Linux command

chkrootkit command

Security

Requires root and has significant system impact; confirm the target before running.

Common examples

Scan system for rootkits

sudo chkrootkit

Quiet mode (show infections only)

sudo chkrootkit -q

Expert mode: print the raw strings found in each analyzed binary so you can judge suspicious matches yourself

sudo chkrootkit -x

Scan a suspect filesystem mounted at an alternate root (e.g. from a live CD; only the file-based tests honour this)

sudo chkrootkit -r [/mnt/system]

Run only a specific test (test names as printed by -l)

sudo chkrootkit [chkwtmp]

List available tests

chkrootkit -l

Description

chkrootkit is a locally run, signature-based rootkit checker. It greps system binaries (ls, ps, netstat, login, sshd and others) for strings characteristic of known rootkit modifications, checks wtmp, lastlog and utmp for deleted entries, compares the process list from /proc with the output of ps to spot processes hidden by loadable kernel module (LKM) trojans, and reports network interfaces in promiscuous mode. The project lists over 70 rootkits and worms that it recognises; because detection is by signature, a clean report only means that none of those known patterns was found, not that the system is clean. chkrootkit is a shell script that shells out to ordinary system commands (awk, cut, egrep, find, head, id, ls, netstat, ps, sed, strings, uname), so a rootkit that has replaced those commands can hide from it. For trustworthy results either run it from a live CD against the suspect filesystem mounted read-only (-r), or point it at known-good copies of those commands on read-only media (-p).
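The script below is an added example and is not part of this page's original content or of the chkrootkit project. It combines the offline-scan pattern from the examples above (-r against a mounted suspect root, -p pointing at a trusted copy of the external tools chkrootkit shells out to) with a triage filter for chkrootkit's per-test output, so that anything other than an explicit clean result is surfaced. The mount point /mnt/system, the trusted-tools directory /mnt/trusted/bin and the sample output are constructed assumptions, not real scan results.

```shell
#!/usr/bin/env bash
# Added example (not part of the chkrootkit project): build an offline scan
# command line and triage chkrootkit's per-test output.
# Assumptions: suspect root mounted read-only at /mnt/system, known-good
# copies of awk/ls/ps/netstat/strings/... in /mnt/trusted/bin.

# Print the command line for scanning the filesystem mounted at $1 while
# taking the external tools chkrootkit shells out to from $2 rather than
# from the suspect system's PATH. Only the file-based tests honour -r; the
# process, LKM and sniffer tests inspect the kernel you are running on.
chkrootkit_offline_cmd() {
  suspect_root=$1
  trusted_bin=$2
  printf "chkrootkit -q -r '%s' -p '%s'\n" "$suspect_root" "$trusted_bin"
}

# Read chkrootkit output on stdin. Lines that explicitly report a clean or
# informational result are dropped; "INFECTED" is tagged CRITICAL; anything
# else (a promiscuous interface, a deleted wtmp entry, a suspicious file) is
# tagged REVIEW so unknown output is shown rather than silently ignored.
# Returns 1 if at least one CRITICAL line was seen, 0 otherwise.
triage_chkrootkit_output() {
  infected=0
  while IFS= read -r line; do
    case "$line" in
      ""|"ROOTDIR is "*|*"not infected"*|*"not found"*|*"nothing detected"*|*"nothing deleted"*|*"not tested"*)
        ;;  # explicitly clean or informational
      *INFECTED*)
        infected=1
        printf 'CRITICAL %s\n' "$line"
        ;;
      *)
        printf 'REVIEW   %s\n' "$line"
        ;;
    esac
  done
  [ "$infected" -eq 0 ]
}

# Constructed sample in the format chkrootkit prints without -q (not real
# output from any system): one trojaned binary, one sniffer finding.
SAMPLE_OUTPUT=$(cat <<'EOF'
ROOTDIR is `/mnt/system'
Checking `ls'... INFECTED
Checking `ps'... not infected
Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/dhclient)
Checking `wted'... chkwtmp: nothing deleted
Checking `lkm'... chkproc: nothing detected
EOF
)

echo "Offline scan command:"
chkrootkit_offline_cmd /mnt/system /mnt/trusted/bin
echo
echo "Triage of sample output:"
if findings=$(printf '%s\n' "$SAMPLE_OUTPUT" | triage_chkrootkit_output); then
  echo "no INFECTED binaries reported; lines to review:"
else
  echo "INFECTED binaries reported; lines to review:"
fi
printf '%s\n' "$findings"

# Real run, only when chkrootkit exists, we are root and the assumed mount
# points are present, so the example is safe to execute anywhere.
if command -v chkrootkit >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ] \
   && [ -d /mnt/system ] && [ -d /mnt/trusted/bin ]; then
  if ! chkrootkit -q -r /mnt/system -p /mnt/trusted/bin 2>&1 | triage_chkrootkit_output; then
    echo "INFECTED binaries found under /mnt/system" >&2
  fi
fi
```

The triage deliberately fails closed: only messages chkrootkit itself uses for a clean result are dropped, so a new test, a promiscuous interface or a deleted log entry shows up as REVIEW even if the pattern list above has never seen it. With -q, chkrootkit omits the per-test "not infected" lines, so the same filter works on quiet-mode output.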

Options

-q
Quiet mode: suppress the per-test "not infected"/"nothing found" lines so only tests with findings produce output
-x
Expert mode: output the raw strings found in each analyzed binary for manual inspection
-e _'file1 dir2'_
Exclude the quoted, space-separated list of known false-positive files or directories (read the warning in the README before using it)
-r _dir_
Use _dir_ as the root directory, e.g. a suspect filesystem mounted from a live CD; only file-based tests honour it, process and network tests look at the running kernel
-p _dir1:dir2_
Colon-separated path for the external commands chkrootkit relies on (awk, ls, ps, netstat, strings, ...), so they can be taken from trusted media instead of the suspect system
-l
List available tests and exit
-n
Skip NFS-mounted directories

FAQ

What is the chkrootkit command used for?

It is a local, signature-based rootkit scanner: it greps system binaries for strings of known rootkits, checks wtmp, lastlog and utmp for deleted entries, compares /proc with the output of ps to spot hidden processes and LKM trojans, and flags interfaces in promiscuous mode. Because it depends on the system's own commands, run it from a live CD or with trusted tools (-r, -p) when the host may be compromised; see the description above.

How do I run a basic chkrootkit example?

Run `sudo chkrootkit` in a terminal (root is needed to read every binary and /proc entry), then add flags such as `-q`, `-r` or `-p` as required for your system. chkrootkit scans the local machine only; it has no remote-target option.

What does -q do in chkrootkit?

Quiet mode: the per-test "not infected"/"nothing found" lines are suppressed, so output is limited to tests that reported something.