How to Install Chkrootkit on Debian (13, 12, 11)

Last updated: Sunday, February 8, 2026, 8:32 am. By Joshua James. 10 min read.

This guide walks through how to install chkrootkit on Debian to scan for rootkits, backdoors, and local exploits that hide unauthorized access from standard security tools. Chkrootkit examines system binaries, network interfaces, and log files for known rootkit signatures, covering threats from classic LKM rootkits to modern attacks like the XZ Backdoor (CVE-2024-3094) and Bootkitty UEFI bootkits. By the end, you will have chkrootkit installed and configured for automated daily scans, and you will understand how to interpret results and respond to detections.

Choose Your Chkrootkit Installation Method for Debian

Chkrootkit is available from Debian’s default repositories and as a source tarball from the project’s FTP server. The table below compares both methods:

| Method | Channel | Version | Updates | Best For |
| --- | --- | --- | --- | --- |
| APT (default repos) | Debian repos | Distribution default | Automatic via apt upgrade | Most users who prefer distro-tested packages |
| Source compilation | Official FTP | Latest (0.59) | Manual recompilation | Users who need XZ Backdoor, Bootkitty, or process-executed-from-memory detection |

For most users, the APT method is recommended because it provides automatic security updates and integrates with Debian’s daily cron scan configuration. Only compile from source if you need detection capabilities not yet available in the repository version.

The default APT versions vary by release:

| Debian Release | APT Version | Notable Capabilities |
| --- | --- | --- |
| Debian 13 (Trixie) | 0.58b | BPFDoor detection, -T network mount skip |
| Debian 12 (Bookworm) | 0.57 | Standard rootkit checks |
| Debian 11 (Bullseye) | 0.54 | Standard rootkit checks |

Install Chkrootkit on Debian

Update the package index and upgrade installed packages before installing chkrootkit:

sudo apt update && sudo apt upgrade

This guide uses sudo for commands that need root privileges. If your user is not in the sudoers file yet, run the commands as root or follow the guide on how to add a user to sudoers on Debian.

Method 1: Install Chkrootkit via APT

Install chkrootkit from Debian’s default repositories:

sudo apt install chkrootkit

Verify the installation by checking the version:

chkrootkit -V

Expected output (version varies by release):

chkrootkit version 0.58b

Method 2: Install Chkrootkit from Source

Source compilation provides the latest version (currently 0.59) with detection for XZ Backdoor, Bootkitty UEFI bootkits, and processes running from memory.

Install the required build tools and wget for downloading:

sudo apt install build-essential wget

The build-essential package includes GCC, make, and other tools needed for compilation. On Debian 12 and 11 minimal installations, wget may not be installed by default.

Download the latest source tarball from the official FTP server:

cd /tmp
wget ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz

Extract the archive and enter the source directory:

tar -xzf chkrootkit.tar.gz
cd chkrootkit-*/

The wildcard chkrootkit-*/ matches whatever version was extracted, so the command works regardless of the release number. Compile the source with:

make sense

Successful compilation produces output similar to:

cc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c
cc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c
cc  -o chkproc chkproc.c
cc  -o chkdirs chkdirs.c
cc  -o check_wtmpx check_wtmpx.c
cc -static  -o strings-static strings.c
cc  -o chkutmp chkutmp.c

Verify the compiled binary works:

./chkrootkit -V
chkrootkit version 0.59

Move the compiled directory to a system-wide location and create a symlink so chkrootkit is accessible from any path:

cd /tmp
sudo mv chkrootkit-*/ /usr/local/share/chkrootkit
sudo ln -sf /usr/local/share/chkrootkit/chkrootkit /usr/local/bin/chkrootkit

Confirm global access by running the version check from any directory:

chkrootkit -V
chkrootkit version 0.59

Run Chkrootkit Scans on Debian

Chkrootkit requires root privileges to inspect all system areas. Always run scans with sudo.

Run a Full Rootkit Scan with Chkrootkit

Run a complete scan that checks system binaries, kernel modules, network interfaces, and log files:

sudo chkrootkit

A clean system produces output like:

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `ifpromisc'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `netstat'... not infected
Checking `ps'... not infected
Checking `sshd'... not infected

Each line reports “not infected”, “not found” (binary does not exist on this system), or “INFECTED” when a rootkit signature is detected.

For a condensed view that only shows problems, use quiet mode:

sudo chkrootkit -q

No output in quiet mode means no infections were found. Any output indicates items that need investigation.

Advanced Chkrootkit Scanning Options

Run a specific test instead of a full scan by naming the test:

sudo chkrootkit wormscan

List all available tests:

chkrootkit -l

Skip NFS and other network-mounted filesystems with the -T flag (requires version 0.58 or later, available in Debian 13’s APT package and all source builds):

sudo chkrootkit -T

If you suspect system binaries are compromised, run chkrootkit using trusted binaries from an alternate path such as a live USB mount:

sudo chkrootkit -p /mnt/trusted/bin

View all available flags and options:

chkrootkit -h

Configure Automatic Chkrootkit Scans on Debian

APT-Installed: Enable Daily Scans via Configuration File

The APT package on Debian 12 and 13 ships a configuration file and a cron.daily script that runs chkrootkit automatically. Open the configuration file to confirm daily scans are enabled:

sudo nano /etc/chkrootkit/chkrootkit.conf

Verify the RUN_DAILY value is set to "true":

RUN_DAILY="true"

Save the file with Ctrl+O, then exit with Ctrl+X. The /etc/cron.daily/chkrootkit script handles the rest, running a quiet scan each day and logging results to syslog.

Debian 11 users: The /etc/chkrootkit/chkrootkit.conf file does not exist on Debian 11 (Bullseye). The APT package provides only the /etc/cron.daily/chkrootkit script, which runs daily by default with no additional configuration needed. Scan results appear in /var/log/syslog.

Source-Installed: Create a Cron Job for Chkrootkit

Source installations do not include a cron configuration. Create a cron job to run chkrootkit daily and log results:

sudo crontab -e

Add the following line to run a quiet scan at 3:00 AM and append results to a log file:

0 3 * * * /usr/local/bin/chkrootkit -q 2>&1 | tee -a /var/log/chkrootkit.log

Verify the cron entry was saved:

sudo crontab -l
0 3 * * * /usr/local/bin/chkrootkit -q 2>&1 | tee -a /var/log/chkrootkit.log

To receive scan results by email instead, replace the tee command with mail -s "chkrootkit scan" root. This requires the mailutils package (sudo apt install mailutils).
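The plain tee line works, but the log it writes has no timestamps, and on a clean night quiet mode prints nothing, so the log cannot tell a clean run from a job that never ran. The wrapper below is an added example (not part of this guide or of the chkrootkit project) that runs the same quiet scan, classifies each output line using the exact tokens chkrootkit prints in the sample outputs above (INFECTED, Warning, "process hidden"), appends a dated record to the log whether or not anything was found, and prints the findings to stdout only when something needs attention, so cron mails them to MAILTO and the non-zero exit can be picked up by monitoring. It assumes the /usr/local/bin/chkrootkit symlink from the source install and the /var/log/chkrootkit.log path from the cron line above; the script name /usr/local/sbin/chkrootkit-daily.sh is hypothetical.

```shell
#!/bin/bash
# chkrootkit-daily.sh (hypothetical name): cron wrapper around `chkrootkit -q`.
# Added example, not part of the chkrootkit project. Assumed paths:
#   CHKROOTKIT = the symlink created by the source install above
#   LOGFILE    = the log file used by the cron line above
CHKROOTKIT="${CHKROOTKIT:-/usr/local/bin/chkrootkit}"
LOGFILE="${LOGFILE:-/var/log/chkrootkit.log}"

# classify_line LINE: print INFECTED, WARNING or INFO for one line of scan output.
# "INFECTED" is chkrootkit's positive match; "Warning:" and "hidden" cover the
# chkproc/lkm style messages ("You have N process hidden ..."). Matching is
# case-sensitive, so the normal "not infected" lines stay INFO.
classify_line() {
    case "$1" in
        *INFECTED*)         echo INFECTED ;;
        *Warning*|*hidden*) echo WARNING ;;
        *)                  echo INFO ;;
    esac
}

# summarize_scan: read scan output on stdin, print "infected=N warning=N other=N"
# and return 1 when at least one INFECTED or WARNING line was seen.
summarize_scan() {
    local infected=0 warning=0 other=0 line
    while IFS= read -r line; do
        if [ -z "$line" ]; then continue; fi
        case "$(classify_line "$line")" in
            INFECTED) infected=$((infected + 1)) ;;
            WARNING)  warning=$((warning + 1)) ;;
            *)        other=$((other + 1)) ;;
        esac
    done
    echo "infected=$infected warning=$warning other=$other"
    [ $((infected + warning)) -eq 0 ]
}

# run_daily_scan: cron entry point. In quiet mode a clean system prints nothing,
# so an empty capture is the expected good case; any output at all (including a
# failure to run the binary, captured via 2>&1) is logged line by line, echoed
# to stdout for cron's mail, and reported through a non-zero exit status.
run_daily_scan() {
    local stamp output summary status=0
    stamp=$(date '+%Y-%m-%dT%H:%M:%S')
    output=$("$CHKROOTKIT" -q 2>&1) || true
    summary=$(printf '%s\n' "$output" | summarize_scan) || status=1
    if [ -n "$output" ]; then status=1; fi
    {
        echo "[$stamp] chkrootkit -q finished: $summary status=$status"
        if [ -n "$output" ]; then
            printf '%s\n' "$output" | sed "s/^/[$stamp]   /"
        fi
    } >> "$LOGFILE"
    if [ "$status" -ne 0 ]; then
        echo "chkrootkit findings on $(hostname) at $stamp ($summary):"
        printf '%s\n' "$output"
        echo "Verify flagged binaries with 'debsums -c' before acting on them."
    fi
    return "$status"
}

# Constructed sample (not real scan output from any host) for a dry run of the
# classifier; cron never calls this function.
sample_infected_output() {
    cat <<'EOF'
Checking `ls'... INFECTED
Checking `netstat'... INFECTED
Checking `lkm'... You have 2 process hidden for readdir command
EOF
}

# Cron entry point, e.g.: 0 3 * * * /usr/local/sbin/chkrootkit-daily.sh --run
case "${1:-}" in
    --run) run_daily_scan ;;
esac
```

Install it with chmod +x, then use `0 3 * * * /usr/local/sbin/chkrootkit-daily.sh --run` in root's crontab in place of the tee line; with MAILTO set in the crontab, cron delivers the findings block on the nights the exit status is non-zero and stays silent otherwise, which is the behaviour the mail -s variant above gives you, plus a dated log line for every run.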

Update Chkrootkit Source Installation on Debian

The APT package receives updates through sudo apt upgrade. For source installations, use the following update script to download and compile the latest release automatically.

Create the script:

nano ~/update-chkrootkit.sh

Add the following content:

#!/bin/bash
# Update script for source-compiled chkrootkit
# Downloads the latest release from the official FTP server

set -euo pipefail

# Verify required tools are installed
for cmd in wget make cc; do
    if ! command -v "$cmd" &>/dev/null; then
        echo "Error: $cmd is not installed. Run: sudo apt install build-essential wget"
        exit 1
    fi
done

INSTALL_DIR="/usr/local/share/chkrootkit"
SYMLINK="/usr/local/bin/chkrootkit"
FTP_URL="ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz"
BUILD_DIR="/tmp/chkrootkit-update-$$"

# Show current version
CURRENT=$("$SYMLINK" -V 2>/dev/null || echo "not installed")
echo "Current installed version: $CURRENT"
echo ""

# Download latest source
echo "Downloading latest chkrootkit source..."
mkdir -p "$BUILD_DIR"
cd "$BUILD_DIR"
wget -q "$FTP_URL" -O chkrootkit.tar.gz
tar -xzf chkrootkit.tar.gz
cd chkrootkit-*/

# Check downloaded version: read it from the version variable inside the
# chkrootkit script (accepts single or double quotes), falling back to
# running the freshly unpacked script with -V
LATEST=$(sed -n "s/^CHKROOTKIT_VERSION=['\"]\{0,1\}\([^'\"]*\).*/\1/p" chkrootkit | head -1)
[ -n "$LATEST" ] || LATEST=$(./chkrootkit -V 2>/dev/null | awk '{print $NF}')
echo "Latest available version: $LATEST"
echo ""

# Prompt for confirmation
read -rp "Continue with update? (y/n) " CONFIRM
if [[ "$CONFIRM" != "y" ]]; then
    echo "Update cancelled."
    rm -rf "$BUILD_DIR"
    exit 0
fi

# Compile
echo "Compiling chkrootkit..."
make sense

# Install
echo "Installing chkrootkit (requires sudo password)..."
sudo rm -rf "$INSTALL_DIR"
cd ..
sudo mv chkrootkit-*/ "$INSTALL_DIR"
sudo ln -sf "$INSTALL_DIR/chkrootkit" "$SYMLINK"

# Verify
echo ""
echo "Update complete!"
"$SYMLINK" -V

# Cleanup
rm -rf "$BUILD_DIR"

Save the file with Ctrl+O, then exit with Ctrl+X. Make the script executable and run it:

chmod +x ~/update-chkrootkit.sh
~/update-chkrootkit.sh

Expected output:

Current installed version: chkrootkit version 0.59

Downloading latest chkrootkit source...
Latest available version: 0.59

Continue with update? (y/n) y

Compiling chkrootkit...
Installing chkrootkit (requires sudo password)...
[sudo] password for user: 

Update complete!
chkrootkit version 0.59

The script shows the currently installed version alongside the latest available version, asks for confirmation before proceeding, and displays progress throughout the update. Run it manually when you want to check for new releases rather than scheduling it with cron: source builds can introduce breaking changes or compilation failures that require user intervention to resolve.

Troubleshoot Chkrootkit on Debian

Chkrootkit False Positives

Chkrootkit occasionally reports false positives. Common causes include:

  • bindshell test: Software like PortSentry or klaxon that binds to unused ports can cause chkrootkit to flag ports like 1524/tcp, 31337/tcp, or 27374/tcp as suspicious. This is expected behavior, not an infection.
  • suckit test: Short-lived processes created and killed during the scan trigger false positives because chkproc compares ps output with /proc contents.
  • Suspicious files: Files like .packlist or .cvsignore are legitimate development artifacts that chkrootkit flags due to naming patterns.

Example false positive output:

Checking `bindshell'... INFECTED (PORTS: 31337)
Checking `suckit'... Warning: /sbin/init INFECTED

To verify whether a flagged binary was actually modified, check its integrity against the original package using debsums:

sudo apt install debsums
sudo debsums -c

No output from debsums -c means all installed packages match their original checksums, confirming a false positive. If modified files exist, debsums reports them:

debsums: changed file /usr/bin/suspicious-binary (from package-name)

For deeper analysis, use expert mode to examine the strings chkrootkit found suspicious:

sudo chkrootkit -x | more

Respond to INFECTED Results in Chkrootkit

If chkrootkit reports a genuine infection across multiple binaries, the output looks like:

Checking `ls'... INFECTED
Checking `netstat'... INFECTED
Checking `ps'... INFECTED
Checking `lkm'... You have 2 process hidden for readdir command

Take these steps immediately:

  1. Disconnect the system from the network
  2. Boot from a live USB and run chkrootkit against the mounted filesystem with chkrootkit -r /mnt
  3. Compare suspect binaries against known-good copies or reinstall the affected packages
  4. Review logs in /var/log for signs of unauthorized access
  5. Consider a full system reinstall if the compromise is confirmed

Fix Chkrootkit Compilation Errors

If make sense fails with a missing header error:

chkproc.c:1:10: fatal error: linux/sched.h: No such file or directory
 #include <linux/sched.h>
          ^~~~~~~~~~~~~~~
compilation terminated.

Install the kernel headers for your running kernel, then retry the build:

sudo apt install linux-headers-$(uname -r)
make sense

Verify the build succeeded by checking the version:

./chkrootkit -V

Remove Chkrootkit from Debian

Remove APT-Installed Chkrootkit

Remove the package and its configuration files using purge, then clean up orphaned dependencies:

sudo apt purge chkrootkit
sudo apt autoremove

The purge option removes configuration files in /etc/chkrootkit/ (Debian 12/13) and the daily cron script. On Debian 11, it removes the cron script at /etc/cron.daily/chkrootkit.

Remove Source-Compiled Chkrootkit

Remove the installed files and symlink:

sudo rm -rf /usr/local/share/chkrootkit
sudo rm -f /usr/local/bin/chkrootkit

If you created a cron job for automated scanning, remove it:

sudo crontab -e

Delete the chkrootkit line, save, and exit. Remove the update script if you created one:

rm -f ~/update-chkrootkit.sh

Verify chkrootkit is no longer accessible:

chkrootkit -V
bash: chkrootkit: command not found

Complementary Security Tools for Debian

Chkrootkit works best as part of a layered security approach. Consider combining it with Tripwire for file integrity monitoring, Fail2ban for brute-force protection, UFW or Firewalld for firewall management, proper SSH hardening, and ModSecurity for web application firewall protection. For network auditing, Nmap helps identify open ports and services. To keep your system patched automatically, configure unattended upgrades on Debian. Create regular system snapshots with Timeshift so you can roll back if a compromise requires recovery.

What is the difference between chkrootkit and rkhunter?

Both scan for rootkits, but they use different signature databases and detection methods. Chkrootkit focuses on checking system binaries and network interfaces using string matching, while rkhunter performs additional checks like file property comparisons, startup file analysis, and listening port scans. Running both tools provides broader detection coverage since each may catch threats the other misses.

Does chkrootkit detect modern threats like XZ Backdoor or Bootkitty?

Version 0.59 (source only) includes detection for XZ Backdoor (CVE-2024-3094), Bootkitty UEFI bootkits, and processes executing from memory. The Debian APT packages (0.54 through 0.58b) do not include these newer checks. Compile from source if you need detection for these specific threats.

Why does chkrootkit report false positives on a clean system?

Chkrootkit uses signature-based detection that can match legitimate software patterns. Common false positives include the bindshell test flagging security tools like PortSentry that intentionally bind to honeypot ports, and the suckit test triggering on short-lived processes. Verify flagged binaries with debsums -c to confirm they match the original package checksums.

Can chkrootkit detect rootkits on a compromised system?

If system binaries are already compromised, a rootkit may manipulate chkrootkit results. For reliable detection on a suspected compromise, boot from a live USB and run chkrootkit against the mounted filesystem using chkrootkit -r /mnt, or use the -p flag to specify trusted binaries from clean media.

Conclusion

You now have chkrootkit installed on Debian with automated daily scanning configured and the knowledge to interpret scan results. For ongoing rootkit detection, keep the package updated through apt upgrade or the source update script, investigate any “INFECTED” output promptly using debsums for verification, and combine chkrootkit with firewall rules and intrusion prevention tools like Fail2ban for comprehensive system security.
