How to Install Chkrootkit on Ubuntu Linux

Chkrootkit looks for the traces that rootkits, worms and trojans leave on a Linux host: files and directories belonging to roughly 70 known rootkits, modified system binaries, network interfaces left in promiscuous mode, processes hidden from ps, and deleted entries in wtmp and lastlog. It is a shell script backed by a few small C helpers (chkproc, chklastlog, chkwtmp, ifpromisc and others), has been maintained since 1997, and is light enough to run on any distribution with negligible overhead. It complements rather than replaces tools such as ClamAV and rkhunter, and, like any scanner that runs on a possibly compromised host, it can be blinded by a kernel-level rootkit, so treat a clean report as one data point rather than proof of integrity.

This guide shows you how to install Chkrootkit on Ubuntu through APT repositories or source builds, configure automatic daily scans, and run manual security checks to detect potential compromises.

Chkrootkit Installation Requirements

Chkrootkit installs on any supported Ubuntu release. You need internet access for the download, an account that can use sudo, and under 10 MB of disk space; the scanner has no other notable resource requirements.

Method 1: Install Chkrootkit via Ubuntu’s Default Repository

Verify Chkrootkit Installation Status

Before proceeding with the installation, confirm whether Chkrootkit already exists on your system:

chkrootkit -V

If the command prints a version string, the package is already installed and you can skip to the scanning section. A “command not found” error means you should continue with the installation steps below.

Update System Package Lists

Before installing Chkrootkit, update the package lists on your system to ensure you have the latest information about available packages. First, open a terminal and run the following command:

sudo apt update

This command fetches the latest package information from the repositories so that APT installs the newest chkrootkit build available to your release without modifying the rest of your system.

Install Chkrootkit via APT Command

Once your system is updated, install Chkrootkit using the APT package manager with the following command:

sudo apt install chkrootkit

This installs the Chkrootkit package along with the necessary tools and scripts to detect rootkits on your system.

During installation you may be asked to configure a mail server (Postfix or similar), because the package pulls in mail utilities so that the daily cron job can mail its report to root. You can select “No configuration” (or press Tab to highlight “OK”) and continue; manual scans with sudo chkrootkit do not need mail at all. Bear in mind, though, that without a working local mail transport the output of the automatic daily scan has nowhere to go, so if you rely on that scan you will need another way of reading its results, such as a wrapper that writes to a log file.

Alternatively, install Chkrootkit without interactive prompts using the non-interactive mode:

sudo DEBIAN_FRONTEND=noninteractive apt install -y chkrootkit

This method skips all configuration dialogs and installs with default settings, which is ideal for automated deployments or when you want to avoid mail server setup entirely.

Confirm Chkrootkit Installation and Version

After installation, verify the installation was successful by running the version command:

chkrootkit -V

Method 2: Install Chkrootkit via Source Archive

Download the Chkrootkit Source Code

Alternatively, users who want the latest release can download the source archive from the official site. Change to a working directory and run:

wget ftp://chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz

Plain FTP gives you no transport integrity, so prefer the HTTPS download if the site offers one, and if the project publishes a checksum or signature for the release, compare the archive against it before extracting.

Extract the Chkrootkit Source Archive

Once downloaded, extract the source code from the archive to access the files required for compilation:

tar -xvzf chkrootkit.tar.gz

Compile and Install Chkrootkit on Ubuntu

Before compiling, make sure the build tools are present. The build-essential metapackage already pulls in gcc and make, so it is sufficient on its own:

sudo apt install build-essential

Once the build tools are installed, navigate to the extracted Chkrootkit directory and compile the source code:

cd chkrootkit-{your-version-number}
make sense

This builds the C helper programs (chkproc, chklastlog, chkwtmp, ifpromisc and the rest) that the chkrootkit shell script calls. Chkrootkit itself is a script and needs no compilation.

Confirm Chkrootkit Installation and Version

After compilation, verify the installation by running the Chkrootkit command in the terminal:

./chkrootkit -V

Make Chkrootkit Globally Accessible

To run Chkrootkit from anywhere on the system, move the build directory to a standard location and create a symbolic link to the script.

Move Chkrootkit to Standard System Directory

After compiling Chkrootkit, move the directory to /usr/local/share for better organization. Ensure you are in the parent directory of chkrootkit-{your-version-number}, then execute:

sudo mv chkrootkit-{your-version-number} /usr/local/share/chkrootkit

This keeps the script and its compiled helpers together under a standard location for shared application data.

Create Symbolic Link for Global Access

Next, create a symbolic link in /usr/local/bin to run Chkrootkit from anywhere without navigating to its directory:

sudo ln -s /usr/local/share/chkrootkit/chkrootkit /usr/local/bin/chkrootkit

This creates a symbolic link pointing at the chkrootkit script in /usr/local/share/chkrootkit. The helpers built by make sense stay in that directory; if a scan later reports not tested: can't exec ./chkproc (or a similar helper), the script typically could not locate them from your current directory, and running it from /usr/local/share/chkrootkit resolves that.

Verify Global Accessibility

Finally, test that Chkrootkit is globally accessible by checking its version from any directory:

chkrootkit -V

Running Security Scans with Chkrootkit

Run a Comprehensive System Scan

Once Chkrootkit is installed, scan your system to detect any rootkits by running:

sudo chkrootkit

This runs every test against the live system and reports on rootkit files, modified binaries, promiscuous interfaces, hidden processes and tampered login records. For output limited to the lines that indicate a problem, use quiet mode:

sudo chkrootkit -q

Because a kernel-level rootkit can lie to every userland tool, the most trustworthy scan of a suspect machine is done from a clean system: boot from known-good media, mount the suspect root filesystem read-only, and point chkrootkit at it with the -r option (for example -r /mnt/suspect), which makes the scan treat that directory as the root.

Configure Automatic Daily Scanning

To keep a daily scan running, enable the cron job that the APT package ships. Open the package's configuration file (on older Ubuntu releases it lives at /etc/chkrootkit.conf instead):

sudo nano /etc/chkrootkit/chkrootkit.conf

Find the RUN_DAILY line and set it to "true". The Debian packaging ships it disabled, so this is not on by default:

RUN_DAILY="true"
RUN_DAILY_OPTS="-q"

RUN_DAILY_OPTS holds the flags passed to the daily run (quiet mode by default). The same file offers DIFF_MODE="true", which mails only the difference from a saved expected output instead of the full report; that becomes useful once you have reviewed a baseline and want to hear only about changes. Save with CTRL+O and exit with CTRL+X. The report is delivered by local mail to root, so an MTA must be configured for it to arrive.

View Available Chkrootkit Commands and Options

To explore the full range of Chkrootkit commands and options, access the help menu:

chkrootkit -h

Alternatively, access the comprehensive manual page:

man chkrootkit

Understanding Chkrootkit Scan Output

Chkrootkit reports findings using specific status messages that indicate the security state of each checked component. Therefore, understanding these messages helps you distinguish genuine threats from false alarms and determine when further investigation is needed.

Common Status Messages and Their Meanings

Each scan produces status messages for tested components. The most common outputs include:

  • INFECTED: the check matched a known rootkit signature or a modified binary. Investigate immediately: establish which package owns the file, compare its checksum, and look at the file or process in context before acting.
  • not infected: the binary was checked and matched nothing suspicious. This is the normal result for the binary checks.
  • not found: the binary chkrootkit wanted to inspect does not exist on this system, which is expected for services you do not run.
  • nothing found: a search for a particular rootkit's files, directories or worm traces turned up nothing.
  • not tested: the check was skipped, typically because a helper program could not be executed, the test needs root, or it does not apply to this system.
  • Warning: lines from the helper programs (for example chkproc reporting a possible LKM trojan) deserve a look but are prone to false positives on busy systems, where a process can exit between the helper's two views of the process table; rerun the scan and compare before escalating.

When to Investigate INFECTED Findings

Chkrootkit occasionally reports false positives, particularly for legitimate system utilities that behave similarly to rootkit tools. Common false positives include /usr/sbin/unhide.rb (part of the unhide package) and .lwp-request (Perl web client). Therefore, before assuming a compromise, verify findings through multiple methods:

  • Check file package ownership with dpkg -S /path/to/file to confirm it belongs to a legitimate Ubuntu package
  • Compare file hashes against known-good systems or package repositories using debsums
  • Review file timestamps and permissions for unexpected modifications
  • Cross-reference findings with other security tools like ClamAV or rkhunter

If your system does not already include debsums, install it before comparing package checksums:

sudo apt install debsums

Furthermore, if multiple indicators point to compromise, isolate the system from the network immediately, preserve logs for forensic analysis, and consider a clean reinstallation from verified media.

Troubleshooting Common Issues

Handling False Positive Detections

Chkrootkit routinely lists /usr/sbin/unhide.rb and a .lwp-request file among its “suspicious files and dirs”, because one is a script and the other a hidden file in locations it treats as unusual. Before dismissing the warning, confirm the files belong to installed packages:

dpkg -S /usr/sbin/unhide.rb
dpkg -S $(which lwp-request)

The first should report the unhide package. The second only confirms that libwww-perl is installed; to check the hidden file itself, run dpkg -S on the exact path chkrootkit printed. A reply of “no path found matching pattern” means no installed package ships that file, which turns a probable false positive into something worth investigating. For unattended runs, filter the quiet-mode output through a list of verified-benign paths before anything is mailed, so that only new findings reach you.

Resolving Permission Errors During Scans

Chkrootkit requires root privileges to access system directories and inspect running processes. Therefore, if you encounter permission denied errors, ensure you run the scan with sudo:

sudo chkrootkit

Additionally, for automated daily scans, verify the cron job runs as root by checking /etc/cron.daily/chkrootkit permissions and ownership. The script should be owned by root with executable permissions.

Fixing Missing Build Dependencies for Source Installation

When compiling from source, missing build tools produce compilation errors, so install the build-essential metapackage (which includes gcc and make) before running make sense:

sudo apt install build-essential

If compilation still fails, check that the archive extracted completely and that you are in the directory containing the Makefile. The build writes its object files into that directory, so it needs write access and some free space there.

Managing Scan Performance on Large Systems

On systems with extensive filesystems or numerous running processes, full scans can take several minutes and generate substantial output. Redirect results to a file for easier analysis:

sudo chkrootkit | tee ~/chkrootkit-scan-$(date +%Y%m%d).log

This saves the full output while still displaying it in the terminal. You can then search the saved logs for problem lines without rerunning the scan:

grep -E 'INFECTED|Warning' ~/chkrootkit-scan-*.log
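The two previous sections both lead to the same need: an unattended scan whose output is first stripped of findings you have already verified as benign, and then compared against a reviewed baseline so that only new lines are reported. The script below is an added example, not code from chkrootkit or the Ubuntu package. It defines its own allowlist format (one extended regex per line, with # comments) and baseline format (the filtered output of an earlier run that a person reviewed); both are this example's assumptions. The sample scan lines it feeds itself are constructed for the demonstration, including the INFECTED line, and it never calls chkrootkit; in real use you pipe sudo chkrootkit -q into it.

```shell
#!/bin/sh
# Added example, not part of chkrootkit or the Ubuntu package. It post-processes
# the output of an unattended `chkrootkit -q` run in two stages:
#   1. drop lines matching an allowlist of findings already verified as benign
#      (one extended regex per line; '#' comments allowed);
#   2. print only lines absent from a baseline file, i.e. the filtered output
#      of an earlier run that a human reviewed.
# Both file formats are this script's own convention, not chkrootkit's.
# Real use (not executed here):
#   sudo chkrootkit -q | sh chkrootkit-review.sh allow.txt baseline.txt

# filter_findings ALLOWLIST
#   stdin: raw scan output; stdout: non-blank lines matched by no allowlist regex
filter_findings() {
    allow="$1"
    patterns=$(mktemp)
    # an unreadable or comment-only allowlist means "filter nothing"
    if [ -r "$allow" ]; then
        grep -v -e '^#' -e '^[[:space:]]*$' "$allow" > "$patterns" || true
    fi
    if [ -s "$patterns" ]; then
        grep -v '^[[:space:]]*$' | grep -Ev -f "$patterns" || true
    else
        grep -v '^[[:space:]]*$' || true
    fi
    rm -f "$patterns"
}

# new_findings ALLOWLIST BASELINE
#   stdin: raw scan output; stdout: filtered lines absent from BASELINE
#   exit status 0 when nothing is new, 1 when there is something to look at,
#   so a cron wrapper can mail or log only on failure
new_findings() {
    filtered=$(mktemp)
    filter_findings "$1" > "$filtered"
    if [ -s "$2" ]; then
        fresh=$(grep -Fxv -f "$2" "$filtered" || true)
    else
        fresh=$(cat "$filtered")   # no baseline yet: everything is new
    fi
    rm -f "$filtered"
    [ -n "$fresh" ] || return 0
    printf '%s\n' "$fresh"
    return 1
}

# sample_scan: constructed lines in the shape of quiet-mode findings. The
# INFECTED line is fabricated for the demonstration, not a real detection.
sample_scan() {
    printf '%s\n' \
        '/usr/sbin/unhide.rb' \
        '/opt/example/.lwp-request' \
        '/usr/lib/debug/.build-id' \
        'Checking `ls'\''... INFECTED' \
        ''
}

# demo_run: build a constructed allowlist and baseline in a temp dir, push the
# sample through new_findings and return its status (1 = new findings printed)
demo_run() {
    work=$(mktemp -d)
    printf '%s\n' '# verified benign on this host' \
        '^/usr/sbin/unhide\.rb$' '/\.lwp-request$' > "$work/allow.txt"
    printf '%s\n' '/usr/lib/debug/.build-id' > "$work/baseline.txt"
    if sample_scan | new_findings "$work/allow.txt" "$work/baseline.txt"; then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return $status
}

if demo_run; then
    echo "nothing new since the reviewed baseline"
else
    echo "new findings above: triage them, then add verified-benign lines to the allowlist"
fi
```

Run from cron as root with the real scanner on stdin, and send mail (or append to a log) only when the exit status is 1. Once a finding has been verified benign, add a regex for it to the allowlist; the baseline is for lines you want to keep seeing in full reports but not be alerted about again.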

Investigating Suspicious Findings in Detail

When Chkrootkit reports INFECTED, gather context before concluding that the host is compromised. Check the file's metadata, establish which package owns it (dpkg -S, as above) and whether that package's checksums still match, and review the system logs:

ls -lah /path/to/suspicious/file
stat /path/to/suspicious/file
debsums -c packagename

Then cross-reference the modification time from stat with your shell history and the authentication records in /var/log/auth.log. If the file appeared during a known maintenance window, establish what was done in that window. For processes flagged as INFECTED, examine their command-line arguments and parent process tree with ps aux and pstree to determine whether they originate from legitimate system services.
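The checks in this section fit naturally into one triage script that runs them in order and, more importantly, handles the two outcomes that matter most: a path no installed package owns, and a package whose checksums no longer match. The script below is an added example, not chkrootkit's own code. It assumes an Ubuntu host with dpkg, debsums and GNU coreutils (realpath, stat, date), and a traditional-format /var/log/auth.log whose lines start with "Mon DD HH:MM:SS"; its parse_dpkg_owner helper is this example's own. The dpkg -S result lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code: first-pass triage of a path that a
# scan reported. It collects the evidence the text above asks for in one place:
# file metadata, the owning package (dpkg -S), that package's checksum status
# (debsums -c) and the auth.log lines from the day the file last changed.
# An unowned file or a checksum mismatch is a far stronger signal than the
# report line itself. Assumptions: Ubuntu with dpkg, debsums and coreutils,
# and a traditional-format /var/log/auth.log ("Mon DD HH:MM:SS ...").
# Usage:  sudo sh triage.sh /path/chkrootkit/reported

# parse_dpkg_owner LINE
#   turn one `dpkg -S` result line into the package list in front of the path:
#     "unhide: /usr/sbin/unhide.rb"  -> "unhide"
#     "libc6:amd64: /usr/lib/..."    -> "libc6:amd64" (the :arch tag is kept)
#     "pkg1, pkg2: /usr/share/x"     -> "pkg1, pkg2"
#   anything without ": /" (empty line, "no path found" message) -> UNOWNED
parse_dpkg_owner() {
    case "$1" in
        *': /'*) printf '%s\n' "${1%%: /*}" ;;
        *)       printf '%s\n' UNOWNED ;;
    esac
}

# owner_of PATH : print the owning package(s) or UNOWNED; exit 1 when unowned.
#   dpkg -S is asked for the canonical path, because on merged-/usr systems the
#   package ships /usr/bin/ls while chkrootkit may have printed /bin/ls.
owner_of() {
    real=$(realpath -e "$1") || return 1
    line=$(dpkg -S "$real" 2>/dev/null | head -n 1)
    owner=$(parse_dpkg_owner "$line")
    printf '%s\n' "$owner"
    [ "$owner" != UNOWNED ]
}

# triage PATH : print everything a reviewer needs before calling it a compromise
triage() {
    target=$(realpath -e "$1" 2>/dev/null) || { echo "no such path: $1" >&2; return 2; }
    echo "== metadata for $target"
    # mtime can be backdated with touch, ctime cannot be set from userland, so a
    # ctime far newer than the mtime is a classic sign of a planted file
    stat "$target"
    echo "== package owner"
    if owner=$(owner_of "$target"); then
        echo "$owner"
        pkg=${owner%%,*}    # first package in the list
        pkg=${pkg%%:*}      # drop the :arch qualifier for debsums
        echo "== checksum status of $pkg (only mismatching files are listed)"
        debsums -c "$pkg" || echo "debsums reported a problem with $pkg (mismatch or missing md5sums); inspect the output above"
    else
        echo "UNOWNED: no installed package ships $target; treat it as untrusted"
    fi
    echo "== auth.log entries from the day of the last modification"
    day=$(date -r "$target" '+%b %e')
    grep -F "$day" /var/log/auth.log 2>/dev/null | tail -n 20 || true
}

if [ $# -gt 0 ]; then
    triage "$1"
else
    echo "usage: $0 /path/reported/by/chkrootkit" >&2
fi
```

Run it as root so that stat and auth.log are readable. The UNOWNED branch is the one to take seriously: a hidden file or binary that no package claims has no legitimate provenance on a stock Ubuntu system and should be preserved (copy it with its metadata) before anything else is touched.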

Conclusion

Chkrootkit gives you a quick, low-overhead check for the traces known rootkits leave behind. Daily automated scans provide a steady baseline, while manual checks verify system integrity after suspicious behaviour or before production deployments. Layer it with ClamAV scanning, AppArmor profiles and a firewall for defence in depth, and remember that a scanner running on the host it is checking can be deceived by a kernel-level rootkit, so an offline scan from clean media is the final word when a compromise is suspected.

Useful Links

Here are some valuable links related to using chkrootkit:

  • chkrootkit Official Website: Visit the official chkrootkit website for information about the tool, its features, and latest updates.
  • chkrootkit Books: Explore books and resources related to chkrootkit for in-depth understanding and advanced usage.
  • chkrootkit GitHub Repository: Access the chkrootkit GitHub repository to view the source code, report issues, and contribute to the development.

2 thoughts on “How to Install Chkrootkit on Ubuntu Linux”

    • Hi Jo,

      Thanks for the feedback. The mail server configuration prompt appears because chkrootkit installs mailutils or a similar package as a dependency to send security alerts. You don’t need to configure email to use chkrootkit for manual scans.

      Skip the mail configuration by selecting “No configuration” when prompted, or press Tab to highlight “OK” and continue without setting up a mail server. You can run manual scans with sudo chkrootkit and view results directly in your terminal without any email setup.

      To avoid the mail configuration prompts entirely during installation, use:

      sudo DEBIAN_FRONTEND=noninteractive apt-get install -y chkrootkit

      This installs chkrootkit without interactive prompts. The guide has been updated to clarify this behavior in the installation section.

