As a security measure for your server, or your company's server, checking with chkrootkit whether the system has been compromised is a very good idea. On the net you can find a lot of small scripts that can detect one or two rootkits or something similar, but none of them can detect and remove as many rootkits as chkrootkit can.

Chkrootkit can be found at chkrootkit.org, where you can download it and read the related documentation.

Now let's pretend that you already have chkrootkit on your server and it's working, but to scan you need to run it manually, which means you need to log in to the system every time.

For me it was the same: I had chkrootkit on the system, and it was running and doing its job, but that meant I had to log in and run it myself. For this I created a small script which enables me, and now you of course, to run it from crontab and send the output to a certain email address.

The code:

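#!/bin/bash

# Directory that holds the chkrootkit binary (named so it does not clobber the shell's own PWD)
CHKROOTKIT_DIR=/path/to/chkrootkit/folder
# Address that receives the report
MAIL=somemail@domain.org
DATE=$(date "+%d-%m-%Y %H:%M")
HOST=$(hostname -f)

# Stop if the chkrootkit directory is missing
cd "$CHKROOTKIT_DIR" || exit 1
# Run the scan and mail stdout and stderr together
./chkrootkit 2>&1 | mail -s "chkrootkit scan on $HOST - $DATE" "$MAIL"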

Save this script anywhere you want, run chmod +x scriptname, and then add it to crontab. Here is the entry:

0 3 * * * ( /path/to/the/script/scriptname ) >/dev/null 2>&1

"0 3 * * *" means that this script will run every night at 3 AM.

For me this works every night, and I receive all of the output by mail, where I can check it nicely; if there is something, but only then, I log in to the server and make the necessary changes.
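Reading the full report every morning is easy to skip, so the subject line can carry the verdict. The following is an added example, not part of the original script: it counts the report lines that need attention and builds the subject from that. The match patterns and the sample reports are assumptions constructed for illustration; check them against the output of your chkrootkit version.

```shell
#!/bin/bash
# Patterns are an assumption about chkrootkit's wording; adjust to your version.
# Matching is case-sensitive on purpose: "INFECTED" must not match the
# routine "not infected" that appears on almost every line of a clean report.
ALERT_RE='INFECTED|Warning|PACKET SNIFFER'

# Read a chkrootkit report on stdin and print only the lines that need attention.
findings() {
    grep -E "$ALERT_RE" || true
}

# Build the mail subject. $1 = report text, $2 = host, $3 = date.
subject_for() {
    count=$(printf '%s\n' "$1" | findings | grep -c . || true)
    if [ "$count" -gt 0 ]; then
        printf '[ALERT %s] chkrootkit scan on %s - %s' "$count" "$2" "$3"
    else
        printf '[clean] chkrootkit scan on %s - %s' "$2" "$3"
    fi
}

# Constructed sample reports (not taken from a real scan).
SAMPLE_CLEAN="Checking \`ls'... not infected
Checking \`sshd'... not infected
Checking \`lkm'... chkproc: nothing detected"

SAMPLE_BAD="Checking \`ls'... not infected
Checking \`bindshell'... INFECTED (PORTS:  465)
Checking \`lkm'... chkproc: Warning: Possible LKM Trojan installed"

# Wiring into the cron script (HOST, DATE and MAIL as defined there):
#   REPORT=$(./chkrootkit 2>&1)
#   printf '%s\n' "$REPORT" | mail -s "$(subject_for "$REPORT" "$HOST" "$DATE")" "$MAIL"
```

The full report is still mailed every night, so a missing mail remains a signal that the job itself stopped running.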

Try it out and let me know how it will work for you…