Monday, January 08, 2007

Checking for rootkits

The term "rootkit" (also written as "root kit") originally referred to a set of recompiled Unix tools such as "ps", "netstat", "w" and "passwd" that would carefully hide any trace of the intruder that those commands would normally display, thus allowing the intruders to maintain "root" on the system without the system administrator even seeing them.

Generally now the term is not restricted to Unix-based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows, regardless of the existence (or lack of existence) of a "root" in the operating system. (Wikipedia.org)

In Linux, you can check for rootkits using two different programs:

1. chkrootkit
2. rkhunter

chkrootkit

One of the popular rootkit checking programs, chkrootkit checks for known rootkits installed on your local machine.

On Ubuntu/Debian

sudo apt-get install chkrootkit

Download from http://www.chkrootkit.org/download/

rkhunter

rkhunter does what chkrootkit does plus a whole lot more.

rkhunter can also be updated with the latest definitions and can be run through cron as well, so the check happens on a schedule rather than only when you remember to run it.

On Ubuntu/Debian

sudo apt-get install rkhunter

Download from http://rkhunter.sourceforge.net/
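Both tools work largely by cross-checking one view of the system against another, since a recompiled "ps" can lie but the kernel still answers for every process it runs. The script below is an added example (not code from chkrootkit or rkhunter) of one such check: it compares the PIDs that the /proc listing admits to against PIDs that respond to a signal-0 probe, the same idea behind chkrootkit's hidden-process test. It assumes a Linux /proc filesystem; the fallback pid_max value is an assumption.

```python
import os


def visible_pids(proc_dir="/proc"):
    """Every PID and thread ID that the /proc listing admits to. Threads
    are included because kill() also answers for a thread's TID."""
    seen = set()
    for name in os.listdir(proc_dir):
        if not name.isdigit():
            continue
        seen.add(int(name))
        try:
            seen.update(int(t) for t in os.listdir(f"{proc_dir}/{name}/task"))
        except OSError:
            pass  # process exited between the two listdir calls
    return seen


def pid_alive(pid):
    """Probe a PID with signal 0. EPERM still means the process exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def hidden_pids(visible, alive, max_pid):
    """IDs that answer the kernel probe but are absent from `visible`.
    `alive` is a predicate so the logic can be tested on constructed data."""
    return sorted(p for p in range(1, max_pid + 1)
                  if p not in visible and alive(p))


def check_live_system():
    """Run against the running kernel; [] means the two views agree.
    A second listing filters processes that merely started mid-scan."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    except OSError:
        max_pid = 32768  # assumption: traditional default if unreadable
    candidates = hidden_pids(visible_pids(), pid_alive, max_pid)
    return [p for p in candidates if p not in visible_pids()]


if __name__ == "__main__":
    gap = check_live_system()
    print("PIDs hidden from /proc listing:", gap or "none")
```

A non-empty result is a reason to investigate with a known-good toolset booted from separate media, not proof by itself, since a kernel-level rootkit can hook the probe as easily as the listing.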
