
What is chkrootkit?

chkrootkit scans Linux systems for rootkits and hidden threats. Use it to detect suspicious activity and verify system integrity.

chkrootkit is a security tool designed to scan your Linux system for signs of rootkits—malicious software that can provide unauthorized access to a system while hiding its presence. Think of chkrootkit as a digital security guard that checks your system for hidden threats.

Why use chkrootkit?

Rootkits can be stealthy and hard to detect with standard antivirus tools. chkrootkit helps identify suspicious files, system binaries, and processes that may have been tampered with. It’s especially useful if you suspect your server has been compromised or want to regularly audit your system for safety.


How to install chkrootkit

There are two ways to install chkrootkit on your system:

Option 1: Install via lp package

If you’re using our hosting environment with lp package support, just run:

lpyum install lp-chkrootkit

Option 2: Install from source

For manual installation, download the latest version from the official site:

http://www.chkrootkit.org/download/

Then follow the usual steps to compile and install from source.


How to run chkrootkit

To start a basic system check, open your terminal and run:

chkrootkit

If that command doesn’t work, try the full path:

/usr/local/lp/apps/security/chkrootkit/chkrootkit

Expert Mode

For a more in-depth analysis that checks binaries for suspicious strings (often signs of a trojan), use:

chkrootkit -x | more

To show only the full pathnames embedded in system commands (lines beginning with /):

chkrootkit -x | egrep '^/'

Using trusted binaries and custom paths

chkrootkit relies on several standard system commands, including ps, ls, netstat, egrep, and strings, to do its checks. If you suspect your system’s core binaries have been compromised, you can point chkrootkit at a directory of trusted copies of those commands (here, a mounted CD-ROM):

chkrootkit -p /cdrom/bin

Or, mount the potentially compromised disk onto a trusted machine and scan it like this:

chkrootkit -r /mnt

Understanding false positives

It’s common for chkrootkit to report false positives. Here are a few examples:

  • bindshell INFECTED (PORTS: 465) — This may appear if a program such as Portsentry is running; it binds to otherwise unused ports and can trigger a false alert.
  • find: /proc/[PID]/task: No such file or directory — This message appears when a process exits while chkrootkit is still scanning. It’s typically harmless.
  • chkproc: Warning: Possible LKM Trojan installed — This warning indicates a mismatch between the output of ps and what chkrootkit sees in /proc. Again, this can happen during normal system activity.

If you’re unsure whether something is a real threat or not, reach out to our Support Team—we’re here to help!
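The filter below is an added example, not part of chkrootkit or of the hosting environment’s tooling: it reads a chkrootkit scan and drops the known-benign lines listed above (a bindshell hit on an allowlisted port, the /proc task error, clean checks) while keeping everything else for review. The KNOWN_BIND_PORTS allowlist and the sample output are constructed for illustration.

```shell
# Added example (not chkrootkit's own code): triage chkrootkit output so only
# findings that still need follow-up reach a human. KNOWN_BIND_PORTS is a
# constructed allowlist for this host; adjust it before use. Typical usage:
#   chkrootkit -p /cdrom/bin 2>&1 | tee /var/log/chkrootkit.log | triage_chkrootkit
# Ports on which a legitimate daemon such as Portsentry is known to listen,
# so a "bindshell INFECTED" report naming only them is a false positive.
KNOWN_BIND_PORTS="${KNOWN_BIND_PORTS:-465}"
# Reads chkrootkit output on stdin and prints only the lines worth escalating.
# Lines not recognised as benign are kept, so unknown output errs toward review.
triage_chkrootkit() {
    while IFS= read -r line; do
        case "$line" in
            ""|"ROOTDIR is "*) ;;                                   # header / blank
            *"not infected"*|*"not found"*|*"nothing found"*) ;;   # clean checks
            *"nothing detected"*|*"not tested"*|*"not promisc"*) ;;
            "find: /proc/"*"/task: No such file or directory") ;;  # process exited mid-scan
            *bindshell*INFECTED*)
                # Escalate only if a reported port is outside the allowlist.
                ports=$(printf '%s\n' "$line" | sed 's/.*PORTS:[[:space:]]*//; s/[^0-9 ]//g')
                unexplained=""
                for port in $ports; do
                    case " $KNOWN_BIND_PORTS " in
                        *" $port "*) ;;
                        *) unexplained="$unexplained $port" ;;
                    esac
                done
                [ -z "$unexplained" ] || printf '%s\n' "$line"
                ;;
            *)  # Includes "Possible LKM Trojan": often a ps-vs-/proc race, but
                # kept so the comparison is repeated rather than assumed benign.
                printf '%s\n' "$line" ;;
        esac
    done
}
# Constructed sample output (not from a real scan) to exercise the filter;
# the backticks are how chkrootkit quotes check names.
sample_output() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `login'... INFECTED
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `bindshell'... INFECTED (PORTS:  465 1524)
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
find: /proc/4242/task: No such file or directory
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
EOF
}
```

Keep the full log (the tee in the usage line) so that anything the filter drops can still be reviewed if a kept finding turns out to be real.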


Final tips

  • Run chkrootkit regularly as part of your server maintenance routine.
  • Use it alongside other security tools like rkhunter and intrusion detection systems for better protection.
  • Always follow up on suspicious results by consulting our support team.