LinuxQuestions.org > Forums > Linux Forums > Linux - Security
04-14-2007, 08:49 PM   #1
ComputerHermit_
LQ Newbie
Registered: Feb 2007
Distribution: Ubuntu 7.10 Mint 4.0
Posts: 23
what one is better chkrootkit or rkhunter
I run chkrootkit and rkhunter. I was reading it's better to run rkhunter on a floppy; I don't know if this is true or not, or can you use both? I assume you can! It looks to me they both do the same thing...
 
04-15-2007, 03:02 AM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
//Moved post to new thread. Please don't tack on to existing threads if your questions do not address the OP's questions.

Generally speaking (and I mean very generally speaking) Chkrootkit (CRT) and Rootkit Hunter (RKH) are both host-based, passive, post-incident auditing tools meant to check for signs of malicious activity. While they have some things in common, they have different features. Best compare CRT with RKH's upcoming 1.3.0 release: see RKH's CVS at Sourceforge, since a lot will change (and I do mean a *lot*). Running any audit tool from a LiveCD is a "best practice" approach when the target system is suspected tampered with or outright can't be trusted. I also added a short doc to the 1.3.0 branch about running RKH with Webjob. While its usage doesn't seem that widespread, it could be used as an alternative to running a LiveCD in some situations. Running both CRT and RKH causes some overlap in tests but isn't bad, since it allows for a second opinion, which in some cases can be a good thing. Finally, don't forget running CRT or RKH alone does *not* constitute proper system hardening or system auditing. There's more you need to do. See the LQ FAQ: Security references for more info.
 
04-15-2007, 12:54 PM   #3
Zention
Member
Registered: Mar 2007
Posts: 119
Run both.

It is hard to determine which is better than the other; it does not make much sense when we are dealing with only two fairly full featured root kit finders. If there are things that don't fall into the intersection of the two (or more) then you will want to run those that give you the largest collection of hits.

If there were a hundred then it might make sense to compare and contrast to find the optimum speed against maximum detection. Still, things tend to niche at that point, and you will have to make comparison depending upon your position.
 
04-16-2007, 01:57 AM   #4
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Quote:
Originally Posted by Zention
It is hard to determine which is better than the other; it does not make much sense when we are dealing with only two fairly full featured root kit finders.
No it's not hard. It just takes knowledge and time. BTW, there are two more tools in the field I know of: OSSEC and Zeppoo.


Quote:
Originally Posted by Zention
If there are things that don't fall into the intersection of the two (or more) then you will want to run those that give you the largest collection of hits.
The amount of "hits" is of lesser consequence than the accuracy IMNSHO, and having a large amount of "hits" doesn't imply greater accuracy. RKH can generate a fair amount of FP's, and CRT's chkproc will sometimes generate FP's too. FP's are for the user to verify.


Quote:
Originally Posted by Zention
If there were a hundred then it might make sense to compare and contrast to find the optimum speed against maximum detection. Still, things tend to niche at that point, and you will have to make comparison depending upon your position.
I think it's too easy to say "make comparison depending upon your position". How about some solid criteria?
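The two points made above, that running both tools gives a second opinion (post #2) and that hit counts matter less than accuracy because both tools produce false positives the user must verify (post #4), can be turned into a small triage step. The following is an added example, not code from chkrootkit, rkhunter or any poster in this thread: it parses constructed sample reports written to resemble each tool's output format (no real scan was captured), keys both reports on a common test name (the chkproc-to-"hidden processes" mapping is an assumption), and separates findings both tools raised from single-source findings that need manual verification.

```python
"""Cross-check chkrootkit and rkhunter reports for a "second opinion" view.

Hypothetical helper, not code from either project. The sample reports below
are constructed to resemble each tool's output format and are not captured
from a real scan.
"""
import re
from typing import Dict, List

# Constructed chkrootkit-style output (one "Checking `name'... status" line per test).
CHKROOTKIT_OUTPUT = """\
ROOTDIR is `/'
Checking `ls'... not infected
Checking `ps'... INFECTED
Checking `netstat'... not infected
Checking `chkproc'... Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Searching for suspicious files and dirs, it may take a while... nothing found
"""

# Constructed rkhunter-style output (padded label followed by a bracketed result).
RKHUNTER_OUTPUT = """\
  /bin/ls                                   [ OK ]
  /bin/ps                                   [ Warning ]
  /bin/netstat                              [ OK ]
  Checking for hidden processes             [ Warning ]
  Checking for passwd file changes          [ Warning ]
"""

CHK_LINE = re.compile(r"^Checking `([^']+)'\.\.\. (.+)$")
RKH_LINE = re.compile(r"^\s*(.+?)\s+\[ (OK|Warning|Not found|Skipped|None found) \]\s*$")

# chkrootkit statuses treated as "clean" for the purpose of this comparison.
CHK_CLEAN = {"not infected", "not found", "nothing found", "nothing detected", "not tested"}

# Assumed mapping from chkrootkit's dedicated checks to the rkhunter test that
# covers the same ground, so both reports can be keyed alike.
CHK_ALIASES = {"chkproc": "hidden processes"}


def parse_chkrootkit(text: str) -> Dict[str, str]:
    """Return {test: status} for every chkrootkit line that is not clean."""
    findings: Dict[str, str] = {}
    for line in text.splitlines():
        m = CHK_LINE.match(line)
        if not m:
            continue
        name, status = m.group(1), m.group(2).strip()
        if status.lower() in CHK_CLEAN:
            continue
        findings[CHK_ALIASES.get(name, name)] = status
    return findings


def parse_rkhunter(text: str) -> Dict[str, str]:
    """Return {test: "Warning"} for every rkhunter line flagged as a warning."""
    findings: Dict[str, str] = {}
    for line in text.splitlines():
        m = RKH_LINE.match(line)
        if not m or m.group(2) != "Warning":
            continue
        label = m.group(1).strip()
        if label.startswith("/"):                    # /bin/ps -> ps
            key = label.rsplit("/", 1)[-1]
        elif label.startswith("Checking for "):       # "Checking for X" -> X
            key = label[len("Checking for "):]
        else:
            key = label
        findings[key] = "Warning"
    return findings


def cross_check(chk: Dict[str, str], rkh: Dict[str, str]) -> Dict[str, List[str]]:
    """Split findings into those both tools raised and those only one raised."""
    return {
        "corroborated": sorted(set(chk) & set(rkh)),
        "chkrootkit_only": sorted(set(chk) - set(rkh)),
        "rkhunter_only": sorted(set(rkh) - set(chk)),
    }


def report(result: Dict[str, List[str]]) -> List[str]:
    """Render the cross-check as triage lines; single-source hits need manual verification."""
    lines = []
    for name in result["corroborated"]:
        lines.append(f"[BOTH]       {name}: flagged by chkrootkit and rkhunter, investigate first")
    for name in result["chkrootkit_only"]:
        lines.append(f"[CHKROOTKIT] {name}: single-source, verify by hand (possible false positive)")
    for name in result["rkhunter_only"]:
        lines.append(f"[RKHUNTER]   {name}: single-source, verify by hand (possible false positive)")
    return lines


if __name__ == "__main__":
    merged = cross_check(parse_chkrootkit(CHKROOTKIT_OUTPUT), parse_rkhunter(RKHUNTER_OUTPUT))
    print("\n".join(report(merged)))
```

On a real host the two constants would be replaced by the captured output of each tool (ideally run from a LiveCD, as post #2 recommends); a finding raised by only one tool is not dismissed, it is simply queued for the manual verification the thread says false positives require.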
 
04-16-2007, 01:18 PM   #5
Zention
Member
Registered: Mar 2007
Posts: 119
Quote:
I think it's too easy to say "make comparison depending upon your position". How about some solid criteria?
On what, some theoretical time in the future where there are 100 or so rootkit checkers?

The idea of the niche will probably show in appliance, so say you have a rootkit checker designed for a web server, or a handheld or mobile phone, they will be similar probably feeding off a couple of centralized vulnerability sources, but purposed optimally for the environment.

Quote:
No it's not hard. It just takes knowledge and time. BTW, there are two more tools in the field I know of: OSSEC and Zeppoo.
And yet you don't make a comparison

The question was:

what one is better chkrootkit or rkhunter

There are only two there?

The question was not:

what is the best root kit checker?

Quote:
The amount of "hits" is of lesser consequence than the accuracy IMNSHO, and having a large amount of "hits" doesn't imply greater accuracy. RKH can generate a fair amount of FP's, and CRT's chkproc will sometimes generate FP's too. FP's are for the user to verify.
Hits was not quoted (") by me; hits mean just that, hits, not misses or false positives. Those are both misses, false positives being the worse miss. Hits can be thought of as ambiguous, but in the context of what I said it was in determining vulnerability detection set size. Taking your idea that a hit is anything, 'oh look he hit some air to the right of the target', we get absurd comments like that. A hit is if you hit the target, not if you miss it.

Anyway, my position stands: it is very, very hard to determine which is best. Not only is it a moving target, the vulnerability catchment will differ, and that is the thing you are mainly interested in.

It is a good thing at least two fully featured root kit detectors exist; they act as a failsafe for each other, so looking to see which is best is not that productive (not only is it hard to determine, you do want to use both), and that is the essence of my point.

Last edited by Zention; 04-16-2007 at 01:24 PM.
 
04-16-2007, 05:06 PM   #6
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
All I asked you was to clarify, for the benefit of the OP, by adding objective criteria instead of unloading back onto him. Maybe brush up on your practical knowledge of GNU/Linux-based rootkits and detection methods first though.
 
04-16-2007, 07:24 PM   #7
Zention
Member
Registered: Mar 2007
Posts: 119
>>> All I asked you was to clarify, for the benefit of the OP, by adding objective criteria instead of unloading back onto him. Maybe brush up on your practical knowledge of GNU/Linux-based rootkits and detection methods first though.

You didn't actually, but you are free to do the same.
 
04-16-2007, 10:17 PM   #8
ComputerHermit_
LQ Newbie
Registered: Feb 2007
Distribution: Ubuntu 7.10 Mint 4.0
Posts: 23
Original Poster
unSpawn, thank you. I will check out Sourceforge.


Zention, thank you as well.