rkhunter and chkrootkit – Two Classic Linux Tools for Rootkit Detection

Posted: Thu Apr 23, 2026 7:41 pm
by Admin
When people harden a Linux server, they often focus on firewalls, updates, SSH settings, and log monitoring. All of that is important, but there is another area that should not be ignored: checking the system for signs of rootkits, backdoors, hidden files, suspicious permissions, and altered binaries. Two of the best-known classic tools for this purpose are rkhunter and chkrootkit. Both are designed to help administrators look for indicators that a system may have been compromised.

First, a quick clarification: the commonly used tool is chkrootkit, not “chroot kit.” Chkrootkit is an established Unix/Linux utility whose own project site describes it as a tool that “locally checks for signs of a rootkit.” Debian likewise describes it as a security scanner that searches for signs that the system is infected with a rootkit and says it can identify signs of more than 70 different rootkits.

rkhunter, short for Rootkit Hunter, is another long-standing security tool for Unix-like systems. According to the project and Debian package description, it scans systems for known and unknown rootkits, backdoors, sniffers, and exploits. It checks for things such as SHA256 hash changes, files commonly created by rootkits, executables with unusual permissions, suspicious strings in kernel modules, and hidden files in system directories. In other words, rkhunter is not limited to one simple signature check; it performs a broader set of integrity and anomaly checks.

chkrootkit has a somewhat different style. Its project describes it as a local checker for rootkit signs, and the download page notes that it includes utilities to inspect issues such as promiscuous network interfaces, lastlog/wtmp inconsistencies, and other traces commonly associated with compromise. Its strength is that it is lightweight, straightforward, and still useful as a quick local inspection tool on Linux systems.

So which one is better? In practice, many administrators use both. Rkhunter tends to provide a broader file and system integrity perspective, while chkrootkit is often appreciated for quick signature- and symptom-based checks. Neither tool should be treated as a magic answer or a complete forensic platform. They are best seen as warning tools that may point to suspicious conditions requiring further investigation. A clean result does not prove a system is safe, and a warning does not always mean a system is infected. False positives are possible, especially on customized servers.

That last point is very important. If either tool reports suspicious findings, the correct response is not panic but verification. A system administrator should compare package files, review logs, inspect running processes, validate kernel modules, check network listeners, and consider whether the system may need offline analysis from rescue media. Rootkit detection tools are useful, but they are just one part of a larger security strategy that should also include patching, backups, monitoring, file integrity checks, and least-privilege design.
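The verification step described above can be partly scripted. The following POSIX shell example is added here and is not code from the rkhunter or chkrootkit projects: it pulls the file paths named in "Warning:" blocks out of rkhunter log text, then asks dpkg which package owns each file and whether that package's recorded checksums still match. The embedded log is a constructed sample written in the style of /var/log/rkhunter.log, and the exact log layout (a "Warning:" line followed by an indented "File:" line) is an assumption; the dpkg calls are skipped when dpkg is not present so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not part of the original post or of rkhunter/chkrootkit.
# Triage rkhunter warnings on a Debian-style system: list warned files and
# check each against the owning package's checksums before deciding anything.

# Constructed sample log, written in the style of /var/log/rkhunter.log.
# Real logs are longer; only the "Warning:" / "File:" structure matters here.
SAMPLE_LOG='[10:01:02] Info: Starting test name properties
[10:01:03] Warning: The file properties have changed:
[10:01:03]          File: /usr/bin/ls
[10:01:03]          Current hash: 1111111111111111111111111111111111111111111111111111111111111111
[10:01:03]          Stored hash : 2222222222222222222222222222222222222222222222222222222222222222
[10:01:04] Info: Starting test name hidden_procs
[10:01:05] Warning: The file properties have changed:
[10:01:05]          File: /usr/sbin/sshd
[10:01:06] Info: Checks finished'

# Count "Warning:" lines in the log text given on stdin.
warning_count() {
    grep -c 'Warning:' || true
}

# Print the path named in each warning block, one per line (log text on stdin).
# A block starts at "Warning:" and ends at the next "Info:" line.
warned_files() {
    awk '
        /Warning:/ { in_warn = 1; next }
        in_warn && /File:/ { sub(/.*File:[ \t]*/, ""); print; in_warn = 0; next }
        /Info:/ { in_warn = 0 }
    '
}

# Ask dpkg which package owns the file and whether its checksum still matches.
# Prints one verdict line; falls back to a manual-verification note without dpkg.
verify_owner() {
    file="$1"
    if ! command -v dpkg >/dev/null 2>&1; then
        echo "$file: dpkg not available, verify manually"
        return 0
    fi
    pkg=$(dpkg -S "$file" 2>/dev/null | cut -d: -f1)
    if [ -z "$pkg" ]; then
        echo "$file: not owned by any package (investigate)"
        return 0
    fi
    # dpkg -V prints a line for every installed file whose checksum differs
    # from the package's md5sums; silence for our file means it matches.
    if dpkg -V "$pkg" 2>/dev/null | grep -q "$file"; then
        echo "$file: owned by $pkg, checksum MISMATCH, investigate"
    else
        echo "$file: owned by $pkg, checksum matches package"
    fi
}

# Use the log file given as the first argument, else the constructed sample.
main() {
    log="${1:-}"
    if [ -n "$log" ] && [ -r "$log" ]; then
        text=$(cat "$log")
    else
        text="$SAMPLE_LOG"
    fi
    echo "warnings: $(printf '%s\n' "$text" | warning_count)"
    printf '%s\n' "$text" | warned_files | while IFS= read -r f; do
        verify_owner "$f"
    done
}

main "$@"
```

A matching checksum does not clear a file on its own (a package-level compromise or a kernel-level rootkit can defeat both checks), but it separates the common case of a legitimate package update from a real change. After confirming an update was the cause, `rkhunter --propupd` refreshes the stored file properties so the same warning does not repeat on every run.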

For Linux and Debian administrators, rkhunter and chkrootkit remain valuable classic tools because they are simple, widely known, and still practical for baseline system checks. They may not replace modern EDR, SIEM, or full incident response workflows, but they can still help detect anomalies that should not be ignored. On a server that matters, running regular checks with these tools is a sensible extra layer of security.

https://rkhunter.sourceforge.net/
https://www.chkrootkit.org/
https://packages.debian.org/sid/all/rkhunter