macOS
brew install chkrootkitlocal Homebrew formula metadata
sudo port install chkrootkitMacPorts ports tree · sysutils/chkrootkit/Portfile · source: api.github.com
brew
Rootkit detector. Version 0.59 via Homebrew; verified from local package data.
install
brew install chkrootkitlocal Homebrew formula metadata
sudo port install chkrootkitMacPorts ports tree · sysutils/chkrootkit/Portfile · source: api.github.com
sudo apt install chkrootkitDebian stable package indexes · chkrootkit · source: deb.debian.org
sudo dnf install chkrootkitFedora Rawhide package metadata · chkrootkit · source: dl.fedoraproject.org
overview
Rootkit detector
history
chkrootkit is a long-running Unix rootkit detector that locally checks for signs of modified system binaries, log tampering, promiscuous interfaces, and kernel-module trojans.
The official README for version 0.59 credits Nelson Murilo as main author and Klaus Steding-Jessen as co-author. It describes chkrootkit as a shell-script front end plus C helpers including ifpromisc, chklastlog, chkwtmp, chkproc, chkdirs, check_wtmpx, chkutmp, and a strings replacement.
The README lists testing across Linux, FreeBSD, OpenBSD, NetBSD, Solaris, HP-UX, Tru64, BSDI, and Mac OS X, which explains why it became common in Unix security packaging. The input package facts show it in Homebrew, Debian, Ubuntu, Fedora/DNF, and MacPorts.
chkrootkit is intended to be run as root, either as ./chkrootkit for all tests or with named tests such as ps, ls, and sniffer. Options include quiet mode, expert mode, an alternate root directory, and an alternate command path for checking mounted disks or avoiding possibly compromised system binaries.
For package nerds, chkrootkit is a classic security-admin utility: small, scriptable, portable, and old enough to appear in many Unix package collections. It also shows why some security tools remain tarball-first rather than source-control-first in package metadata.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
check_wtmpx | cli | global executable | |
chkdirs | cli | global executable | |
chklastlog | cli | global executable | |
chkproc | cli | global executable | |
chkrootkit | cli | global executable | |
chkutmp | cli | global executable | |
chkwtmp | cli | global executable | |
ifpromisc | cli | global executable | |
strings-static | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
install metadata
| Package key | brew:chkrootkit |
|---|---|
| Version | 0.59 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/chkrootkit |
| Homepage | https://www.chkrootkit.org/ |
| Upstream docs | https://www.chkrootkit.org/ |
| License | GPL-2.0-or-later |
| Source archive | ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit-0.59.tar.gz |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | chkrootkit |
| Version Scheme | 0 |
| Revision | 0 |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
chkrootkit 0.58b-5+b7
rootkit detector
sudo apt install chkrootkitchkrootkit 0.58b-1
rootkit detector
sudo apt install chkrootkitchkrootkit 0.58-3b.fc44
Tool to locally check for signs of a rootkit
sudo dnf install chkrootkitchkrootkit
sudo port install chkrootkitsource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.