{
	"id": "637a6410-e5de-407e-af0f-11fcafce4a79",
	"created_at": "2026-04-06T01:31:33.213136Z",
	"updated_at": "2026-04-10T03:34:57.325594Z",
	"deleted_at": null,
	"sha1_hash": "77a371ec2799b3a9d4de2af5b9b95db990307019",
	"title": "chkrootkit -- locally checks for signs of a rootkit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59342,
	"plain_text": "chkrootkit -- locally checks for signs of a rootkit\r\nBy Nelson Murilo, Klaus Steding-Jessen\r\nArchived: 2026-04-06 00:21:09 UTC\r\nWhat's\r\nNew\r\nREADME\r\nTests\r\nMailing\r\nList\r\nAuthors\r\nchkrootkit is a tool to locally check for signs of a rootkit. It contains:\r\nchkrootkit: shell script that checks system binaries for rootkit modification.\r\nifpromisc.c: checks if the interface is in promiscuous mode.\r\nchklastlog.c: checks for lastlog deletions.\r\nchkwtmp.c: checks for wtmp deletions.\r\ncheck_wtmpx.c: checks for wtmpx deletions. (Solaris only)\r\nchkproc.c: checks for signs of LKM trojans.\r\nchkdirs.c: checks for signs of LKM trojans.\r\nstrings.c: quick and dirty strings replacement.\r\nchkutmp.c: checks for utmp deletions.\r\nChkrootkit is named Top 10 Tools to Scan Linux Servers for Vulnerability and Malware\r\nby Cyber Security News.\r\nAfter 25 years still helping people around world!\r\nWhat's New\r\nchkrootkit 0.59 is now available! (Release Date: Jan 01 2026)\r\nThis version includes:\r\nchkrootkit\r\nNew checks: Process executed from memory\r\nNew commands: nologin\r\nXZ Backdoor Bottkitty (UEFI Bootkit)\r\nBug fixes\r\nTests performed and rootkits detected\r\nThe following tests are made:\r\naliens asp bindshell lkm rexedcs sniffer w55808 wted scalper\r\nslapper z2 chkutmp OSX_RSPLUG amd basename biff chfn chsh cron\r\ncrontab date du dirname echo egrep env find fingerd gpm grep\r\nhdparm su ifconfig inetd inetdconf identd init killall\r\nldsopreload login ls lsof mail mingetty netstat named passwd\r\nhttp://www.chkrootkit.org/\r\nPage 1 of 3\n\npidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail\r\nsshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w\r\nwrite\r\nThe following rootkits, worms and LKMs are currently detected:\r\n01. lrk3, lrk4, lrk5, lrk6\r\n(and variants);\r\n02. Solaris rootkit; 03. FreeBSD rootkit;\r\n04. t0rn (and variants);\r\n05. Ambient's Rootkit\r\n(ARK);\r\n06. 
Ramen Worm;\r\n07. rh[67]-shaper; 08. RSHA; 09. Romanian rootkit;\r\n10. RK17; 11. Lion Worm; 12. Adore Worm;\r\n13. LPD Worm; 14. kenny-rk; 15. Adore LKM;\r\n16. ShitC Worm; 17. Omega Worm; 18. Wormkit Worm;\r\n19. Maniac-RK; 20. dsc-rootkit; 21. Ducoci rootkit;\r\n22. x.c Worm; 23. RST.b trojan; 24. duarawkz;\r\n25. knark LKM; 26. Monkit; 27. Hidrootkit;\r\n28. Bobkit; 29. Pizdakit; 30. t0rn v8.0;\r\n31. Showtee; 32. Optickit; 33. T.R.K;\r\n34. MithRa's Rootkit; 35. George; 36. SucKIT;\r\n37. Scalper; 38. Slapper A, B, C and D; 39. OpenBSD rk v1;\r\n40. Illogic rootkit; 41. SK rootkit; 42. sebek LKM;\r\n43. Romanian rootkit; 44. LOC rootkit; 45. shv4 rootkit;\r\n46. Aquatica rootkit; 47. ZK rootkit; 48. 55808.A Worm;\r\n49. TC2 Worm; 50. Volc rootkit; 51. Gold2 rootkit;\r\n52. Anonoying rootkit; 53. Shkit rootkit; 54. AjaKit rootkit;\r\n55. zaRwT rootkit; 56. Madalin rootkit; 57. Fu rootkit;\r\n58. Kenga3 rootkit; 59. ESRK rootkit; 60. rootedoor rootkit;\r\n61. Enye LKM; 62. Lupper.Worm; 63. shv5;\r\n64. OSX.RSPlug.A; 65. Linux Rootkit 64Bit; 66. Operation Windigo;\r\n67. Mumblehard backdoor/botnet; 68. Linux.Xor.DDoS Malware; 69. Backdoors.linux.Mokes.a;\r\n70. Linux.Proxy.10; 71. Rocke Monero Miner; 72. Umbreon Linux Rootkit;\r\n73. Linux BPFDoor; 74. Kovid Rootkit; 75. Syslogk Rootkit.\r\nchkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x, 3x, 4x and 5x, FreeBSD 2.2.x, 3.x, 4.x, 5.x, 7.x and 10.x, OpenBSD 2.x, 3.x, 4.x and 5.x, NetBSD 1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64, BSDI and Mac OS X.\r\nMore details can be found in the chkrootkit README.\r\nSupport us:\r\nChkrootkit is free software. However, large amounts of time and effort go into its continued development. 
If you are interested in financially supporting the development of Chkrootkit, please send your donation to nelsonmurilo[at]gmail.com via PayPal.\r\nWe accept Bitcoin as well.\r\nIf you like our work, please consider supporting Chkrootkit at Patreon. Thank you.\r\nChkrootkit shop (NEW): Shop here!\r\nContacting the Authors: Please send comments, new rootkits, questions and bug reports to Nelson Murilo \u003cnmuriloat.gmail.com\u003e (main author) and Klaus Steding-Jessen \u003cjessen@cert.br\u003e (co-author).\r\nSource: http://www.chkrootkit.org/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://www.chkrootkit.org/"
	],
	"report_names": [
		"www.chkrootkit.org"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1934b371-2525-4615-a90a-772182bc4184",
			"created_at": "2022-10-25T15:50:23.396576Z",
			"updated_at": "2026-04-10T02:00:05.341979Z",
			"deleted_at": null,
			"main_name": "Windigo",
			"aliases": [
				"Windigo"
			],
			"source_name": "MITRE:Windigo",
			"tools": [
				"Ebury"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3844202f-b24a-4e16-b7b9-dfe8c0a44d5d",
			"created_at": "2022-10-25T16:07:24.526179Z",
			"updated_at": "2026-04-10T02:00:05.023222Z",
			"deleted_at": null,
			"main_name": "Operation Windigo",
			"aliases": [
				"G0124"
			],
			"source_name": "ETDA:Operation Windigo",
			"tools": [
				"CDorked",
				"CDorked.A",
				"Calfbot",
				"Ebury"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439093,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/77a371ec2799b3a9d4de2af5b9b95db990307019.pdf",
		"text": "https://archive.orkl.eu/77a371ec2799b3a9d4de2af5b9b95db990307019.txt",
		"img": "https://archive.orkl.eu/77a371ec2799b3a9d4de2af5b9b95db990307019.jpg"
	}
}