Scanning for Rootkits

What are Rootkits

What is rkhunter

RKhunter (Rootkit Hunter) is a Unix/Linux-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of core operating system files with known good files against its’ database. It searches for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and conducts additional tests for Linux and FreeBSD.


Ubuntu have an older version of rkhunter available in their repositories, and I found that if you install this, it will report that a newer version is available but will not easily update to it using apt-get. The best way to install it therefore is to download the installer file from the rkhunter sourceforge page. Save the downloaded file to your server, and use the following commands to run the installer; when you extract the tar file it will create a rkhunter directory, which you must change into in order to run the installer.

cd ~/Downloads
tar xvfz rkhunter
cd rkhunter
sudo ./ --install


Once you have installed the package, feel free to move back out of the directory and delete it. Next you want to check the version you have is the latest, update its database, and finally run a scan against your system.

sudo rkhunter --versioncheck
sudo rkhunter --update --propupd
sudo rkhunter --checkall


Unless you also used the –skip-keypress parameter rkhunter will prompt you to continue a few times during the scan. Once it completes it presents a report page giving a summary of its findings, and also saves its report to /var/log/rkhunter.log. It would be well worth reading this report, using less, to see what rootkits and security vulnerabilities it found on your system. Note that for security reasons this file is readable only by the root user, so if you are not root you will need to use sudo to access it.

sudo less /var/log/rkhunter.log