LPIC-3 Exam 303

CentOS 7 chkrootkit

August 23, 2018 | September 12th, 2022

Using CentOS 7 chkrootkit

The standard repositories for CentOS do not include a package for chkrootkit as they do for Ubuntu. However, this is not really an issue as the installation from source is not a difficult task. To use CentOS 7 chkrootkit, first, we make sure that we have the packages needed to compile from source. The group Development Tools is a good target for this, but we will also add wget and glibc-static.

$ sudo yum groups install -y "Development Tools"
$ sudo yum install -y wget glibc-static

We can now download the source from the software author. The website is You can check on the latest version from the site and retrieve the link to download it. As of 2017 the current version is 0.52 for us to use CentOS 7 chkrootkit. To download the current version:

$ wget

Now you can proceed to expand the archive:

$ tar -xzf chkrootkit.tar.gz

We can then move into the directory and compile the required files. The main program is a shell script, but this script calls the compiled binaries.

$ cd chkrootkit-0.52/

To compile the code we use make. There is only one make target in the Makefile. The target is called sense, so we can amusingly call:

$ make sense

We now should copy the directory to a sensible location:

$ cd ; sudo mv chkrootkit-0.52/ /usr/local/
$ sudo ln -s /usr/local/chkrootkit-0.52/ /usr/local/chkrootkit

The last command creates a link /usr/local/chkrootkit that points to the current version directory /usr/local/chkrootkit-0.52/. When a new version is released we can link to the new directory. The link gives us a consistent location to use that is independent of the version of chkrootkit.

The chkrootkit script calls the compiled binaries using a relative path. We should therefore run the command from its own directory, which we can achieve by grouping commands:

$ sudo bash -c 'cd /usr/local/chkrootkit && ./chkrootkit -q'

Running Cronjobs

Most of the time we will be running chkrootkit, like most other malware detectors, as a cron job. If we have compiled chkrootkit we will need to define our own cron task. To run the task daily we can create a script in /etc/cron.daily:

$ sudo vim /etc/cron.daily/chkrootkit
#!/bin/bash
cd /usr/local/chkrootkit || exit 1
./chkrootkit -q | mail -s "CHKROOTKIT daily run" root
$ sudo chmod +x /etc/cron.daily/chkrootkit

We can leave this to run with cron and check the root user’s mail daily. To test execution we can execute as the root user:

$ sudo /etc/cron.daily/chkrootkit

To check the mail has been received we can open a root shell and read mail:

$ sudo -i
# mail
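
Because the source tree was unpacked and compiled as an ordinary user and then moved with sudo mv, its files keep that user's ownership, yet cron now runs them daily as root. The following added example (not from the original article) refuses to run the scan when anything in the install tree is not owned by root or is group- or world-writable. The function names audit_tree and run_if_trusted are hypothetical helpers introduced here.

```shell
#!/bin/bash
# Added example: pre-flight check for a root cron job that runs chkrootkit
# from a tree that was built by an unprivileged user.

# audit_tree DIR [OWNER]
# Prints every non-symlink entry under DIR that is not owned by OWNER
# (default: root) or that is group- or world-writable.
# Returns 0 if the tree is clean, 1 if anything was flagged, 2 on bad input.
audit_tree() {
    local dir="$1" owner="${2:-root}" findings
    [ -d "$dir" ] || { echo "audit_tree: $dir is not a directory" >&2; return 2; }
    # -H follows DIR itself when it is a symlink (e.g. /usr/local/chkrootkit).
    findings=$(find -H "$dir" ! -type l \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# run_if_trusted DIR [OWNER]
# Runs ./chkrootkit -q from DIR only when audit_tree reports a clean tree;
# otherwise prints the flagged paths so they end up in the mailed report.
run_if_trusted() {
    local dir="$1" owner="${2:-root}" report
    if ! report=$(audit_tree "$dir" "$owner"); then
        printf 'Refusing to run chkrootkit; untrusted entries:\n%s\n' "$report"
        return 1
    fi
    ( cd "$dir" && ./chkrootkit -q )
}
```

In /etc/cron.daily/chkrootkit, the output of run_if_trusted /usr/local/chkrootkit can be piped to mail in place of the plain ./chkrootkit -q call. Running sudo chown -R root:root /usr/local/chkrootkit-0.52 clears the ownership findings.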