Rootkit checks are most useful when they run before a suspicious system becomes your only source of truth. To install Chkrootkit on Ubuntu, start with the package in Ubuntu’s Universe repository, then decide whether the upstream source build is worth the manual update burden. Chkrootkit looks for known rootkit signatures, hidden-process symptoms, suspicious binaries, and network-interface warnings, but its results still need careful review because false positives are common.
Ubuntu 26.04 LTS (resolute) and 24.04 LTS (noble) currently package Chkrootkit 0.58b, while Ubuntu 22.04 LTS (jammy) packages 0.55. The official Chkrootkit website publishes the current upstream 0.59 source tarball at its official download page, but the project site does not present GitHub as the installation source. Avoid random GitHub mirrors or install scripts unless you have independently audited them.
Install Chkrootkit on Ubuntu
The Ubuntu package is the safest default for most systems because APT handles package signing, dependency tracking, daily-scan integration, and future updates. The package name is chkrootkit, not chrootkit or checkrootkit.
Refresh the package index first:
sudo apt update
These commands use sudo for package installation and system-wide configuration. If your account does not have administrator access yet, use a root shell or follow the guide to add a new user to sudoers on Ubuntu before continuing.
Install the Ubuntu repository package:
sudo apt install chkrootkit
Chkrootkit is in Ubuntu’s Universe component. If APT cannot locate the package on a minimal or customized system, enable Universe first with the Ubuntu Universe and Multiverse repository guide, then run sudo apt update again.
On Ubuntu 26.04 and 24.04, the default install may also pull in a mail transport agent and mail utilities as recommended packages so daily scan reports can mail root. If a Postfix configuration screen appears, choose No configuration unless you already know how you want local mail delivery handled; with no local mail set up, the daily job's MAILTO delivery will not work, but the scan logs are still written under /var/log/chkrootkit as described below. For noninteractive deployments, this command accepts package defaults instead of opening prompts:
sudo DEBIAN_FRONTEND=noninteractive apt install -y chkrootkit
Verify the installed version:
chkrootkit -V
Ubuntu 26.04 and 24.04 return a 0.58b build:
chkrootkit version 0.58b
Ubuntu 22.04 returns the older packaged branch:
chkrootkit version 0.55
Compare Chkrootkit Install Methods
Use the APT package unless you specifically need the current upstream source release. Source builds are useful for version recency, but they bypass Ubuntu’s normal package update and removal tracking.
| Method | Current Version | Best Fit | Tradeoff |
|---|---|---|---|
| Ubuntu APT package | 0.58b-6build1 on 26.04, 0.58b-1 on 24.04, 0.55-4 on 22.04 | Most desktops, servers, and routine monitoring setups | Uses Ubuntu’s Universe package and APT updates, but may lag upstream |
| Upstream source build | 0.59 from the official Chkrootkit tarball | Users who need the newest upstream checks and accept manual maintenance | Downloads from the upstream FTP source tarball, uses only an MD5 integrity file, and can shadow the APT binary through /usr/local/bin |
Build Chkrootkit from Source
The upstream source method installs outside APT. Pick either the Ubuntu package or the source build for normal use, because a source symlink in /usr/local/bin usually takes precedence over the packaged binary in /usr/sbin.
Install the build tools first:
sudo apt install gcc make build-essential wget
Create a build directory, download the official tarball with wget, and download the upstream MD5 file beside it. The MD5 check catches a truncated or corrupted transfer, but because the .md5 file comes from the same server over the same unauthenticated FTP channel as the tarball, it cannot detect a tampered archive; it is not a substitute for the signed APT repository.
mkdir -p ~/chkrootkit-build
cd ~/chkrootkit-build
wget ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz
wget ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.md5
md5sum -c chkrootkit.md5
A matching download returns:
chkrootkit.tar.gz: OK
Extract the archive and compile the helper programs:
tar -xzf chkrootkit.tar.gz
cd chkrootkit-*/
make sense
Relevant build output includes the helper binaries Chkrootkit uses for lastlog, wtmp, process, and directory checks:
cc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c
cc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c
cc -o chkproc chkproc.c
cc -o chkdirs chkdirs.c
cc -o check_wtmpx check_wtmpx.c
cc -static -o strings-static strings.c
cc -o chkutmp chkutmp.c
Verify the source build before installing it globally:
./chkrootkit -V
chkrootkit version 0.59
Install the compiled tree under /usr/local/share/chkrootkit, then create a symbolic link on Ubuntu so the command is available from your normal shell:
cd ~/chkrootkit-build
sudo rm -rf /usr/local/share/chkrootkit
sudo install -d -m 0755 /usr/local/share/chkrootkit
sudo cp -a chkrootkit-*/. /usr/local/share/chkrootkit/
sudo ln -sf /usr/local/share/chkrootkit/chkrootkit /usr/local/bin/chkrootkit
Confirm your shell now resolves the source-installed command:
command -v chkrootkit
chkrootkit -V
/usr/local/bin/chkrootkit
chkrootkit version 0.59
Run Chkrootkit Scans on Ubuntu
Run a full manual scan with root privileges:
sudo chkrootkit
For day-to-day checks, quiet mode is usually easier to review because it prints only findings and warnings instead of every clean test:
sudo chkrootkit -q
Quiet output is not guaranteed to be empty on a clean system. Package-owned .build-id paths, desktop network managers, wtmp history gaps, and other normal Ubuntu behavior can appear as suspicious until you verify the context.
WARNING: The following suspicious files and directories were found:
/usr/lib/debug/.build-id
WARNING: Output from ifpromisc:
enp0s3: PACKET SNIFFER(/usr/sbin/NetworkManager[pid])
If a scan reports a missing helper such as pstree, install the package that provides it and rerun the scan. On Ubuntu, pstree comes from psmisc:
sudo apt install psmisc
Configure Automatic Chkrootkit Scans
The APT package enables automatic daily scanning by default. Ubuntu 26.04 and 24.04 install a systemd timer, while Ubuntu 22.04 uses the packaged cron job in /etc/cron.daily/chkrootkit.
On Ubuntu 26.04 and 24.04, verify the timer state:
systemctl is-enabled chkrootkit.timer
systemctl is-active chkrootkit.timer
enabled
active
On Ubuntu 22.04, confirm the cron script exists and is executable:
ls -l /etc/cron.daily/chkrootkit
-rwxr-xr-x 1 root root [size varies] [date varies] /etc/cron.daily/chkrootkit
Edit the configuration file to control daily scan behavior:
sudo nano /etc/chkrootkit/chkrootkit.conf
The main settings are:
RUN_DAILY="true"
RUN_DAILY_OPTS=""
DIFF_MODE="true"
IGNORE_FILE="/etc/chkrootkit/chkrootkit.ignore"
MAILTO="root"
RUN_DAILY="true" keeps the packaged daily scan enabled. Setting RUN_DAILY_OPTS="-q" makes daily reports quieter by showing only warnings and findings. DIFF_MODE="true" compares each run against /var/log/chkrootkit/log.expected so changes stand out. IGNORE_FILE points to patterns you have reviewed and intentionally excluded from daily output. MAILTO="root" relies on local mail delivery; leave it empty if you do not want the daily job to attempt email delivery.
The first daily run may report that /var/log/chkrootkit/log.expected does not exist. Review /var/log/chkrootkit/log.today first, then create the baseline only if the output matches your expected clean state:
sudo less /var/log/chkrootkit/log.today
sudo cp -a /var/log/chkrootkit/log.today /var/log/chkrootkit/log.expected
Interpret Chkrootkit Results
Chkrootkit findings are leads, not final incident-response conclusions. Treat every warning as something to confirm with package ownership, checksums, logs, and another trusted tool before you decide a system is compromised.
- INFECTED: A test matched a known rootkit pattern or suspicious behavior. Investigate immediately, but do not assume the result is definitive.
- not infected: The specific test did not find a known signature.
- not found: The binary, service, or file targeted by the test is absent. This is common for services you do not run.
- not tested: Chkrootkit skipped the check because it did not apply or a helper command was unavailable.
For package-owned files, identify the owning package first:
dpkg -S /path/to/suspicious/file
If the file belongs to an installed package, install debsums and check whether package-managed files still match their recorded checksums:
sudo apt install debsums
sudo debsums -s package-name
No output from debsums -s means the checked package files matched the recorded checksums. Any reported file path needs further investigation.
For command-line tools that Chkrootkit commonly flags, confirm package ownership before dismissing the result. For example, lwp-request is normally provided by libwww-perl:
command -v lwp-request
dpkg -S /usr/bin/lwp-request
/usr/bin/lwp-request
libwww-perl: /usr/bin/lwp-request
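The DIFF_MODE and IGNORE_FILE settings above and the dpkg -S triage in this section are manual steps. The script below, an added example written for this article rather than code from the chkrootkit project or the Ubuntu package, strings them together: it takes a quiet report, drops the lines already present in a reviewed baseline, applies ignore patterns, and tags each surviving line as ESCALATE (a signature hit), REVIEW (a path, with dpkg ownership when dpkg is available) or NOTE. The two sample reports are constructed, modelled on the warnings shown earlier; treating the ignore file as one extended regex per line and computing "new since baseline" as a line set difference rather than a diff are my own conventions, not necessarily those of the packaged daily job.

```shell
#!/usr/bin/env bash
# chkrootkit-triage: reduce a quiet chkrootkit report to the lines worth a human's time.
# Added example for this article; not part of chkrootkit or Ubuntu's chkrootkit package.
# Assumptions (mine, not the page's or the package's):
#   * the ignore file holds extended regexes, one per line, matched against whole
#     report lines (the packaged daily job may apply IGNORE_FILE differently);
#   * "new since baseline" is a line set difference, not the diff(1) run by the
#     packaged DIFF_MODE, so reordered lines are not reported as changes;
#   * SAMPLE_TODAY and SAMPLE_EXPECTED are constructed, modelled on the warnings above.
set -u

SAMPLE_TODAY='WARNING: The following suspicious files and directories were found:
/usr/lib/debug/.build-id
/opt/agent/.cache
WARNING: Output from ifpromisc:
enp0s3: PACKET SNIFFER(/usr/sbin/NetworkManager[1234])
INFECTED: constructed sample signature hit for this example'

SAMPLE_EXPECTED='WARNING: The following suspicious files and directories were found:
/usr/lib/debug/.build-id
WARNING: Output from ifpromisc:
enp0s3: PACKET SNIFFER(/usr/sbin/NetworkManager[1234])'

# Lines in TODAY that do not appear verbatim in EXPECTED. A missing or empty
# baseline means everything is new, which is the safe direction to fail.
new_since_baseline() {  # usage: new_since_baseline EXPECTED_FILE TODAY_FILE
  if [ -s "$1" ]; then
    grep -F -x -v -f "$1" "$2" || true
  else
    cat "$2"
  fi
}

# Drop lines matching a reviewed pattern. A missing or empty ignore file passes
# everything through rather than silently suppressing the whole report.
filter_ignored() {  # usage: filter_ignored IGNORE_FILE   (report on stdin)
  if [ -s "$1" ]; then
    grep -E -v -f "$1" || true
  else
    cat
  fi
}

# Absolute paths listed under the "suspicious files and directories" warning.
suspicious_paths() {  # report on stdin
  grep -E '^/' || true
}

# Signature hits outrank warnings and should never be filtered away.
infected_lines() {  # report on stdin
  grep -E '^INFECTED:' || true
}

# Package ownership via dpkg -S: "packaged <name>", "unpackaged", or "unknown"
# when dpkg is absent (e.g. triaging a copied log on a non-Debian workstation).
classify_path() {  # usage: classify_path /some/path
  if ! command -v dpkg >/dev/null 2>&1; then
    echo "unknown"
  elif owner=$(dpkg -S "$1" 2>/dev/null); then
    echo "packaged ${owner%%:*}"
  else
    echo "unpackaged"
  fi
}

# Full pass: new lines, minus reviewed patterns, tagged for the analyst.
triage_report() {  # usage: triage_report EXPECTED_FILE TODAY_FILE IGNORE_FILE
  new_since_baseline "$1" "$2" | filter_ignored "$3" | while IFS= read -r line; do
    case "$line" in
      INFECTED:*) echo "ESCALATE  $line" ;;
      /*)         echo "REVIEW    $line [$(classify_path "$line")]" ;;
      *)          echo "NOTE      $line" ;;
    esac
  done
}

# --demo triages the constructed samples; three file arguments triage real logs, e.g.
#   chkrootkit-triage /var/log/chkrootkit/log.expected /var/log/chkrootkit/log.today /etc/chkrootkit/chkrootkit.ignore
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d)
  printf '%s\n' "$SAMPLE_TODAY" > "$demo/today"
  printf '%s\n' "$SAMPLE_EXPECTED" > "$demo/expected"
  printf '%s\n' '^/usr/lib/debug/\.build-id$' 'NetworkManager\[' > "$demo/ignore"
  triage_report "$demo/expected" "$demo/today" "$demo/ignore"
  rm -rf "$demo"
elif [ $# -eq 3 ]; then
  triage_report "$1" "$2" "$3"
fi
```

Run it as root so dpkg -S and the log files are readable, and feed it the real log.expected, log.today and ignore file paths from the configuration above. The two guard clauses matter: an absent baseline makes every line new, and an absent ignore file filters nothing, so a deleted or truncated file can only make the report noisier, never quieter.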
A suspected compromise changes the trust model. A rootkit can tamper with commands such as ps, ls, netstat, or strings, which Chkrootkit may rely on during a local scan. For stronger evidence, boot from trusted live media, mount the suspect system read-only, and scan that mounted root with trusted binaries:
sudo chkrootkit -r /mnt/suspect-root -p /mnt/trusted-bin:/mnt/trusted-sbin
The -r option points Chkrootkit at the mounted suspect root instead of /, and -p lists directories holding trusted copies of the external commands it calls, so neither the scanned files nor the tools used to inspect them come from the suspect system. Running the -p form alone would still scan the live system.
Chkrootkit and rkhunter overlap but do not perform identical checks. Chkrootkit is lightweight and signature-focused, while rkhunter adds more file-property and configuration checks. Many administrators run more than one scanner, then compare findings with package checksums, system logs, and tools such as ClamAV scanning on Ubuntu.
Update Chkrootkit
For the Ubuntu package, refresh package metadata and upgrade only Chkrootkit if a newer build is available for your release:
sudo apt update
sudo apt install --only-upgrade chkrootkit
For a source installation, create a repeatable updater script under /usr/local/bin. The script downloads the current official tarball and MD5 file, verifies the transfer, builds the helper programs, and replaces only the source-installed tree under /usr/local/share/chkrootkit:
cat <<'EOF' | sudo tee /usr/local/bin/update-chkrootkit > /dev/null
#!/usr/bin/env bash
set -euo pipefail
if [ "$(id -u)" -ne 0 ]; then
echo "Run this updater with sudo."
exit 1
fi
for tool in wget tar make gcc md5sum grep awk; do
if ! command -v "$tool" > /dev/null; then
echo "Missing required tool: $tool"
echo "Install build tools with: sudo apt install gcc make build-essential wget"
exit 1
fi
done
SOURCE_URL="ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz"
SUM_URL="ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.md5"
BUILD_DIR="$(mktemp -d)"
BACKUP_DIR="$BUILD_DIR/previous-install"
trap 'rm -rf "$BUILD_DIR"' EXIT
rollback_install() {
rm -rf /usr/local/share/chkrootkit
if [ -d "$BACKUP_DIR" ]; then
mv "$BACKUP_DIR" /usr/local/share/chkrootkit
ln -sf /usr/local/share/chkrootkit/chkrootkit /usr/local/bin/chkrootkit
echo "Restored the previous source-installed chkrootkit tree."
fi
}
cd "$BUILD_DIR"
echo "Downloading chkrootkit source..."
wget -q "$SOURCE_URL" "$SUM_URL"
echo "Verifying upstream MD5 file..."
md5sum -c chkrootkit.md5
tar -xzf chkrootkit.tar.gz
cd chkrootkit-*/
NEW_VERSION="$(awk -F"'" '/^CHKROOTKIT_VERSION=/{print $2; exit}' chkrootkit)"
if [ -z "$NEW_VERSION" ]; then
echo "Could not detect the downloaded chkrootkit version."
exit 1
fi
CURRENT_VERSION=""
if [ -x /usr/local/share/chkrootkit/chkrootkit ]; then
CURRENT_VERSION="$(/usr/local/share/chkrootkit/chkrootkit -V 2>&1 | grep -oE 'version [0-9.]+[[:alnum:]]*' | awk '{print $2}' || true)"
fi
if [ -n "$CURRENT_VERSION" ] && [ "$CURRENT_VERSION" = "$NEW_VERSION" ]; then
echo "Source-installed Chkrootkit $CURRENT_VERSION is already current."
exit 0
fi
echo "Building chkrootkit $NEW_VERSION..."
make sense
echo "Installing to /usr/local/share/chkrootkit..."
if [ -d /usr/local/share/chkrootkit ]; then
mv /usr/local/share/chkrootkit "$BACKUP_DIR"
fi
install -d -m 0755 /usr/local/share/chkrootkit
if ! cp -a . /usr/local/share/chkrootkit/; then
echo "Install copy failed."
rollback_install
exit 1
fi
ln -sf /usr/local/share/chkrootkit/chkrootkit /usr/local/bin/chkrootkit
VERIFY_VERSION="$(/usr/local/share/chkrootkit/chkrootkit -V 2>&1 | grep -oE 'version [0-9.]+[[:alnum:]]*' | awk '{print $2}' || true)"
if [ "$VERIFY_VERSION" != "$NEW_VERSION" ]; then
echo "Installed chkrootkit failed its version check."
rollback_install
exit 1
fi
rm -rf "$BACKUP_DIR"
echo "Installed version:"
chkrootkit -V 2>&1 || true
EOF
sudo chmod 0755 /usr/local/bin/update-chkrootkit
The final chmod command makes the helper executable. Since the script is installed in /usr/local/bin, you can run it from any terminal directory.
Run the updater manually when you want to check for a newer upstream source release:
sudo update-chkrootkit
A first source-install run ends with output similar to this trimmed example:
Downloading chkrootkit source...
Verifying upstream MD5 file...
chkrootkit.tar.gz: OK
Building chkrootkit 0.59...
Installing to /usr/local/share/chkrootkit...
Installed version:
chkrootkit version 0.59
If the source-installed tree is already current, the updater exits without replacing it:
Source-installed Chkrootkit 0.59 is already current.
Do not run source-build updates from cron. Network failures, changed upstream archives, or compiler errors need manual review, especially for a security scanner.
Remove Chkrootkit
Use the removal path that matches how you installed Chkrootkit.
Remove the Ubuntu APT Package
Remove the package and its registered configuration files:
sudo apt remove --purge chkrootkit
Verify that the package is no longer installed:
dpkg -l chkrootkit | grep '^ii' || echo "chkrootkit is not installed"
chkrootkit is not installed
If APT says some dependencies are no longer required, preview the cleanup before confirming it. Reused systems can have unrelated old kernels or desktop helpers marked autoremovable.
sudo apt autoremove --dry-run
Only run the real cleanup if the preview shows packages you actually want to remove:
sudo apt autoremove
Remove a Source Installation
The following commands permanently delete the source-installed Chkrootkit tree, the update helper, and the local build directory used in this article. Keep a backup first if you modified any source files or local scripts under those paths.
sudo rm -rf /usr/local/share/chkrootkit
sudo rm -f /usr/local/bin/chkrootkit
sudo rm -f /usr/local/bin/update-chkrootkit
rm -rf ~/chkrootkit-build
Clear your shell’s command cache, then confirm the source-installed command no longer resolves:
hash -r
command -v chkrootkit || echo "chkrootkit command not found"
chkrootkit command not found
Conclusion
Chkrootkit is installed on Ubuntu with either APT-managed daily scanning or a source-built 0.59 tree for manual maintenance. Use it as one layer in a broader security workflow: compare findings with package checksums, keep Fail2Ban intrusion prevention on Ubuntu for exposed services, and review UFW firewall rules on Ubuntu before opening new network paths.


This doesn't help at all. When I install chroot it immediately tries to set up some mail server configuration. What does email have to do with this?
Hi Jo,
Thanks for the feedback. The mail server configuration prompt appears because chkrootkit installs mailutils or a similar package as a dependency to send security alerts. You don’t need to configure email to use chkrootkit for manual scans. Skip the mail configuration by selecting “No configuration” when prompted, or press Tab to highlight “OK” and continue without setting up a mail server. You can run manual scans with sudo chkrootkit and view results directly in your terminal without any email setup. To avoid the mail configuration prompts entirely during installation, use:
This installs chkrootkit without interactive prompts. The guide has been updated to clarify this behavior in the installation section.