Packages and Binaries:
The chkrootkit security scanner searches the local system for signs that it is infected with a ‘rootkit’. A rootkit is a set of programs and hacks designed to take control of a target machine by exploiting known security flaws.
Types that chkrootkit can identify are listed on the project’s home page.
Please note that when chkrootkit detects no intrusions, this does not guarantee that the system is uncompromised. In addition to running chkrootkit, more specific tests should always be performed.
How to install:
sudo apt install chkrootkit
- debconf | debconf-2.0
Check lastlog-file for deleted entries
root@kali:~# man chklastlog
CHKLASTLOG(8)                System Manager's Manual               CHKLASTLOG(8)

NAME
       chklastlog - check lastlog-file for deleted entries

SYNOPSIS
       chklastlog

DESCRIPTION
       Chklastlog is reading all entries from the file /var/log/wtmp (file
       with information about logins and logouts) and checks for every user
       found in this file whether there is an entry in the file
       /var/log/lastlog, too. The program will complain about userids with
       logins but no lastlogin information.

       To run chklastlog you need read permission on the files /var/log/wtmp
       and /var/log/lastlogin. Normally these files are world-readable and no
       special privileges are required to run the checker.

FILES
       /var/log/wtmp      login data base
       /var/log/lastlog   last login times

SEE ALSO
       wtmp(4), who(1), last(1)

LIMITATIONS
       This program only works if the user has not logged in after the
       deletion of their lastlog entry.

       This program was designed to run on SunOS 4.x systems only. On other
       systems the output is undefined...

7th Edition                     Thu Oct 12 1994                    CHKLASTLOG(8)
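The check chklastlog describes above, rewritten as an added, stand-alone example (not chkrootkit's own code): every user with a login record in wtmp must also have a non-zero slot in lastlog, and any user that does not is reported. The example assumes the Linux on-disk layouts of struct utmp (384 bytes per record) and struct lastlog (292 bytes per slot, indexed by UID), which differ from the SunOS formats the man page targets, and it builds a small constructed wtmp and lastlog in memory (with a hypothetical passwd mapping) so it runs without touching /var/log.

```python
import struct
from typing import Dict, List, Set

# Linux struct utmp, little-endian, no alignment padding: 384 bytes per record.
# Fields: ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, exit_status (2 x short),
# ut_session, tv_sec, tv_usec, ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME = 2
USER_PROCESS = 7  # ut_type of a real user login

# Linux struct lastlog: ll_time, ll_line[32], ll_host[256]; slot index == UID.
LASTLOG_FMT = "<i32s256s"
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)  # 292


def make_utmp_record(ut_type: int, user: str, line: str, host: str, tv_sec: int) -> bytes:
    """Build one struct utmp record (constructed sample data, not a real file)."""
    return struct.pack(
        UTMP_FMT, ut_type, 1234, line.encode(), b"", user.encode(), host.encode(),
        0, 0, 0, tv_sec, 0, 0, 0, 0, 0,
    )


def make_lastlog(entries: Dict[int, int], max_uid: int) -> bytes:
    """Build a lastlog file covering UIDs 0..max_uid; UIDs not in entries get a zeroed slot."""
    out = bytearray()
    for uid in range(max_uid + 1):
        t = entries.get(uid, 0)
        out += struct.pack(LASTLOG_FMT, t, b"pts/0" if t else b"", b"")
    return bytes(out)


def wtmp_logins(data: bytes) -> Set[str]:
    """Return the set of user names that have a USER_PROCESS (login) record in wtmp."""
    users: Set[str] = set()
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        rec = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        ut_type, ut_user = rec[0], rec[4]
        if ut_type == USER_PROCESS:
            users.add(ut_user.split(b"\0", 1)[0].decode(errors="replace"))
    return users


def lastlog_has_entry(data: bytes, uid: int) -> bool:
    """True if the lastlog slot for uid exists and records a non-zero login time."""
    off = uid * LASTLOG_SIZE
    if off + LASTLOG_SIZE > len(data):
        return False  # file ends before this UID's slot: no last-login record at all
    ll_time = struct.unpack(LASTLOG_FMT, data[off:off + LASTLOG_SIZE])[0]
    return ll_time != 0


def check_lastlog(wtmp: bytes, lastlog: bytes, passwd: Dict[str, int]) -> List[str]:
    """Users with a wtmp login but no lastlog entry, i.e. what chklastlog complains about.
    A user missing from passwd is reported too, since its lastlog slot cannot be located."""
    missing: List[str] = []
    for user in sorted(wtmp_logins(wtmp)):
        uid = passwd.get(user)
        if uid is None or not lastlog_has_entry(lastlog, uid):
            missing.append(user)
    return missing


# Constructed sample input: a hypothetical passwd mapping, a wtmp with one boot record and two
# logins, and a lastlog where bob's slot has been zeroed (as a wiper would leave it).
PASSWD = {"root": 0, "alice": 1000, "bob": 1001}
SAMPLE_WTMP = (
    make_utmp_record(BOOT_TIME, "reboot", "~", "6.1.0-kali", 1700000000)
    + make_utmp_record(USER_PROCESS, "alice", "pts/0", "10.0.0.5", 1700000100)
    + make_utmp_record(USER_PROCESS, "bob", "pts/1", "10.0.0.9", 1700000200)
)
SAMPLE_LASTLOG = make_lastlog({1000: 1700000100}, max_uid=1001)

if __name__ == "__main__":
    for user in check_lastlog(SAMPLE_WTMP, SAMPLE_LASTLOG, PASSWD):
        print(f"user {user}: login in wtmp but no lastlog entry (possible deletion)")
```

As the man page's LIMITATIONS section warns, this only catches a deletion if the user has not logged in again since: a later login rewrites the lastlog slot and the discrepancy disappears. To run it against a live system, read /var/log/wtmp and /var/log/lastlog and build the passwd mapping from the pwd module.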
Determine whether the system is infected with a rootkit
root@kali:~# chkrootkit -h
Usage: /usr/sbin/chkrootkit [options] [test ...]
Options:
        -h                show this help and exit
        -V                show version information and exit
        -l                show available tests and exit
        -d                debug
        -q                quiet mode
        -x                expert mode
        -e                exclude known positives. Quoted white space separated list of files/dirs.
                          Please, read /usr/share/doc/chkrootkit/README.FALSE-POSITIVES previously.
        -s                exclude known false positive sniffer (dhcpd, ntop etc) quoted, space separated.
                          Please, read /usr/share/doc/chkrootkit/README.FALSE-POSITIVES previously.
        -r dir            use dir as the root directory
        -p dir1:dir2:dirN path for the external commands used by chkrootkit
        -n                skip NFS mounted dirs
Check wtmp-file for deleted entries
Updated on: 2021-Nov-26