The chkrootkit security scanner searches the local system for signs that it is infected with a ‘rootkit’. Rootkits are sets of programs and hacks designed to take control of a target machine by using known security flaws.

Types that chkrootkit can identify are listed on the project’s home page.

Please note that where chkrootkit detects no intrusions, this does not guarantee that the system is uncompromised. In addition to running chkrootkit, more specific tests should always be performed.

Installed size: 972 KB
How to install: sudo apt install chkrootkit
Dependencies:
  • binutils
  • debconf
  • debconf | debconf-2.0
  • libc6
  • net-tools
  • openssh-client
  • procps

Check lastlog-file for deleted entries

root@kali:~# man chklastlog
CHKLASTLOG(8)               System Manager's Manual              CHKLASTLOG(8)

       chklastlog - check lastlog-file for deleted entries


       Chklastlog  is  reading  all  entries from the file /var/log/wtmp (file
       with information about logins and logouts) and checks  for  every  user
       found in this file whether there is an entry in the file /var/log/last-
       log, too. The program will complain about userids with  logins  but  no
       lastlogin information.

       To  run  chklastlog you need read permission on the files /var/log/wtmp
       and /var/log/lastlogin. Normally these files are world-readable and  no
       special privileges are required to run the checker.

       /var/log/wtmp       login data base
       /var/log/lastlog    last login times

       wtmp(4), who(1), last(1)

       This  program  only works if the user has not logged in after the dele-
       tion of their lastlog entry.

       This program was designed to run on SunOS 4.x systems  only.  On  other
       systems the output is undefined...

7th Edition                     Thu Oct 12 1994                  CHKLASTLOG(8)
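The wtmp-versus-lastlog cross-check that the man page describes, written out as an added Python example (not chkrootkit's own code). It assumes the glibc/Linux x86_64 record layouts for struct utmp and struct lastlog and works on constructed sample records rather than reading /var/log/wtmp and /var/log/lastlog; on a real host the user-to-UID mapping would come from pwd.getpwnam.

```python
import struct

# struct utmp as laid out by glibc on Linux x86_64: 384 bytes per record.
# Fields: ut_type, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit(2),
# ut_session, ut_tv(2), ut_addr_v6(4), 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384
USER_PROCESS, DEAD_PROCESS = 7, 8

# struct lastlog: ll_time, ll_line[32], ll_host[256] = 292 bytes; one slot per
# UID, so a user's entry lives at file offset uid * 292.
LASTLOG_FMT = "<i32s256s"
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)    # 292

def wtmp_users(wtmp):
    """User names with at least one USER_PROCESS (login) record in a wtmp image."""
    users = set()
    for off in range(0, len(wtmp) - UTMP_SIZE + 1, UTMP_SIZE):
        ut_type, _pid, _line, _id, ut_user = struct.unpack_from(UTMP_FMT, wtmp, off)[:5]
        if ut_type == USER_PROCESS:
            users.add(ut_user.rstrip(b"\0").decode(errors="replace"))
    return users

def lastlog_time(lastlog, uid):
    """ll_time for a UID; 0 when the slot is zeroed or the file is too short to hold it."""
    off = uid * LASTLOG_SIZE
    if off + LASTLOG_SIZE > len(lastlog):
        return 0
    return struct.unpack_from(LASTLOG_FMT, lastlog, off)[0]

def missing_lastlog(wtmp, lastlog, uid_of):
    """Users present in wtmp but without a lastlog entry: the condition chklastlog reports.
    As the man page's BUGS section notes, a wiped slot refilled by a later login is not visible."""
    return sorted(u for u in wtmp_users(wtmp)
                  if u in uid_of and lastlog_time(lastlog, uid_of[u]) == 0)

# --- constructed sample data (not captured from a real host) ---
def utmp_record(ut_type, user, when):
    return struct.pack(UTMP_FMT, ut_type, 4242, b"pts/0", b"ts/0", user, b"10.0.0.5",
                       0, 0, 0, when, 0, 0, 0, 0, 0)

SAMPLE_UIDS = {"alice": 1000, "bob": 1001, "carol": 1002}
SAMPLE_WTMP = b"".join([
    utmp_record(USER_PROCESS, b"alice", 1700000000),
    utmp_record(USER_PROCESS, b"bob", 1700000600),    # bob's lastlog slot is left zeroed below
    utmp_record(DEAD_PROCESS, b"carol", 1700001200),  # logout record only, not a login
])
SAMPLE_LASTLOG = bytearray(LASTLOG_SIZE * 1003)
struct.pack_into(LASTLOG_FMT, SAMPLE_LASTLOG, 1000 * LASTLOG_SIZE, 1700000000, b"pts/0", b"10.0.0.5")
struct.pack_into(LASTLOG_FMT, SAMPLE_LASTLOG, 1002 * LASTLOG_SIZE, 1690000000, b"pts/1", b"")

if __name__ == "__main__":
    print("wtmp users without lastlog entry:", missing_lastlog(SAMPLE_WTMP, SAMPLE_LASTLOG, SAMPLE_UIDS))
```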


Determine whether the system is infected with a rootkit

root@kali:~# chkrootkit -h
Usage: /usr/sbin/chkrootkit [options] [test ...]
        -h                show this help and exit
        -V                show version information and exit
        -l                show available tests and exit
        -d                debug
        -q                quiet mode
        -x                expert mode
        -e                exclude known positives. Quoted white space separated list of files/dirs.
                          Please, read /usr/share/doc/chkrootkit/README.FALSE-POSITIVES previously.
        -s                exclude known false positive sniffer (dhcpd, ntop etc) quoted, space separated.
                          Please, read /usr/share/doc/chkrootkit/README.FALSE-POSITIVES previously.
        -r dir            use dir as the root directory
        -p dir1:dir2:dirN path for the external commands used by chkrootkit
        -n                skip NFS mounted dirs
