Rootcheck is an open source command line tool that looks for indicators of compromise on Linux or BSD systems. It tries to find known backdoors, kernel-level rootkits, malware and insecure configuration settings.

It is included as part of OSSEC, but can also be executed separately from here as needed. If you suspect your server has been compromised it will certainly help with your investigation.


Rootcheck takes a few seconds to install and get it running:

1- Download Rootcheck:

# wget

2- Install gcc and make. A simple “apt-get install gcc make” on Ubuntu or “yum install gcc make” on CentOS/RedHat will do it for you.

3- Run “”. It will get rootcheck ready to run.

# tar -zxvf rootcheck-latest.tar.gz # cd *rootcheck* # sh ./

4- Once completed, just run rootcheck:

# ./rootcheck

Enjoy. Rootcheck will take a few minutes to run and it will print the results in the screen as it goes.

Current Versions

Current Versions of OSSEC available:

If you would like to contribute or send patches, please do so via my github repository:

Posted in   rootcheck     by Daniel Cid (dcid)

Coding for fun and profit. Often fun and little profit.