudo apt install chkrootkit
Once installed, the tool is ready to run with a single command and does not require custom configuration to begin scanning.
Running the Rootkit Scan
To execute a full scan across key areas of the system, I ran:
sudo chkrootkit
This initiates a series of tests across common system files, networking tools, login services, and memory-resident threats. It checks core utilities like ps, ls, ifconfig, and netstat to determine whether they’ve been altered or replaced by stealthy malware.
Screenshot Suggestion: Terminal output from chkrootkit showing [ Not infected ] across a range of system services.
Understanding the Output
A typical clean scan result looks like this:
Checking 'sshd'... not infected
Checking 'ifconfig'... not infected Checking 'login'... not infected
If any infection or modification is suspected, chkrootkit flags it clearly, for example:
Warning: Possible LKM Trojan installed
These alerts indicate the potential presence of loadable kernel modules (LKMs) often used by advanced rootkits to hide processes and files.
Security Relevance
Domain 1: Threats and Vulnerabilities
Covers detection and identification of rootkits and advanced persistent threats.
Domain 4: Security Operations
Demonstrates host-based monitoring, file integrity awareness, and anomaly detection from a command-line interface.
Summary
Using chkrootkit, I performed a host-based malware detection scan to identify any known rootkits or suspicious changes to critical binaries. The tool returned no infections, confirming the system was clean at the time of the scan.
This lightweight utility is ideal for use in incident response, regular system audits, and forensics readiness. It provides a simple but effective layer of visibility into the integrity of a Linux host and complements other defensive tools like AIDE, auditd, and file hashing utilities.
Bonus Tip: Automating Regular Scans
To create a basic log of periodic scans for auditing purposes, You added the following to your cron scheduler:
@weekly root chkrootkit > /var/log/chkrootkit-$(date +%F).log
This configuration runs chkrootkit weekly and saves the results with a timestamp. Logs like these are useful during breach analysis or compliance reviews.