chkrootkit (Check Rootkit) is a classic Unix rootkit scanner: a shell script plus helper binaries that look for known rootkit signatures, tampered system commands, suspicious kernel modules, and packet sniffers. It is not a replacement for antivirus or intrusion detection, but it is a useful second opinion on servers you already harden with updates and firewall rules.
This guide covers how to install chkrootkit on Ubuntu from apt, run scans without waiting forever on a full-system walk, enable packaged daily checks, and read results without panicking over common false positives. I ran these steps on Ubuntu 25.04 and kept real output below.
Tested on: Ubuntu 25.04 (Plucky Puffin); kernel 6.14.0-37-generic.
sudo chkrootkit scans the live system at ROOTDIR=/: dozens of binary checks plus hidden-file sweeps across /usr, /lib, /var, and more. Despite the similar name it has nothing to do with the chroot command, but it does behave like a full-OS audit and can run for many minutes with sparse output. For interactive use prefer chkrootkit -q; for automation wrap runs in timeout (for example timeout 300 sudo chkrootkit -q).
Quick command summary
| Task | Command |
|---|---|
| Install chkrootkit | sudo apt install -y chkrootkit |
| Check package version | chkrootkit -V |
| List available tests | chkrootkit -l |
| Full live-system scan | sudo chkrootkit (slow—see timeout below) |
| Quiet scan (warnings only) | sudo chkrootkit -q |
| Scan with time limit | timeout 300 sudo chkrootkit -q |
| Scan one test only | sudo chkrootkit sshd |
| Scan alternate root (forensics) | sudo chkrootkit -r /mnt/suspect-root |
| Validate daily timer | systemctl status chkrootkit.timer |
| Edit daily scan config | sudo nano /etc/chkrootkit/chkrootkit.conf |
| Remove package | sudo apt purge -y chkrootkit |
Prerequisites
- Ubuntu 22.04 LTS, 24.04 LTS, or newer (25.04 tested here) with the Universe repository enabled.
- sudo for installation and system-wide scans.
- Root privileges for meaningful scans: chkrootkit compares live /bin, /sbin, and process tables.
- Patience or timeout for full scans; a quiet scan on my host finished within ~90 seconds, while an unrestricted full run can exceed ten minutes on a busy disk.
- Optional companion: rkhunter rootkit scanner guide for overlapping coverage.
What chkrootkit actually scans
| Scope | Command | What it does |
|---|---|---|
| Live system (default) | sudo chkrootkit | ROOTDIR is /: checks system binaries (ps, sshd, ls, …), LKM/sniffer tests, and suspicious hidden paths across the running OS |
| Directory / mount | sudo chkrootkit -r /opt | Treats /opt as root; useful for offline forensics on a mounted disk image |
| Single signature | sudo chkrootkit sshd | Runs only the sshd test against the live system |
| Quiet summary | sudo chkrootkit -q | Suppresses most not infected lines; still walks the system |
chkrootkit does not recursively virus-scan every file like ClamAV. It runs a fixed battery of rootkit-specific tests. The long runtime comes from external commands, strings comparisons, and hidden-file discovery under large trees like /usr/lib.
Step 1: Install chkrootkit from apt
Refresh indexes and install from Universe:
```
sudo apt update
sudo apt install -y chkrootkit
```
On Ubuntu 25.04:
```
apt-cache policy chkrootkit
```
```
Installed: 0.58b-4
Candidate: 0.58b-4
0.58b-4 500
500 http://archive.ubuntu.com/ubuntu plucky/universe amd64 Packages
```
Verify the binary:
```
chkrootkit -V
```
```
chkrootkit version 0.58b
```
The package name is chkrootkit, not chrootkit or checkrootkit. Ubuntu 22.04 LTS still packages 0.55; 24.04 and 25.04 ship the 0.58b line per Launchpad.
Step 2: Run your first scan (with a timeout)
Quiet mode (recommended day to day)
```
timeout 300 sudo chkrootkit -q
```
On my Ubuntu 25.04 host the quiet scan reported warnings, not INFECTED, for dotfiles owned by normal packages:
```
WARNING: The following suspicious files and directories were found:
/usr/lib/modules/6.14.0-37-generic/vdso/.build-id [From Debian package: linux-modules-6.14.0-37-generic]
/usr/lib/node_modules/npm/.npmrc [From Debian package: nodejs]
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess [From Debian package: fail2ban]
```
The [From Debian package: …] suffix on Ubuntu 0.58b means dpkg owns the path; treat these as false positives unless other evidence contradicts it. Confirm with:
```
dpkg -S /usr/lib/modules/6.14.0-37-generic/vdso/.build-id
```
Full verbose scan (expect a long run)
```
timeout 600 sudo chkrootkit 2>&1 | tee /tmp/chkrootkit-full.log
```
The first lines show the live root:
```
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `chfn'... not infected
Checking `sshd'... not infected
```
- not infected: test passed for that binary/signature.
- not found: target not installed (common for legacy daemons).
- not tested: skipped (missing helper or irrelevant on this system).
- INFECTED: investigate immediately, but verify with package checksums before assuming compromise.
Single-test and scoped scans (fast)
```
sudo chkrootkit sshd
```
```
ROOTDIR is `/'
Checking `sshd'... not infected
```
Scan only an alternate directory (for example a mounted suspect disk):
```
sudo chkrootkit -r /opt
```
```
ROOTDIR is `/opt/'
Checking `basename'... not found
```
List every test name:
```
chkrootkit -l | fold -s | head -5
```
```
/usr/sbin/chkrootkit: tests: aliens asp bindshell lkm rexedcs sniffer ...
```
Step 3: Enable and tune daily scans
Ubuntu 25.04 ships both a systemd timer and a legacy cron script:
```
systemctl is-enabled chkrootkit.timer
systemctl is-active chkrootkit.timer
ls -la /etc/cron.daily/chkrootkit
```
```
enabled
active
-rwxr-xr-x 1 root root 161 ... /etc/cron.daily/chkrootkit
```
Configuration moved to /etc/chkrootkit/chkrootkit.conf (not /etc/chkrootkit.conf as older tutorials state):
```
grep -E '^RUN_DAILY|^RUN_DAILY_OPTS|^DIFF_MODE|^MAILTO' /etc/chkrootkit/chkrootkit.conf
```
Default highlights from the packaged file:
```
RUN_DAILY="true"
RUN_DAILY_OPTS=""
DIFF_MODE="true"
```
For quieter daily mail, set:
```
sudo sed -i 's/^RUN_DAILY_OPTS=.*/RUN_DAILY_OPTS="-q"/' /etc/chkrootkit/chkrootkit.conf
```
Review the first automated run:
```
sudo less /var/log/chkrootkit/log.today
```
When output is clean, establish a baseline for diff mode:
```
sudo cp -a /var/log/chkrootkit/log.today /var/log/chkrootkit/log.expected
```
Add reviewed false positives to /etc/chkrootkit/chkrootkit.ignore.
Optional cron wrapper with timeout
If you schedule a custom cron job instead of the packaged timer, always cap runtime:
```
sudo tee /usr/local/bin/chkrootkit-safe.sh << 'EOF'
#!/bin/sh
timeout 900 /usr/sbin/chkrootkit -q >> /var/log/chkrootkit/manual.log 2>&1
EOF
sudo chmod +x /usr/local/bin/chkrootkit-safe.sh
```
Step 4: Interpret warnings and false positives
| Output | Meaning | Next step |
|---|---|---|
| not infected | No signature match | None |
| INFECTED | Pattern matched | Verify with dpkg -S, debsums, and a second scanner |
| PACKET SNIFFER | Process uses PF_PACKET | Often NetworkManager, dhclient, or monitoring; check ss -lp \| grep PACKET |
| WARNING: suspicious files with package tag | Packaged dotfile | False positive on modern Ubuntu builds |
| not tested | Skipped check | Install missing helper (for example psmisc for pstree) |
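As an added example (not from this guide's author or the chkrootkit project), the POSIX sh script below applies the table above to a quiet-scan log: it separates INFECTED lines, dpkg-tagged paths, and untagged findings, and can confirm each package tag with dpkg -S when VERIFY_DPKG=1 is set. It assumes the 0.58b line format shown in Step 2 (one absolute path per line, optionally suffixed with [From Debian package: NAME]); the sample log at the bottom is constructed, not taken from a real scan.

```shell
#!/bin/sh
# Added example for this guide, not part of chkrootkit. Assumes the 0.58b
# quiet-scan format from Step 2: verdict lines containing INFECTED, a
# "WARNING: The following suspicious files..." header, then one absolute
# path per line, optionally tagged "[From Debian package: NAME]".

# Reads chkrootkit output on stdin and prints one classified line per finding.
# Exit status: 2 if anything is INFECTED, 1 if a finding needs manual review
# (untagged path, sniffer, or a package tag dpkg cannot confirm), 0 otherwise.
triage_chkrootkit() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *INFECTED*)
                printf 'CRITICAL %s\n' "$line"; rc=2 ;;
            /*" [From Debian package: "*"]")
                path=${line%% *}
                pkg=${line##*: }; pkg=${pkg%]}
                # VERIFY_DPKG=1 cross-checks the tag with dpkg -S on a real host;
                # it stays off by default so the demo runs without dpkg or the path.
                if [ "${VERIFY_DPKG:-0}" = 1 ] && ! dpkg -S "$path" >/dev/null 2>&1; then
                    printf 'REVIEW %s (tagged %s but dpkg -S finds no owner)\n' "$path" "$pkg"
                    [ "$rc" -eq 2 ] || rc=1
                else
                    printf 'PACKAGED %s (%s)\n' "$path" "$pkg"
                fi ;;
            "WARNING: The following suspicious"*)
                ;;  # header of the file list; carries no path itself
            /*|WARNING*|*"PACKET SNIFFER"*)
                printf 'REVIEW %s\n' "$line"
                [ "$rc" -eq 2 ] || rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample log (not a real scan) mixing the three outcomes.
run_sample() {
    triage_chkrootkit <<'EOF'
WARNING: The following suspicious files and directories were found:
/usr/lib/node_modules/npm/.npmrc [From Debian package: nodejs]
/opt/.cache/.x
Checking `sshd'... INFECTED
EOF
}

# Live use: sudo timeout 300 chkrootkit -q | VERIFY_DPKG=1 triage_chkrootkit
if [ "${1:-}" = "--demo" ]; then run_sample; fi
```

Run it with --demo to see the sample classified; the exit status (2 here, because of the INFECTED line) is what a cron wrapper or monitoring check should act on.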
If you suspect a real rootkit, do not trust local ps/ls alone—boot trusted live media and scan the mounted root read-only:
```
sudo chkrootkit -r /mnt/suspect-root
```
Pair results with rkhunter for broader file-property checks.
Uninstall
```
sudo systemctl disable --now chkrootkit.timer
sudo apt purge -y chkrootkit
sudo apt autoremove -y
```
Remove logs when you no longer need history:
```
sudo rm -rf /var/log/chkrootkit
```
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| Command appears hung | Full scan still walking / | Use -q, single tests, -r, or timeout 300 |
| Unable to locate package chkrootkit | Universe disabled | sudo add-apt-repository universe && sudo apt update |
| Daily mail is huge | Default verbose daily run | Set RUN_DAILY_OPTS="-q" in chkrootkit.conf |
| grep /etc/chkrootkit.conf fails | Path changed on newer Ubuntu | Use /etc/chkrootkit/chkrootkit.conf |
| Many WARNING lines with package names | Normal on dev servers | Add to chkrootkit.ignore after review |
| pstree not tested | Missing binary | sudo apt install -y psmisc |
References
- chkrootkit project — upstream documentation
- Ubuntu chkrootkit package — version per release
- Alibaba Cloud: chkrootkit on Ubuntu — classic apt workflow (config path differs on newer Ubuntu)
- OneUptime: rkhunter and chkrootkit — pairing scanners and false-positive handling
- On-site: apt command, rkhunter scanner, cron cheat sheet
Summary
Install chkrootkit on Ubuntu with sudo apt install chkrootkit from Universe; it delivered 0.58b on 25.04. A default sudo chkrootkit is a full live-system rootkit audit (ROOTDIR=/), not a quick on-demand malware scan; that is why earlier test runs looked stuck until we added timeout and switched to -q for routine checks.
Use chkrootkit -q day to day, chkrootkit sshd (or other single tests) for spot checks, and chkrootkit -r when you scan a mounted disk offline. chkrootkit.timer handles daily runs on current Ubuntu—tune /etc/chkrootkit/chkrootkit.conf so mail stays readable. Treat package-tagged warnings as leads to verify, not automatic proof of compromise.