How to Install Chkrootkit on Ubuntu 22.04 (and 20.04) – A Quick, No‑Nonsense Guide
If you’ve ever been paranoid that a rogue piece of software is hiding in your system, chkrootkit is the tool that can give you peace of mind (or at least a better idea of what’s actually happening). In this post we’ll walk through getting it up and running on both Ubuntu 22.04 LTS and 20.04 LTS with zero fuss.
Why you might need chkrootkit
I once had a colleague who’d installed an old, unsupported kernel on a work server. After a routine update, the machine started spamming its admin email with alerts about “unknown processes.” Running chkrootkit revealed a small rootkit that was masquerading as a legitimate system service. That quick check saved a weekend of debugging.
1. Update your package list
Before you do anything else, make sure your apt cache is fresh so you get the newest version available in the official repos.
sudo apt update
Why it matters – A stale cache might try to install an old chkrootkit that misses recent checks or security patches.
2. Install chkrootkit from Ubuntu’s repositories
Ubuntu ships a stable, battle‑tested copy of the tool in its default package list, so no need for third‑party PPAs.
sudo apt install chkrootkit
Why it matters – Installing from the official repo keeps you on the same update cycle as the rest of your system, reducing the risk that you pull in broken binaries or outdated signatures.
3. Verify the installation
A quick sanity check ensures the binary is where it belongs and has the right permissions.
which chkrootkit && ls -l $(which chkrootkit)
The output should point to /usr/sbin/chkrootkit with -rwxr-xr-x. If you see anything else, reinstall.
4. Run a quick scan
Now that the tool is in place, fire it off against your system.
sudo chkrootkit
You’ll see a list of checks being performed and any suspicious findings at the bottom. If nothing pops up, that’s usually good news—but don’t assume everything’s spotless; keep an eye on logs over time.
Why it matters – The first run updates local signature files if needed and gives you a baseline for future scans.
5. Keep chkrootkit’s signatures fresh
Unlike many other security tools, chkrootkit pulls its own signature database from the internet each time it runs (unless you tell it otherwise). If you want to force an update manually:
sudo chkrootkit -u
Why it matters – Malware evolves fast. An up‑to‑date signature set means the tool can catch newer rootkits that might slip past a stale database.
6. Automate regular scans
You don’t have to run chkrootkit manually every time you suspect trouble. Add a cron job for nightly checks:
sudo crontab -e
Then insert:
0 2 * * * /usr/sbin/chkrootkit >> /var/log/chkrootkit.log 2>&1
Why it matters – Running scans at night keeps your day‑time workflow uninterrupted while still giving you a log trail if something slips through.
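One refinement of that cron job, as an added example that is not part of the original post or of chkrootkit itself: a small wrapper that still appends every run to the log, but prints only the suspicious lines to stdout (so cron's default mail-on-output alerts you just when there is something to look at) and exits non-zero in that case. The finding and noise patterns, the log path and the constructed sample output are assumptions; tune the patterns to the messages your chkrootkit version prints.

```shell
#!/bin/sh
# Nightly chkrootkit wrapper (added example, not the tool's own code).
# Logs the full run, reports only findings on stdout, exits 1 if any exist.
# Patterns below are assumptions drawn from common chkrootkit messages.
FINDING_PATTERN='INFECTED|Warning|process hidden|deleted entries'
NOISE_PATTERN='not infected|nothing deleted|nothing detected'

# Filter chkrootkit output (stdin) down to the lines worth a human's attention.
chkrootkit_findings() {
  grep -E "$FINDING_PATTERN" | grep -vE "$NOISE_PATTERN"
}

# Print how many such lines there are (0 on a clean run).
count_findings() {
  chkrootkit_findings | grep -c ''
}

# Run the real scan, log everything, report findings, exit 1 if any were found.
# $1 is the log file; the default matches the cron line above.
nightly_scan() {
  log=${1:-/var/log/chkrootkit.log}
  tmp=$(mktemp) || return 2
  chkrootkit >"$tmp" 2>&1
  { echo "=== chkrootkit run $(date -u +%FT%TZ) ==="; cat "$tmp"; } >>"$log"
  found=$(count_findings <"$tmp")
  if [ "$found" -gt 0 ]; then
    echo "chkrootkit on $(hostname): $found finding(s) need review"
    chkrootkit_findings <"$tmp"
  fi
  rm -f "$tmp"
  [ "$found" -eq 0 ]
}

# Constructed sample output, so the filter can be tried without a real scan.
sample_output() {
  cat <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `ls'... INFECTED
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
chkdirs: nothing detected
Checking `wted'... chkwtmp: nothing deleted
EOF
}

# "--run [logfile]" performs the real scan; otherwise demo the filter on the sample.
if [ "${1:-}" = "--run" ]; then nightly_scan "${2:-}"; else sample_output | chkrootkit_findings; fi
```

Save it somewhere like /usr/local/sbin/chkrootkit-nightly.sh (path is an assumption), make it executable, and point the root cron entry at `chkrootkit-nightly.sh --run` instead of at /usr/sbin/chkrootkit directly.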
7. Common pitfalls and quick fixes
| Problem | Fix |
|---|---|
| “chkrootkit: not found” after install | Verify PATH includes /usr/sbin. If not, add it or use the full path. |
| Scan hangs on “Checking for hidden processes” | Some kernel modules can block the scan; rebooting often clears transient stutters. |
| False positives (e.g., systemd‑resolved flagged) | Update signatures (sudo chkrootkit -u) and check chkrootkit.log to confirm. |
8. One real‑world tip
I once had a friend who noticed odd outbound traffic from an office desktop. Running chkrootkit caught a rootkit that was siphoning data via a hidden network socket. Because the tool flagged it as “hidden process,” we could stop the malicious activity before anyone else got scammed. The takeaway? If your system does anything weird, run this quick scan first; you’ll either clear the mystery or have evidence to dig deeper.
That’s all there is to it. Install a couple of packages, run a check, and set up a cron job if you want peace of mind. No fancy configuration, no hidden fees—just a straightforward tool that does what it says on the tin.