chkrootkit
chkrootkit(8) System Manager's Manual chkrootkit(8)
NAME
chkrootkit - Scan the system for signs of rootkits
SYNOPSIS
chkrootkit [OPTION]... [TESTNAME]...
DESCRIPTION
chkrootkit examines the target system for signs that it has been tampered
with. Some tools which chkrootkit uses can be found in
/usr/lib/chkrootkit.
OPTIONS
Unlike most programmes, options cannot be combined: you need to write
'-q -n' instead of '-qn'.
-q Enter quiet mode. This suppresses output of tests that find
nothing suspicious.
-x Enter expert mode. This makes many tests produce additional
output showing what they have found.
-d Enter debug mode. This shows exactly what chkrootkit is doing at
every step (it includes running chkrootkit with 'set -x').
-e "FILE1[ FILE2...]"
Exclude the listed files from the results of some tests. The list
is space-separated (which will generally require quoting when run
from a shell). -e may be given several times. Use this to remove
false positives from the results of many tests; see
/usr/share/doc/chkrootkit/README.FALSE-POSITIVES. Anything excluded
is dropped from the report without comment, so keep the list to
paths you have actually inspected.
-s REGEXP
Similar to -e but only applies to the result of the sniffer test.
That test will flag standard network managers like systemd-
networkd(1), NetworkManager(1) or wpa_supplicant(1) as PACKET
SNIFFERs, and you can remove such messages from the output with
something like chkrootkit -s '(systemd-networkd|NetworkManager|wpa_supplicant)',
where the argument lists whichever managers you expect to be
present. The argument can be any regular expression understood by
egrep(1).
-p DIR1[:DIR2...]
Specify an alternative $PATH. chkrootkit assumes that standard
programmes, like find(1) and grep(1), are uncompromised. The
intention is that you place trusted copies where they cannot be
modified and invoke with something like chkrootkit -p /media/usb.
chkrootkit is itself a shell script, so the shell that runs it and
the running kernel are trusted as well; on a host you suspect is
compromised, prefer booting from known-good media and using -r.
-r DIR Use DIR as the root directory. For example, you might mount
the disk of a suspect machine on an uncompromised system and run
chkrootkit -r /mnt
-n Make some tests ignore NFS-mounted directories.
-l Print available tests. These are the following:
aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper
slapper z2 chkutmp OSX_RSPLUG amd basename biff chfn chsh cron
crontab date du dirname echo egrep env find fingerd gpm grep
hdparm su ifconfig inetd inetdconf identd init killall
ldsopreload login ls lsof mail mingetty netstat named passwd pidof
pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd
syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w
write
-h Print a short help message and exit.
-V Print version information and exit.
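The following wrapper is an added example and is not part of chkrootkit or
of this manual page. It combines the options above into the invocation a
responder would use on a suspect disk: a trusted toolset via -p, the mounted
filesystem via -r, the sniffer and false-positive filters via -s and -e, each
option written separately, plus a triage step over chkrootkit's report. The
trusted-tool list, the expected network daemons, the excluded path and the
sample report lines are assumptions or constructed data, not taken from
chkrootkit itself.

```shell
#!/bin/sh
# Added example, not part of chkrootkit or of this manual page: run
# chkrootkit as the OPTIONS section describes (trusted toolset via -p,
# mounted suspect root via -r, false-positive filters via -s/-e, options
# given one at a time) and triage what it prints. The tool list, the
# expected network daemons, the excluded path and the sample output are
# assumptions or constructed data, not taken from chkrootkit.

# Utilities chkrootkit relies on and assumes are uncompromised (assumed
# list; read the chkrootkit script for the complete set on your version).
TRUSTED_TOOLS="awk cut echo egrep find head id ls netstat ps sed strings uname"

# check_toolset DIR: verify every trusted utility exists and is executable
# in DIR. Prints the missing names, one per line, and returns 1 if any are
# missing, so the wrapper refuses to run with an incomplete toolset.
check_toolset() {
    dir=$1
    missing=""
    for t in $TRUSTED_TOOLS; do
        [ -x "$dir/$t" ] || missing="$missing $t"
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' $missing
    return 1
}

# build_cmd TOOLDIR ROOT EXCLUDES: print the chkrootkit command line for a
# trusted toolset at TOOLDIR and a suspect filesystem mounted at ROOT.
# EXCLUDES is the space-separated -e list of known false positives.
build_cmd() {
    tooldir=$1
    root=$2
    excludes=$3
    # Network daemons expected on the host (assumed); the sniffer test
    # reports these as PACKET SNIFFERs and -s suppresses exactly them.
    expected='(systemd-networkd|NetworkManager|wpa_supplicant)'
    # Options are written one at a time: chkrootkit does not accept '-qn'.
    printf "chkrootkit -q -n -p %s -r %s -s '%s' -e '%s'\n" \
        "$tooldir" "$root" "$expected" "$excludes"
}

# triage: read chkrootkit output on stdin and emit a one-line summary a
# cron job or SIEM rule can alert on. Lines saying "not infected",
# "not found" or "nothing detected" are ignored.
triage() {
    awk '
        /INFECTED/                       { infected++ }
        /PACKET SNIFFER/                 { sniffer++ }
        /Possible .* installed|Warning:/ { suspicious++ }
        END { printf "infected=%d suspicious=%d sniffer=%d\n", infected, suspicious, sniffer }
    '
}

# sample_output: constructed lines approximating chkrootkit's report
# format, used here so the triage logic can be exercised offline.
sample_output() {
    cat <<'EOF'
ROOTDIR is `/mnt/'
Checking `ls'... not infected
Checking `ps'... INFECTED
Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/NetworkManager[842])
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
Checking `w55808'... not infected
EOF
}

# Stand-alone demo: summarise the constructed report.
sample_output | triage
```

In a real run the NetworkManager sniffer line would already be gone, because
the -s regex printed by build_cmd matches it; the constructed sample leaves it
in so the triage step can be checked without -s. Run check_toolset on the
toolset directory before build_cmd, and treat a non-empty list of missing
utilities as a reason not to trust the results.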
AUTHOR
Manual page written by Yotam Rubin <yotam@makif.omer.k12.il>, Marcos
Fouces <marcos@debian.org> and lantz moore <lmoore@debian.org> for the
Debian project. It may be used by others.
SEE ALSO
strings(1) chklastlog(8) chkwtmp(8)
Oct 23, 2021 chkrootkit(8)