chkrootkit must run as root.  The simplest way is:


# ./chkrootkit

This will perform all tests. You can also specify only the tests you want, as shown below:

Usage: ./chkrootkit [options] [testname ...] Options: -h show this help and exit -V show version information and exit -l show available tests -d debug -q quiet mode -x expert mode -r dir use dir as the root directory -p dir1:dir2:dirN path for the external commands used by chkrootkit -n skip NFS mounted dirs

Where testname stands for one or more from the following list: aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp amd basename biff chfn chsh cron crontab date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write For example, the following command checks for trojaned ps and ls binaries and also checks if the network interface is in promiscuous mode.

# ./chkrootkit ps ls sniffer

The `-q' option can be used to put chkrootkit in quiet mode -- in this mode only output messages with `infected' status are shown. With the `-x' option the user can examine suspicious strings in the binary programs that may indicate a trojan -- all the analysis is left to the user. Lots of data can be seen with:

# ./chkrootkit -x | more

Pathnames inside system commands:

# ./chkrootkit -x | egrep '^/'

chkrootkit uses the following commands to make its tests: awk, cut, egrep, find, head, id, ls, netstat, ps, strings, sed, uname. It is possible, with the `-p' option, to supply an alternate path to chkrootkit so it won't use the system's (possibly) compromised binaries to make its tests. To use, for example, binaries in /cdrom/bin:

# ./chkrootkit -p /cdrom/bin

It is possible to add more paths with a `:'

# ./chkrootkit -p /cdrom/bin:/floppy/mybin

Sometimes is a good idea to mount the disk from a compromised machine on a machine you trust. Just mount the disk and specify a new rootdir with the `-r' option. For example, suppose the disk you want to check is mounted under /mnt, then:

# ./chkrootkit -r /mnt

Official Website:

Server is hosted by Alanstudio
Linux Operating System

Recommend screen resolution 1024 x 768 / IE / FireFox
Alan Studio © 2007 by Alan Cheung Hin Lun. All rights reserved.