rkhunter and chkrootkit – Two Classic Linux Tools for Rootkit Detection
Posted: Thu Apr 23, 2026 7:41 pm
When people harden a Linux server, they often focus on firewalls, updates, SSH settings, and log monitoring. All of that is important, but there is another area that should not be ignored: checking the system for signs of rootkits, backdoors, hidden files, suspicious permissions, and altered binaries. Two of the best-known classic tools for this purpose are rkhunter and chkrootkit. Both are designed to help administrators look for indicators that a system may have been compromised.
First, a quick clarification: the commonly used tool is chkrootkit, not “chroot kit.” Chkrootkit is an established Unix/Linux utility whose own project site describes it as a tool that “locally checks for signs of a rootkit.” Debian likewise describes it as a security scanner that searches for signs that the system is infected with a rootkit and says it can identify signs of more than 70 different rootkits.
rkhunter, short for Rootkit Hunter, is another long-standing security tool for Unix-like systems. Ac…