How to Install Chkrootkit on Ubuntu (26.04, 24.04, 22.04)

Chkrootkit detects rootkits, worms, and trojans on Linux systems through signature-based scanning and behavioral analysis. Maintained since 1997, this open-source security tool scans for dozens of known rootkit signatures, checks for suspicious kernel modules, and identifies hidden processes or modified system binaries. The lightweight scanner runs on any Linux distribution without impacting system performance and complements other security tools like ClamAV for comprehensive system protection.

This guide shows you how to install Chkrootkit on Ubuntu through APT repositories or source compilation, configure automatic daily scans, run manual security checks to detect potential compromises, and remove the software when no longer needed.

Chkrootkit Installation Requirements

Chkrootkit runs on any Ubuntu system with an internet connection for downloads. All commands require sudo privileges, and the tool uses minimal resources with less than 10MB disk space required for installation.

Chkrootkit Installation Methods Comparison

Ubuntu provides two installation paths for Chkrootkit, each with different trade-offs between convenience and version recency:

Method	Version	Best For	Update Path
APT Repository	0.55 (22.04) / 0.58b (24.04/26.04)	Most users; automatic updates via APT	sudo apt upgrade
Source Compilation	0.59 (latest)	Users needing newest rootkit signatures	Manual re-download and compile

This guide covers Ubuntu 26.04 LTS, 24.04 LTS, and 22.04 LTS. Ubuntu 22.04 ships with an older chkrootkit version (0.55) that lacks some newer rootkit detections present in version 0.58b and later. If you need the latest signatures, consider the source compilation method which provides version 0.59. Commands shown work identically across all supported LTS releases.

Method 1: Install Chkrootkit via Ubuntu’s Default Repository

Verify Chkrootkit Installation Status

Before proceeding with the installation, confirm whether Chkrootkit already exists on your system:

chkrootkit -V

If the command returns a version number, the package is already installed and you can skip to the scanning section. However, a command not found response means you can proceed with the installation steps below.

Update System Package Lists

Before installing Chkrootkit, update the package lists on your system to ensure you have the latest information about available packages. First, open a terminal and run the following command:

sudo apt update

This command fetches the latest package information from the repositories so that APT installs the newest chkrootkit build available to your release without modifying the rest of your system.

Install Chkrootkit via APT Command

Once your system is updated, install Chkrootkit using the APT package manager with the following command:

sudo apt install chkrootkit

This installs the Chkrootkit package along with the necessary tools and scripts to detect rootkits on your system.

During installation, you may see prompts to configure a mail server (Postfix or similar) since chkrootkit installs mail utilities as dependencies for sending automated security alerts. You can safely select “No configuration” or press Tab to highlight “OK” and continue without setting up email. Manual scans with sudo chkrootkit work perfectly without any mail configuration.

Alternatively, install Chkrootkit without interactive prompts using the non-interactive mode:

sudo DEBIAN_FRONTEND=noninteractive apt install -y chkrootkit

This method skips all configuration dialogs and installs with default settings, which is ideal for automated deployments or when you want to avoid mail server setup entirely.

Confirm Chkrootkit Installation and Version

After installation, verify the installation was successful by running the version command:

chkrootkit -V

The output confirms the installed version:

chkrootkit version 0.58b

Ubuntu 22.04 users will see version 0.55 instead, which is the version packaged for that release.

Method 2: Install Chkrootkit via Source Compilation

Install Build Dependencies

Before downloading, install the necessary build tools including GCC and the make utility:

sudo apt install gcc make build-essential wget

Download the Chkrootkit Source Code

Download the latest chkrootkit source archive from the official FTP server. Create a build directory and download the archive:

mkdir -p ~/chkrootkit-build && cd ~/chkrootkit-build
wget ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz

Extract the Chkrootkit Source Archive

Extract the source code archive:

tar -xvzf chkrootkit.tar.gz

This creates a versioned directory (for example, chkrootkit-0.59) containing the source files.

Compile Chkrootkit

Navigate to the extracted directory and compile the C programs. The directory name includes the version number, so use shell expansion to enter it:

cd chkrootkit-*/
make sense

The make sense target compiles all the helper binaries (chklastlog, chkwtmp, chkproc, and others) that chkrootkit uses to perform its checks:

cc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c
cc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c
cc  -o chkproc chkproc.c
cc  -o chkdirs chkdirs.c
cc  -o check_wtmpx check_wtmpx.c
cc -static  -o strings-static strings.c
cc  -o chkutmp chkutmp.c

Verify Local Compilation

After compilation, verify the build was successful by running chkrootkit from the current directory:

./chkrootkit -V

The output confirms the source version is newer than the APT package:

chkrootkit version 0.59

Make Chkrootkit Globally Accessible

To run chkrootkit from any directory, move the compiled installation to a system location and create a symbolic link. First, return to the build directory and move the chkrootkit folder:

cd ~/chkrootkit-build
sudo mv chkrootkit-*/ /usr/local/share/chkrootkit

Create a symbolic link in /usr/local/bin so you can run chkrootkit without specifying the full path:

sudo ln -sf /usr/local/share/chkrootkit/chkrootkit /usr/local/bin/chkrootkit

Verify Global Installation

Confirm chkrootkit is accessible from any directory:

chkrootkit -V

Expected output:

chkrootkit version 0.59

Running Security Scans with Chkrootkit

Run a Comprehensive System Scan

Once Chkrootkit is installed, scan your system to detect any rootkits by running:

sudo chkrootkit

This initiates a comprehensive scan of your system, searching for potential rootkits, worms, and trojans. Alternatively, for more concise output that displays only potential issues, use the quiet mode:

sudo chkrootkit -q

Configure Automatic Daily Scanning

To maintain continuous security monitoring, you can enable automatic daily scanning with the APT version of Chkrootkit. First, open the configuration file:

sudo nano /etc/chkrootkit/chkrootkit.conf

Once the file opens, locate the line containing RUN_DAILY and verify its value is set to true. The relevant section looks like this:

## Whether the daily cron job should run chkrootkit at all
# true/false, default: true
RUN_DAILY="true"

## Arguments to pass to chkrootkit (default: "").
# See chkrootkit(1) for details, but particularly useful are
#  "-q" (especially useful if you set DIFF_MODE=false above )
#  "-e" and "-s" (which are yet another way to hide output)
RUN_DAILY_OPTS=""

After confirming or modifying the setting, save the changes by pressing CTRL+O and exit the editor with CTRL+X.

To explore the available chkrootkit options, view the help menu:

chkrootkit -h

The help output displays all available flags:

Usage: /usr/sbin/chkrootkit [options] [test ...]
Options:
        -h                show this help and exit
        -V                show version information and exit
        -l                show available tests and exit
        -d                debug
        -q                quiet mode
        -x                expert mode
        -e 'FILE1 FILE2'  exclude files/dirs from results
        -s REGEXP         filter sniffer test results
        -r DIR            use DIR as the root directory
        -p DIR1:DIR2:DIRN path for external commands
        -n                skip NFS mount points
        -T FSTYPE         skip mount points of specified type

For more detailed documentation, access the manual page:

man chkrootkit

The manual page provides comprehensive documentation on all tests chkrootkit performs, command-line options, and detailed explanations of each check. Press q to exit the manual page viewer.

Understanding Chkrootkit Scan Output

Chkrootkit reports findings using specific status messages that indicate the security state of each checked component. Understanding these messages helps you distinguish genuine threats from false alarms and determine when further investigation is needed.

Common Status Messages and Their Meanings

Each scan produces status messages for tested components. The most common outputs include:

• INFECTED: The test detected a potential rootkit signature or suspicious modification. Investigate immediately by checking file hashes, reviewing process details, and comparing against clean baseline systems.
• not found: The tested file or process does not exist on your system. This is normal when scanning for rootkits that target specific services you don’t run.
• nothing found: The scan completed successfully without detecting suspicious activity. Your system passed this specific test.
• not tested: Chkrootkit skipped this check because required dependencies are missing or the test doesn’t apply to your system configuration.

When to Investigate INFECTED Findings

Chkrootkit occasionally reports false positives, particularly for legitimate system utilities that behave similarly to rootkit tools. Common false positives include /usr/sbin/unhide.rb (part of the unhide package) and .lwp-request (Perl web client). Before assuming a compromise, verify findings through multiple methods:

• Check file package ownership with dpkg -S /path/to/file to confirm it belongs to a legitimate Ubuntu package
• Compare file hashes against known-good systems or package repositories using debsums
• Review file timestamps and permissions for unexpected modifications
• Cross-reference findings with other security tools like ClamAV or rkhunter

If your system does not already include debsums, install it before comparing package checksums:

sudo apt install debsums

If multiple indicators point to compromise, isolate the system from the network immediately, preserve logs for forensic analysis, and consider a clean reinstallation from verified media.

Troubleshooting Common Issues

Handling False Positive Detections

Chkrootkit frequently flags /usr/sbin/unhide.rb and .lwp-request as INFECTED due to their behavioral similarity to rootkit tools. Verify these files belong to legitimate packages before dismissing the warnings:

dpkg -S /usr/sbin/unhide.rb
dpkg -S $(which lwp-request)

If the output shows these files belong to the unhide or libwww-perl packages respectively, the detection is a false positive. For persistent false positives in automated scans, consider using the quiet mode with grep filters to exclude known-safe items from alert emails.

Resolving Permission Errors During Scans

Chkrootkit requires root privileges to access system directories and inspect running processes. If you encounter permission denied errors, run the scan with sudo:

sudo chkrootkit

For automated daily scans, verify the cron job runs as root by checking /etc/cron.daily/chkrootkit permissions and ownership. The script should be owned by root with executable permissions.

Fixing Missing Build Dependencies for Source Installation

When compiling from source, missing build tools produce compilation errors. Install all required dependencies before running make sense:

sudo apt install gcc make build-essential

If compilation still fails, check that you extracted the archive completely and are in the correct directory containing the Makefile. Verify you have sufficient disk space in /tmp for temporary build files.

Managing Scan Performance on Large Systems

On systems with extensive filesystems or numerous running processes, full scans can take several minutes and generate substantial output. Redirect results to a file for easier analysis:

sudo chkrootkit | tee ~/chkrootkit-scan-$(date +%Y%m%d).log

This saves the complete scan output while displaying it in your terminal. You can then search the log file for INFECTED findings without re-running the scan:

grep INFECTED ~/chkrootkit-scan-*.log

Investigating Suspicious Findings in Detail

When Chkrootkit reports INFECTED status, you should gather additional context before concluding a compromise occurred. Check file metadata, compare checksums, and review system logs:

ls -lah /path/to/suspicious/file
stat /path/to/suspicious/file
debsums -c packagename

Next, cross-reference the file modification time with your system’s command history and authentication logs in /var/log/auth.log. If the suspicious file appeared during a known maintenance window, investigate what actions occurred during that period. For processes flagged as INFECTED, examine their command-line arguments and parent process tree with ps aux and pstree to determine if they originated from legitimate system services.

Update Chkrootkit Source Installation

If you installed chkrootkit from source, you need to manually update it when new versions are released. The following script automates this process by downloading the latest source, compiling it, and replacing your existing installation:

cat <<'EOF' | sudo tee /usr/local/bin/update-chkrootkit
#!/bin/bash
# Chkrootkit source update script
# Downloads, compiles, and installs the latest version

set -e

# Check for required build tools
if ! command -v make &>/dev/null || ! command -v gcc &>/dev/null; then
    echo "Error: Build tools (gcc, make) not found. Install with:"
    echo "  sudo apt install gcc make build-essential"
    exit 1
fi

# Create temporary build directory
BUILD_DIR=$(mktemp -d)
cd "$BUILD_DIR"

echo "Downloading latest chkrootkit source..."
wget -q ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz

echo "Extracting archive..."
tar -xzf chkrootkit.tar.gz
cd chkrootkit-*/

# Get the version we downloaded
NEW_VERSION=$(./chkrootkit -V 2>&1 | grep -oP 'version \K[0-9.]+')

# Check current installed version
if command -v chkrootkit &>/dev/null; then
    CURRENT_VERSION=$(chkrootkit -V 2>&1 | grep -oP 'version \K[0-9.]+')
    if [ "$CURRENT_VERSION" = "$NEW_VERSION" ]; then
        echo "Already running latest version ($CURRENT_VERSION). No update needed."
        rm -rf "$BUILD_DIR"
        exit 0
    fi
    echo "Updating from $CURRENT_VERSION to $NEW_VERSION..."
else
    echo "Installing chkrootkit $NEW_VERSION..."
fi

echo "Compiling..."
make sense

echo "Installing to /usr/local/share/chkrootkit..."
sudo rm -rf /usr/local/share/chkrootkit
sudo mv "$BUILD_DIR"/chkrootkit-*/ /usr/local/share/chkrootkit
sudo ln -sf /usr/local/share/chkrootkit/chkrootkit /usr/local/bin/chkrootkit

# Cleanup
rm -rf "$BUILD_DIR"

echo "Update complete. Installed version:"
chkrootkit -V
EOF
sudo chmod +x /usr/local/bin/update-chkrootkit

Run the update script whenever you want to check for and install newer versions:

sudo update-chkrootkit

Do not automate this script via cron. Source compilation can fail for various reasons (network issues, missing dependencies, upstream changes), and failures should be addressed manually. Run the update script periodically when you want to ensure you have the latest rootkit signatures.

Remove Chkrootkit

If you no longer need chkrootkit, remove it using the method that matches your installation.

Remove APT Installation

Remove chkrootkit and its configuration files:

sudo apt remove --purge chkrootkit

Clean up any dependencies that were installed automatically and are no longer needed:

sudo apt autoremove

Optionally, remove any scan logs you created:

rm -f ~/chkrootkit-scan-*.log

Remove Source Installation

Remove the installed files and symbolic link:

sudo rm -rf /usr/local/share/chkrootkit
sudo rm -f /usr/local/bin/chkrootkit
sudo rm -f /usr/local/bin/update-chkrootkit

Clean up the build directory if it still exists:

rm -rf ~/chkrootkit-build

Verify removal by confirming the command is no longer available:

chkrootkit -V

Expected output after removal:

bash: chkrootkit: command not found

Frequently Asked Questions

Conclusion

Chkrootkit delivers effective rootkit detection through signature-based scanning and behavioral analysis without impacting system performance. Daily automated scans provide continuous security monitoring, while manual checks verify system integrity after suspicious behavior or before production deployments. For comprehensive defense-in-depth protection, layer chkrootkit with ClamAV antivirus scanning, Fail2Ban intrusion prevention, AppArmor security profiles, and UFW firewall configuration.

Useful Links

For additional information about chkrootkit:

• Chkrootkit Official Website: Official project homepage with downloads, documentation, and release information.
• Chkrootkit FAQ: Frequently asked questions about rootkit detection and common issues.
• Chkrootkit in Books and Papers: Academic papers and security books referencing chkrootkit methodology.