Secure OS Software for Linux

check for rootkits

Super Advisor

How do I check my Debian server for rootkits?
I have clamav installed, but I'm not sure if clamav could find rootkits.

kind regards
Ivan Ferreira
Honored Contributor

Re: check for rootkits

Try with:
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ivan Krastev
Honored Contributor

Re: check for rootkits

Try :

apt-get install chkrootkit

Ivan Krastev
Honored Contributor

Re: check for rootkits

Oops and one more:

apt-get install rkhunter

Trusted Contributor

Re: check for rootkits

rkhunter definitely looks better than chkrootkit. After the apt-get install, do a
'rkhunter --update' if the host is connected to the net.
Debian GNU/Linux for the Enterprise! Ask HP ...
Valued Contributor

Re: check for rootkits

A normal manual way of checking is using netstat to see if you have any weird ports listening for connections. And I usually find the time to check my ps aux and see if anything obvious shows up (even though it's not that hard to cloak a process :P).
Also check the writable directories (for non-superusers) for files that could be executed.

But if you're this paranoid about being hacked I would suggest you look into GRSEC-kernel or the like.
TPE is a wonderful way to stop users from doing things you don't want them to :P

Best regards
Fredrik Eriksson
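The two manual checks from the post above (listening ports you did not expect, and executable files in world-writable directories), written as shell functions so they can be run against captured output. This is an added example, not code from the thread; it assumes the `ss -ltn` column layout (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port) and a space-separated allowlist of ports the admin knows should be listening, neither of which the post specifies.

```shell
#!/bin/sh
# Added example (not from the thread): the manual checks described above,
# written as functions so they can run against captured output.
# Assumptions not stated in the post: `ss -ltn` column layout
# (State Recv-Q Send-Q Local-Address:Port Peer-Address:Port) and a
# space-separated allowlist of ports the admin knows should be listening.

# Constructed sample of `ss -ltn` output; not captured from a real host.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:25         0.0.0.0:*
LISTEN  0       5       0.0.0.0:31337        0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*'

# unexpected_listeners "PORT PORT ..."   (ss/netstat-style output on stdin)
# Prints each LISTENing TCP port that is not in the allowlist, one per line.
# The port is the last colon-separated field of the local address, which
# also works for IPv6 forms such as [::]:22.
unexpected_listeners() {
    allow=" $1 "
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un |
    while read -r port; do
        case "$allow" in
            *" $port "*) ;;            # expected service, say nothing
            *) echo "$port" ;;         # not on the list: go and look at it
        esac
    done
}

# writable_executables DIR
# Regular files under DIR that are world-writable and have any execute bit:
# the classic place a dropped script or binary turns up in /tmp or /var/tmp.
# Octal modes keep this POSIX find; -xdev stays on one filesystem.
writable_executables() {
    find "$1" -xdev -type f -perm -0002 \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) 2>/dev/null
}

# Demonstration on the constructed sample: only 31337 is reported, because
# 22 (sshd) and 25 (the local MTA) are on the allowlist.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 25"     # prints 31337

# On a live host you would feed the real commands instead, for example:
#   ss -ltn | unexpected_listeners "22 25 80 443"
#   writable_executables /tmp; writable_executables /var/tmp; writable_executables /dev/shm
```

Both functions run the host's own `awk`, `find` and `ss`, so they inherit the caveat raised later in the thread: on a box that is already rooted, those binaries may be lying to you.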
Fred K. Abell Jr._1
Regular Advisor

Re: check for rootkits

If you have been rooted, then getting a program to run on the system may not give you the information you want, especially if it is a kernel-based rootkit. Rootkits will rewrite commands like ls, netstat, ps, lsof, etc. to hide the output that would give the rootkit away. For instance, if lsof was installed, the rootkit may filter lsof's output to hide any listening ports.

On a known safe machine, create a CD with the binaries you want to use to inspect your system for unusual activity. A very nice pocket reference guide can be downloaded from to help you find indications of an intrusion.

Also, Trendmicro's housecall program can do an online scan of Linux distributions that support libc6. It may help, but I have never tried it on a Linux box.

Good luck, a well done rootkit can be hard to find.
Don Mallory
Trusted Contributor

Re: check for rootkits

I have to agree with Fred. Unless you have built this prior to being rootkitted, you must treat the system as hacked.

Another tool for finding hidden ports is "unhide".

Add to that rkhunter, chkrootkit, AIDE and auditd, then send the logs to rsyslog, OSSEC or Snort.

Checking the host with netstat and ps -ef, if already rootkitted, won't help, especially if you don't have a baseline of what the host should be set to. You could also check the host locally with these tools on a regular basis, but compare the output of the netstat with the output of nmap or OpenVAS. This will show you an "inside" vs. "outside" perspective.

Best regards,
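The inside-vs-outside comparison and the unhide-style process check from the post above, together with a minimal baseline check in the spirit of AIDE (the "baseline of what the host should be set to"), as an added example that is not code from the thread or from any of the tools named. It assumes the `ss -ltn` column layout, nmap's grepable (`-oG`) line format, and that the nmap scan is run from a second host the attacker does not control; the sample outputs are constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the thread): the inside-vs-outside comparison and
# the "unhide"-style process check the post above describes, plus a minimal
# baseline check in the spirit of AIDE. Assumed, not taken from the post:
# the `ss -ltn` column layout, nmap's -oG (grepable) line format, and that
# the nmap scan is run FROM ANOTHER HOST the attacker does not control.

# Constructed samples, not captured from real hosts.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:25         0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*'
SAMPLE_NMAP='# Nmap grepable output (constructed sample)
Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 443/open/tcp//https///, 31337/open/tcp//Elite///  Ignored State: closed (996)'

# Inside view: ports the host says it is listening on (ss/netstat output on stdin).
ss_listen_ports() { awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -u; }

# Outside view: TCP ports nmap -oG reports as open (grepable output on stdin).
# Each entry is port/state/proto//service///; only state "open" on tcp counts.
nmap_open_tcp() {
    sed -n 's/^Host:.*Ports: //p' | tr ',' '\n' |
    awk -F/ '$2 == "open" && $3 == "tcp" { sub(/^ */, "", $1); print $1 }' | sort -u
}

# port_view_diff SS_TEXT NMAP_TEXT MODE
#   outside -> reachable from outside but not admitted to by the host
#              (hidden listener, or something else answering on that port)
#   inside  -> listed by the host but never seen by the scanner
#              (bound to loopback, or filtered by a firewall in between)
port_view_diff() {
    in_f=$(mktemp) || return 1
    out_f=$(mktemp) || { rm -f "$in_f"; return 1; }
    printf '%s\n' "$1" | ss_listen_ports > "$in_f"
    printf '%s\n' "$2" | nmap_open_tcp  > "$out_f"
    case "$3" in
        outside) comm -13 "$in_f" "$out_f" ;;
        inside)  comm -23 "$in_f" "$out_f" ;;
    esac
    rm -f "$in_f" "$out_f"
}

# hidden_pids
# PIDs present in /proc that `ps` does not report: the simplest of the checks
# unhide performs. A trojaned ps that filters one PID shows up here; a kernel
# rootkit that also filters /proc does not. A process that exits between the
# two listings is a false positive, so re-run before reacting.
hidden_pids() {
    ps_f=$(mktemp) || return 1
    proc_f=$(mktemp) || { rm -f "$ps_f"; return 1; }
    ps -e -o pid= | tr -d ' ' | sort -u > "$ps_f"
    ls /proc | grep '^[0-9][0-9]*$' | sort -u > "$proc_f"
    comm -13 "$ps_f" "$proc_f"
    rm -f "$ps_f" "$proc_f"
}

# make_baseline DIR > FILE   /   check_baseline FILE
# Minimal AIDE-style integrity check: hash every file under DIR once while the
# host is known-good, keep the list off the host (or on the read-only media the
# previous post recommends for clean binaries), and verify it later.
# check_baseline returns non-zero if any file changed or disappeared.
make_baseline()  { find "$1" -xdev -type f -exec sha256sum {} +; }
check_baseline() { sha256sum -c --quiet "$1" > /dev/null 2>&1; }

# Demonstration on the constructed samples:
port_view_diff "$SAMPLE_SS" "$SAMPLE_NMAP" outside   # prints 31337: the host hides it
port_view_diff "$SAMPLE_SS" "$SAMPLE_NMAP" inside    # prints 25: loopback-only, unreachable from outside
```

On a live system the inside half is `ss -ltn | ss_listen_ports` on the suspect host and the outside half is `nmap -sT -p- -oG - <host>` from the clean machine; only the nmap side is trustworthy if the host is already compromised, which is exactly why the two views are worth comparing.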