chkrootkit
chkrootkit is a rootkit detector that searches for signs of over 70 different rootkits on Linux systems. It provides automated scanning but requires human judgment for final verification.
Description
The chkrootkit security scanner searches for signs that the system is infected with a 'rootkit'. Rootkits are a form of malware that seek to exploit security flaws to grant unauthorised access to a computer or its services, generally for malicious purposes. chkrootkit can identify signs of over 70 different rootkits.
Please note that an automated tool like chkrootkit can never guarantee a system is uncompromised. Nor does every report always signify a genuine problem: human judgement and further investigation will always be needed to assure the security of your system.
chkrootkit includes additional utilities like chklastlog (checks lastlog for deleted entries), chkwtmp (checks wtmp for deleted entries), and chkrootkit-daily (runs chkrootkit daily via cron/systemd and emails results).
How It Works
chkrootkit performs signature-based detection of known rootkit indicators across system binaries, processes, network interfaces and logs. It checks for common rootkit hiding techniques, including modified system binaries, hidden processes and log tampering. chklastlog compares /var/log/wtmp against /var/log/lastlog to find users who have login records in wtmp but no corresponding lastlog entry. chkwtmp scans /var/log/wtmp for records that have been overwritten with null bytes, which indicates that entries were deleted.
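The wtmp and lastlog checks described above can be illustrated with a small parser. The following is an added example, not code from the chkrootkit project: it assumes the x86_64 glibc record layouts for utmp (384 bytes) and lastlog (292 bytes, indexed by uid), builds a constructed wtmp and lastlog image in memory rather than reading the real files, and reproduces the two heuristics in simplified form: a run of all-zero wtmp records is reported as a deletion gap, and a user with a login in wtmp but an empty lastlog slot is flagged. The user names, timestamps and uid mapping are constructed sample data.

```python
import struct

# utmp record layout as used by glibc on x86_64 (384 bytes per entry):
# type, pad, pid, line[32], id[4], user[32], host[256], exit(2 shorts),
# session, tv_sec, tv_usec, addr_v6[4], unused[20]. Assumed layout.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)      # 384
# lastlog record: ll_time, ll_line[32], ll_host[256]; file offset = uid * size.
LASTLOG_FMT = "<i32s256s"
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)  # 292
USER_PROCESS = 7                             # ut_type for an interactive login


def make_utmp(user, line, host, tv_sec, ut_type=USER_PROCESS, pid=1000):
    """Pack one wtmp record (helper for the constructed sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"ts/0",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0, b"")


def parse_utmp(data):
    """Split a wtmp image into records; mark records that are entirely null."""
    entries = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        raw = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        entries.append({
            "type": f[0],
            "user": f[4].rstrip(b"\0").decode(errors="replace"),
            "line": f[2].rstrip(b"\0").decode(errors="replace"),
            "time": f[9],
            "zeroed": raw == b"\0" * UTMP_SIZE,
        })
    return entries


def check_wtmp(data):
    """chkwtmp-style check: report runs of null-byte records as deletions.

    Returns a list of (deleted_count, time_before, time_after); time_after is
    None when the gap runs to the end of the file.
    """
    deletions, prev_time, run = [], None, 0
    for e in parse_utmp(data):
        if e["zeroed"]:
            run += 1
            continue
        if run:
            deletions.append((run, prev_time, e["time"]))
            run = 0
        prev_time = e["time"]
    if run:
        deletions.append((run, prev_time, None))
    return deletions


def check_lastlog(wtmp_data, lastlog_data, uid_of):
    """chklastlog-style check: users with a wtmp login but no lastlog entry."""
    suspicious, seen = [], set()
    for e in parse_utmp(wtmp_data):
        if e["zeroed"] or e["type"] != USER_PROCESS or e["user"] in seen:
            continue
        seen.add(e["user"])
        uid = uid_of.get(e["user"])
        if uid is None:           # unknown account: not resolvable, skip
            continue
        off = uid * LASTLOG_SIZE
        rec = lastlog_data[off:off + LASTLOG_SIZE]
        # Slot missing (file too short) or ll_time == 0 means "never logged in",
        # which contradicts the login seen in wtmp.
        if len(rec) < LASTLOG_SIZE or struct.unpack(LASTLOG_FMT, rec)[0] == 0:
            suspicious.append(e["user"])
    return suspicious


def build_samples():
    """Constructed sample data: two zeroed wtmp records and one user whose
    lastlog slot was wiped. Names, hosts and times are made up."""
    wtmp = (make_utmp("alice", "pts/0", "10.0.0.5", 1700000000)
            + b"\0" * (2 * UTMP_SIZE)                      # two deleted records
            + make_utmp("bob", "pts/1", "10.0.0.6", 1700003600)
            + make_utmp("mallory", "pts/2", "198.51.100.7", 1700007200))
    uid_of = {"alice": 1000, "bob": 1001, "mallory": 1002}
    lastlog = bytearray(LASTLOG_SIZE * 1003)
    for user, line, host, t in (("alice", "pts/0", "10.0.0.5", 1700000000),
                                ("bob", "pts/1", "10.0.0.6", 1700003600)):
        off = uid_of[user] * LASTLOG_SIZE
        lastlog[off:off + LASTLOG_SIZE] = struct.pack(
            LASTLOG_FMT, t, line.encode(), host.encode())
    return wtmp, bytes(lastlog), uid_of


if __name__ == "__main__":
    wtmp, lastlog, uid_of = build_samples()
    for count, before, after in check_wtmp(wtmp):
        print(f"{count} deletion(s) between {before} and {after}")
    for user in check_lastlog(wtmp, lastlog, uid_of):
        print(f"user {user} has a wtmp login but no lastlog entry")
```

On a real system the same logic would read /var/log/wtmp and /var/log/lastlog and resolve uids through the passwd database; a zeroed record or an empty lastlog slot is a reason to investigate, not proof of tampering, since log rotation and account re-creation can produce similar artefacts.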
Installation
sudo apt install chkrootkit
Flags
Examples
chkrootkit -h
chkrootkit -V
chkrootkit -l
chkrootkit
chklastlog
chkwtmp
chkrootkit-daily