CLI-based rootkit and anomaly scanner for Linux systems. Written in Go for speed and portability.<\/p>\n\n\n\n
\/etc\/ld.so.preload<\/code><\/li>\n\n\n\n- Lists hidden dotfiles in root<\/li>\n\n\n\n
- Verifies critical binary hashes (
ls<\/code>, ps<\/code>, top<\/code>)<\/li>\n\n\n\n- Outputs reports in
text<\/code>, json<\/code>, or html<\/code> formats<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n\ud83d\udd27 Installation<\/h3>\n\n\n\n1. Install Go (if not installed)<\/h3>\n\n\n\nsudo apt update && sudo apt install golang -y<\/code><\/pre>\n\n\n\n2. Clone the Repo<\/h3>\n\n\n\ngit clone https:\/\/https:\/\/github.com\/mxkdevops\/mkrootkitscan\ncd mkrootkitscan<\/code><\/pre>\n\n\n\n3. Build the Scanner<\/h3>\n\n\n\ngo build -o mkrootkitscan main.go<\/code><\/pre>\n\n\n\n
\n\n\n\n\u25b6\ufe0f Usage<\/h3>\n\n\n\n
Run a scan and generate report:<\/p>\n\n\n\n
sudo .\/mkrootkitscan --format=html # Save as scan_report.html\nsudo .\/mkrootkitscan --format=json # Save as scan_report.json\nsudo .\/mkrootkitscan --format=text # Console output\nsudo .\/mkrootkitscan --format=html --quiet # No console output<\/code><\/pre>\n\n\n\n
\n\n\n\n\ud83d\udcc1 Output Files<\/h3>\n\n\n\n\nscan_report.json<\/code> \u2014 JSON report<\/li>\n\n\n\nscan_report.html<\/code> \u2014 User-friendly HTML report<\/li>\n\n\n\nscan_report.txt<\/code> <\/li>\n<\/ul>\n\n\n\n
\n\n\n\n\ud83d\udcf8 Screenshots<\/h3>\n\n\n\nJSON Output:<\/h3>\n\n\n\n{\n \"Processes\": [\"\u26a0\ufe0f Suspicious Process 101: \/usr\/sbin\/apache2\"],\n \"Ports\": [\"\ud83d\udd0c Open Port: 0.0.0.0:22\"],\n \"Modules\": [],\n \"Preload\": \"\",\n \"Hidden\": [\"\ud83d\udd12 Hidden File\/Dir: \/.dockerenv\"],\n \"Hashes\": [\"\ud83d\udcc1 \/bin\/ls MD5: 1a79a4d60de6718e8e5b326e338ae533\"],\n \"Timestamp\": \"2025-05-31T12:34:56Z\"\n}<\/code><\/pre>\n\n\n\nmain.go Full code <\/p>\n\n\n\n
\/\/ mkrootkitscan - CLI Rootkit Scanner\n\/\/ GitHub-ready version with CLI flags and report generation\npackage main\n\nimport (\n \"crypto\/md5\"\n \"encoding\/json\"\n \"flag\"\n \"fmt\"\n \"io\/ioutil\"\n \"net\"\n \"os\"\n \"strconv\"\n \"strings\"\n \"time\"\n)\n\ntype ScanResult struct {\n Processes []string `json:\"processes\"`\n Ports []string `json:\"ports\"`\n Modules []string `json:\"modules\"`\n Preload string `json:\"preload\"`\n Hidden []string `json:\"hidden\"`\n Hashes []string `json:\"hashes\"`\n Timestamp string `json:\"timestamp\"`\n}\n\nfunc ScanProcesses() []string {\n results := make([]string, 0) \/\/ initialize empty slice\n entries, _ := ioutil.ReadDir(\"\/proc\")\n for _, entry := range entries {\n if pid, err := strconv.Atoi(entry.Name()); err == nil {\n cmd, err := ioutil.ReadFile(fmt.Sprintf(\"\/proc\/%d\/cmdline\", pid))\n if err == nil && strings.Contains(string(cmd), \"ld.so.preload\") {\n results = append(results, fmt.Sprintf(\"\u26a0\ufe0f Suspicious Process %d: %s\", pid, string(cmd)))\n }\n }\n }\n return results\n}\n\nfunc parseHexIPPort(hexStr string) string {\n parts := strings.Split(hexStr, \":\")\n ip := parts[0]\n port := parts[1]\n ipBytes := make([]byte, 4)\n for i := 0; i < 4; i++ {\n b, _ := strconv.ParseUint(ip[2*i:2*i+2], 16, 8)\n ipBytes[i] = byte(b)\n }\n ipStr := net.IPv4(ipBytes[3], ipBytes[2], ipBytes[1], ipBytes[0]).String()\n p, _ := strconv.ParseInt(port, 16, 32)\n return fmt.Sprintf(\"%s:%d\", ipStr, p)\n}\n\nfunc ScanPorts() []string {\n results := make([]string, 0) \/\/ initialize empty slice\n tcp, _ := ioutil.ReadFile(\"\/proc\/net\/tcp\")\n lines := strings.Split(string(tcp), \"\\n\")[1:]\n for _, line := range lines {\n if strings.TrimSpace(line) == \"\" {\n continue\n }\n parts := strings.Fields(line)\n localHex := parts[1]\n state := parts[3]\n if state == \"0A\" {\n results = append(results, \"\ud83d\udd0c Open Port: \"+parseHexIPPort(localHex))\n }\n }\n return results\n}\n\nfunc ScanModules() []string {\n results := make([]string, 0) \/\/ initialize empty slice\n data, _ := ioutil.ReadFile(\"\/proc\/modules\")\n lines := strings.Split(string(data), \"\\n\")\n for _, line := range lines {\n if strings.Contains(line, \"rootkit\") {\n results = append(results, \"\u26a0\ufe0f Suspicious Module: \"+line)\n }\n }\n return results\n}\n\nfunc ScanLDPreload() string {\n content, err := ioutil.ReadFile(\"\/etc\/ld.so.preload\")\n if err == nil && strings.TrimSpace(string(content)) != \"\" {\n return \"\u26a0\ufe0f Non-empty \/etc\/ld.so.preload: \" + string(content)\n }\n return \"\"\n}\n\nfunc ScanHiddenFiles() []string {\n results := make([]string, 0) \/\/ initialize empty slice\n files, _ := ioutil.ReadDir(\"\/\")\n for _, f := range files {\n if strings.HasPrefix(f.Name(), \".\") {\n results = append(results, \"\ud83d\udd12 Hidden File\/Dir: \/\"+f.Name())\n }\n }\n return results\n}\n\nfunc ScanCriticalFileHashes() []string {\n results := make([]string, 0) \/\/ initialize empty slice\n paths := []string{\"\/bin\/ls\", \"\/bin\/ps\", \"\/usr\/bin\/top\"}\n for _, path := range paths {\n content, err := ioutil.ReadFile(path)\n if err == nil {\n hash := fmt.Sprintf(\"%x\", md5sum(content))\n results = append(results, fmt.Sprintf(\"\ud83d\udcc1 %s MD5: %s\", path, hash))\n }\n }\n return results\n}\n\nfunc md5sum(data []byte) []byte {\n h := md5.New()\n h.Write(data)\n return h.Sum(nil)\n}\n\nfunc GenerateReport(results ScanResult, format string) {\n switch format {\n case \"json\":\n b, _ := json.MarshalIndent(results, \"\", \" \")\n ioutil.WriteFile(\"scan_report.json\", b, 0644)\n case \"html\":\n f, _ := os.Create(\"scan_report.html\")\n defer f.Close()\n f.WriteString(\"<html><body><h1>mkrootkitscan Report<\/h1><ul>\")\n for _, p := range results.Processes {\n f.WriteString(\"<li>\" + p + \"<\/li>\")\n }\n for _, p := range results.Ports {\n f.WriteString(\"<li>\" + p + \"<\/li>\")\n }\n for _, m := range results.Modules {\n f.WriteString(\"<li>\" + m + \"<\/li>\")\n }\n if results.Preload != \"\" {\n f.WriteString(\"<li>\" + results.Preload + \"<\/li>\")\n }\n for _, h := range results.Hidden {\n f.WriteString(\"<li>\" + h + \"<\/li>\")\n }\n for _, h := range results.Hashes {\n f.WriteString(\"<li>\" + h + \"<\/li>\")\n }\n f.WriteString(\"<\/ul><\/body><\/html>\")\n default:\n fmt.Println(\"[Text Output]\")\n for _, l := range results.Processes {\n fmt.Println(l)\n }\n for _, l := range results.Ports {\n fmt.Println(l)\n }\n for _, l := range results.Modules {\n fmt.Println(l)\n }\n if results.Preload != \"\" {\n fmt.Println(results.Preload)\n }\n for _, l := range results.Hidden {\n fmt.Println(l)\n }\n for _, l := range results.Hashes {\n fmt.Println(l)\n }\n }\n}\n\nfunc main() {\n outputFormat := flag.String(\"format\", \"text\", \"Output format: text, html, or json\")\n quiet := flag.Bool(\"quiet\", false, \"Suppress console output\")\n flag.Parse()\n\n results := ScanResult{\n Processes: ScanProcesses(),\n Ports: ScanPorts(),\n Modules: ScanModules(),\n Preload: ScanLDPreload(),\n Hidden: ScanHiddenFiles(),\n Hashes: ScanCriticalFileHashes(),\n Timestamp: time.Now().Format(time.RFC3339),\n }\n\n if !*quiet {\n fmt.Println(\"\u2705 Scan complete. Generating report...\")\n }\n GenerateReport(results, *outputFormat)\n if !*quiet {\n fmt.Println(\"\ud83d\udcc4 Report saved\")\n }\n}\n<\/code><\/pre>\n\n\n\n
\n\n\n\n\u2705 What You\u2019ve Achieved with mkrootkitscan<\/code><\/h3>\n\n\n\nYou\u2019ve built a custom rootkit scanner<\/strong> that does the following:<\/p>\n\n\n\n\ud83d\udd0d Core Features<\/h3>\n\n\n\n\n- Open Port Scanning<\/strong>: Parses
\/proc\/net\/tcp<\/code> to find open ports in LISTEN state.<\/li>\n\n\n\n- Process Analysis<\/strong>: Detects suspicious processes referencing
ld.so.preload<\/code>.<\/li>\n\n\n\n- Kernel Module Check<\/strong>: Scans
\/proc\/modules<\/code> for \u201crootkit\u201d-related modules.<\/li>\n\n\n\n- LD Preload Check<\/strong>: Flags if
\/etc\/ld.so.preload<\/code> is being used maliciously.<\/li>\n\n\n\n- Hidden Files Detection<\/strong>: Lists hidden files in root (
\/<\/code>) directory.<\/li>\n\n\n\n- Critical Binary Hashing<\/strong>: Computes MD5 hashes of sensitive binaries like
\/bin\/ls<\/code>, \/bin\/ps<\/code>.<\/li>\n<\/ul>\n\n\n\n\ud83d\udcdd Reporting<\/h3>\n\n\n\n\n- Generates output in text<\/strong>, JSON<\/strong>, and styled HTML<\/strong> formats.<\/li>\n\n\n\n
- Includes timestamps and emojis for quick visual scanning.<\/li>\n\n\n\n
- CLI flags for output format and quiet mode.<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n\ud83c\udd9a How It’s Different from Traditional Tools (e.g., chkrootkit, rkhunter)<\/h3>\n\n\n\nFeature<\/th> mkrootkitscan<\/code><\/th>chkrootkit<\/code> \/ rkhunter<\/code><\/th><\/tr><\/thead>Language<\/td> Go (compiled binary)<\/td> Shell + Perl (scripts, not compiled)<\/td><\/tr> Portability<\/td> Static binary, very portable<\/td> Requires dependencies and config tweaking<\/td><\/tr> Customizability<\/td> Easy to modify <\/td> Harder to extend or modify<\/td><\/tr> Output<\/td> Clean CLI + JSON + HTML<\/td> Mostly terminal text<\/td><\/tr> Real-Time Integration<\/td> Can be embedded into CI\/CD tools<\/td> Not ideal for automation<\/td><\/tr> Modern Style<\/td> Minimal and fast<\/td> Outdated UX, not DevOps-native<\/td><\/tr><\/tbody> <\/td> <\/td> <\/td><\/tr><\/tfoot><\/table><\/figure>\n\n\n\n
\n\n\n\n\ud83c\udfe2 Can It Be Used on Production Servers?<\/h3>\n\n\n\n
Technically yes, but here\u2019s the full picture:<\/strong><\/p>\n\n\n\n\u2705 Strengths for Production:<\/h3>\n\n\n\n\n- Lightweight, no dependencies.<\/li>\n\n\n\n
- Safe reads from
\/proc<\/code>, no invasive operations.<\/li>\n\n\n\n- No installation \u2014 run as a binary or cron job.<\/li>\n\n\n\n
- JSON output is automation-friendly (integrate into monitoring\/alerting systems).<\/li>\n\n\n\n
- Fast \u2014 suitable for cloud instances or containers.<\/li>\n<\/ul>\n\n\n\n
\u26a0\ufe0f Limitations (So Far):<\/h3>\n\n\n\n\n- No rootkit signature database<\/strong> (like rkhunter uses).<\/li>\n\n\n\n
- No heuristic detection<\/strong> (e.g., behavior-based anomalies).<\/li>\n\n\n\n
- Limited file\/path coverage<\/strong> \u2014 it scans only a few binaries and top-level
\/<\/code>.<\/li>\n\n\n\n- No logging or alerting mechanism<\/strong> (you\u2019d need to hook this into a SIEM or alert system).<\/li>\n\n\n\n
- No check for file permission anomalies, syscall hooks, or kernel-level stealth techniques<\/strong> (common in real rootkits).<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n\ud83d\udee0\ufe0f How to Make It Production-Ready (Future Roadmap)<\/h3>\n\n\n\nArea<\/th> What to Add<\/th><\/tr><\/thead> Logging<\/td> Syslog support or file logging<\/td><\/tr> Alerts<\/td> Email, Slack, or webhook alert when issues found<\/td><\/tr> Scheduled Runs<\/td> Set up as a cron job or systemd service<\/td><\/tr> Config File<\/td> Allow user config for paths, thresholds, etc.<\/td><\/tr> File Integrity<\/td> Compare MD5s against known-safe values<\/td><\/tr> Signature Matching<\/td> Maintain JSON DB of known rootkit hashes or names<\/td><\/tr> Behavioral Analysis<\/td> Flag anomalous port\/process behavior over time<\/td><\/tr> OS Support<\/td> Expand compatibility testing (e.g., Ubuntu, CentOS)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n\ud83d\ude4b\u200d\u2642\ufe0f Author<\/h3>\n\n\n\n