Provided by: chkrootkit_0.57-1_amd64 bug

NAME

       chkrootkit - Scan the system for signs of rootkits

SYNOPSIS

       chkrootkit [OPTION]... [TESTNAME]...

DESCRIPTION

       chkrootkit examines the target system for signs that it has been tampered with. Some tools
       which chkrootkit uses can be found in /usr/lib/chkrootkit.

OPTIONS

       Unlike usual programmes, options cannot be 'combined', so you cannot need to write '-q -n'
       instead of '-qn'

       -q     Enter quiet mode. This suppresses output of tests that find nothing suspicious.

       -x     Enter  expert  mode.  This makes many tests produces additional output showing what
              they have found.

       -d     Enter debug mode. This shows exactly what chkrootkit is doing  at  every  step  (it
              includes running chkrootkit with 'set -x').

       -e "FILE1[ FILE2...]"
              Exclude  listed  files  from  the  results  of some tests. The list should be pace-
              separated (which will generally require quoting when run from a shell. You can also
              specify  -e  several  times). Use this to remove false positives from the result of
              many tests - see /usr/share/doc/chkrootkit/README.FALSE-POSITIVES.

       -s REGEXP
              Similar to -e but only applies to the result of the sniffer test.  This  test  will
              flag         standard         network         managers         like        systemd-
              networkd(1), NetworkManager(1) or wpa_supplicant(1) as PACKET SNIFFER  s,  and  you
              can    remove    such    messages    from    the   output   with   something   like
              chkrootkit -s '(systemd-netword|NetworkManager|wpa_supplicant)', where the argument
              lists  whicher  managers  you expect to be present. The argument can be any regular
              expression understood by egrep(1).

       -p DIR1[:DIR2...]
              Specify an alternative $PATH.  chkrootkit assumes that  standard  programmes,  like
              find(1)  andgrep(1),  are  uncompromised.  The  intention is that you place trusted
              copies  where  they  cannot  be   modified   and   invoke   with   something   like
              chkrootkit -p /media/usb

       -r     DIR  Use  DIR  as  the  root  directory.  For example, you might mount a disk on an
              uncompromised system and run chkrootkit-r/mnt

       -n     make some tests ignore NFS-mounted directories.

       -l     Print available tests. These are the following:
              aliens asp bindshell lkm rexedcs sniffer w55808 wted  scalper  slapper  z2  chkutmp
              OSX_RSPLUG  amd basename biff chfn chsh cron crontab date du dirname echo egrep env
              find fingerd gpm grep hdparm  su  ifconfig  inetd  inetdconf  identd  init  killall
              ldsopreload  login  ls  lsof  mail mingetty netstat named passwd pidof pop2 pop3 ps
              pstree rpcinfo rlogind rshd slogin sendmail  sshd  syslogd  tar  tcpd  tcpdump  top
              telnetd timed traceroute vdir w write

       -h     Print a short help message and exit.

       -V     Print version information and exit.

AUTHOR

       Manual   page   written   by   Yotam   Rubin   <yotam@makif.omer.k12.il>,   Marcos  Fouces
       <marcos@debian.org> and lantz moore <lmoore@debian.org> for the Debian project. It may  be
       used by others.

SEE ALSO

       strings(1) chklastlog(8) chkwtmp(8)

                                           Oct 23, 2021                             chkrootkit(8)