chkrootkit (Check Rootkit) is a common Unix based program intented to help system administrators check their system for known rootkits. It is basically a shell script using common UNIX/Linux tools like strings and grep commands to check core system programs for signatures. If you doubt that your server has been hacked, chkrootkit is what you need to run.

Chkrootkit’s installation is very easy. I am describing the steps below.

1. Ssh to the server as ‘root’, and then wget the chkrootkit from its FTP location.

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

2. Unpack the tarball in the current directory.

tar xvzf chkrootkit.tar.gz

3. Go to the directory newly created, and compile the script.

cd chkrootkit*
make sense

4. Once the compilation is complete, use the below command to execute chkrootkit.

./chkrootkit

NOTE: Make sure that you have gcc and make on the server or else the installation will fail 🙁

At this point, I would suggest that you set a crontab to execute this chkrootkit daily. You can even have the results sent to you via email.

For that, create a file /etc/cron.daily/chkrootkit.sh

Insert the following to the new file and save it:

#!/bin/bash
cd /yourinstallpath/chkrootkit-0.42b/
./chkrootkit | mail -s "Daily chkrootkit from Servername" admin@youremail.com

1. Replace ‘yourinstallpath’ with the actual path to where you unpacked Chkrootkit.
2. Change ‘Servername’ to the server your running so you know where it’s coming from.
3. Change ‘admin@youremail.com’ to your actual email address where the script will mail you.

Change the file permissions so that it can execute:

chmod 755 /etc/cron.daily/chkrootkit.sh

You will receive daily chkrootkit reports on your email address from now on.