chkrootkit was created in 1999-2000 by Nelson Murilo and Klaus Steding-Jessen, Brazilian security researchers, as a tool to locally check for signs of rootkit infection on Unix-like systems.
- 1999: First public release of chkrootkit
- 2000: Growing adoption in the Linux security community
- 2003: Regular updates for new rootkit signatures
- 2007: chkrootkit 0.47 with improved detection
¶ Maintenance Era (2010-Present)
chkrootkit has been maintained with periodic updates:
- 2013: chkrootkit 0.49 with bug fixes
- 2019: chkrootkit 0.54 with updated signatures
- 2022+: Continued maintenance and updates
| Year | Version | Notable Changes |
| --- | --- | --- |
| 1999 | 0.1 | Initial release |
| 2003 | 0.40 | Enhanced detection |
| 2013 | 0.49 | Bug fixes |
| 2019 | 0.54 | Updated signatures |
- Written in C and Shell script
- Command-line interface
- Signature-based rootkit detection
- No installation required (can run from removable media)
- Checks for known rootkit signatures
- Examines system binaries for modifications
- Looks for hidden processes and files
- Checks for promiscuous network interfaces
- Searches for log file tampering
¶ Impact and Legacy
chkrootkit’s contributions to security:
- Early rootkit detection: One of the first widely available rootkit detection tools
- Simplicity: Easy to use - just download and run
- Portability: Can run from removable media without installation
- Education: Helped raise awareness about rootkit threats
chkrootkit remains available:
- Open-source: GPL-2.0 licensed
- Maintenance mode: Periodic updates for new signatures
- Package availability: Available in most Linux distributions
- Complementary tool: Often used alongside rkhunter
| Feature | chkrootkit | rkhunter |
| --- | --- | --- |
| First Release | 1999 | 2003 |
| License | GPL-2.0 | GPL-2.0 |
| Development | Periodic | Active |
| Detection | Signatures | Signatures + heuristics |
| Updates | Manual | Automated |