Rkhunter (Rootkit Hunter) is a security scanning tool designed to detect hidden rootkits, backdoors, worms, and exploits on Unix/Linux systems. It performs filesystem scans, checks system binaries, monitors for suspicious files, and verifies system integrity through multiple detection methods including signature-based detection, file properties verification, and anomalous behavior identification.
```bash
# Debian/Ubuntu
sudo apt-get install rkhunter
# RHEL/CentOS
sudo yum install rkhunter
# Fedora
sudo dnf install rkhunter
# From source (installer.sh requires a layout; "default" is the documented choice)
wget https://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
tar -xzf rkhunter-1.4.6.tar.gz
cd rkhunter-1.4.6
sudo sh ./installer.sh --layout default --install
# Verify installation
rkhunter --version
```
Detection Methods:
- Signature Detection - Compare system files against known rootkit/malware signatures
- File Hash Verification - Detect unauthorized modifications to critical binaries
- System Call Monitoring - Identify suspicious kernel module modifications
- Hidden File Detection - Find files concealed by rootkits
- Port Monitoring - Detect unauthorized network listeners
- Process Analysis - Identify suspicious running processes
| Command | Purpose |
|---|---|
| rkhunter --check | Full system scan with all enabled tests |
| rkhunter --check --skip-keypress | Scan without pausing between sections |
| rkhunter --check --report-warnings-only (or --rwo) | Display only warnings (suppress info messages) |
| rkhunter --check --logfile /tmp/scan.log | Save scan results to a logfile |
| rkhunter --check --quiet | Quiet mode: no console output; rely on the exit code (non-zero when warnings were logged) and the logfile |
| rkhunter --check --verbose-logging | Detailed logfile output for each test |
| rkhunter -c | Short form of --check; clean results ([ OK ], [ Not found ]) are shown unless --rwo is given |
| Command | Purpose |
|---|---|
| rkhunter --update | Update the rkhunter data files (rootkit/malware signatures) |
| rkhunter --update --skip-keypress | Update without prompts |
| sudo rkhunter --update | Update with the permissions needed to write the data directory |
| rkhunter --list tests | Display available test names (individual and grouped) |
| rkhunter --list | List everything: tests, languages, known rootkits and Perl modules |
| rkhunter --version | Show version information |
```bash
# Run only specific test groups (--enable replaces ENABLE_TESTS from the config;
# names come from `rkhunter --list tests`)
rkhunter --check --enable rootkits
rkhunter --check --enable trojans
rkhunter --check --enable ports
rkhunter --check --enable running_procs
rkhunter --check --enable network
rkhunter --check --enable system_commands
rkhunter --check --enable properties
```
| Command | Purpose |
|---|---|
| rkhunter --check --disable rootkits | Skip rootkit detection tests |
| rkhunter --check --disable running_procs | Skip process scanning |
| rkhunter --check --skip-keypress --disable test1,test2 | Skip multiple tests (comma-separated names from rkhunter --list tests) |
Edit /etc/rkhunter.conf for persistent settings:
```bash
# View configuration
sudo cat /etc/rkhunter.conf
# Edit configuration
sudo nano /etc/rkhunter.conf
```
Common configuration options (one option per line, unquoted values as in the shipped config; comments go on their own lines):
```ini
# Email alerts on warnings
MAIL-ON-WARNING=root@localhost
# Keep a copy of the log when a warning is found
COPY_LOG_ON_ERROR=1
# Disable specific tests (space-separated test names)
DISABLE_TESTS=suspscan hidden_procs
# Whitelist a hidden directory that is a known false positive
ALLOWHIDDENDIR=/etc/.java
# Also log results to syslog (facility.priority)
USE_SYSLOG=authpriv.warning
```
| Command | Purpose |
|---|---|
| sudo rkhunter --propupd | Rebuild the file properties database (rkhunter.dat) after trusted package updates |
| sudo rkhunter --propupd /usr/bin/ls | Update the stored properties for one file, directory or package only |
| sudo rkhunter --update && sudo rkhunter --propupd | Fetch new data files, then refresh the properties baseline |
```bash
# Create baseline of system files (only on a system you trust to be clean)
sudo rkhunter --propupd
# Check for unauthorized modifications
sudo rkhunter --check --skip-keypress
# Run only the file properties test group
sudo rkhunter --check --enable properties
# Check file ownership and permissions
ls -la /usr/bin/[command]
stat /usr/bin/[command]
```
| Command | Purpose |
|---|---|
| rkhunter --check --enable ports | Scan for suspicious listening ports |
| rkhunter --check --enable network | Full network test group |
| sudo netstat -tulpn | Manual port verification (complements the scan) |
| sudo ss -tulpn | Modern socket statistics (ss replaces netstat) |
| Command | Purpose |
|---|---|
| rkhunter --check --enable running_procs | Analyze running processes |
| rkhunter --check --enable trojans | Scan for known trojan/backdoor signatures |
| rkhunter --check --enable rootkits | Rootkit-specific detection |
| ps auxf | Manual process tree inspection |
| ps aux \| grep -E '^root' | Identify suspicious root processes |
```bash
# Verify critical system binaries
rkhunter --check --enable system_commands
# Manual verification of binaries
md5sum /usr/bin/[command]
sha256sum /usr/bin/[command]
# Check for suspicious SUID binaries
find / -perm -4000 -type f -ls 2>/dev/null
# Verify system libraries
ldd /usr/bin/[command]
```
| Command | Purpose |
|---|---|
| rkhunter --check --logfile /var/log/rkhunter.log | Specify log location |
| tail -f /var/log/rkhunter.log | Monitor scan in real-time |
| rkhunter --cronjob | Non-interactive run for cron jobs and reports (implies --check, --skip-keypress and --nocolors) |
| grep -i warning /var/log/rkhunter.log | Extract warnings from the log (rkhunter writes "[ Warning ]" result lines and "Warning:" detail lines) |
```bash
# Result markers rkhunter prints after each test:
# [ OK ] / [ Not found ] / [ None found ]  - test passed, nothing suspicious
# [ Warning ]                              - needs manual investigation; the reason is on a "Warning:" line in the log
# [ Skipped ]                              - test disabled or not applicable to this system
# [ Whitelisted ]                          - match excluded by an ALLOW* option in rkhunter.conf
# Typical output interpretation:
#   /usr/bin/lwp-request                              [ Warning ]
# Warning: The command '/usr/bin/lwp-request' has been replaced by a script: ...
#   Checking for rootkit files and directories        [ OK ]
# Warning: The file properties have changed:
#          File: /usr/bin/[command]
#          Current hash: ...  Stored hash: ...
```
```bash
# Daily scan at 2 AM (--cronjob implies --check, --skip-keypress and --nocolors)
0 2 * * * /usr/bin/rkhunter --cronjob --rwo
# Weekly scan every Sunday at 3 AM, to a separate logfile
0 3 * * 0 /usr/bin/rkhunter --cronjob --logfile /var/log/rkhunter-weekly.log
# Email notification only when warnings were logged (rkhunter then exits non-zero)
0 2 * * * /usr/bin/rkhunter --cronjob --rwo > /tmp/rkhunter.out 2>&1 || mail -s "Rkhunter Report" admin@example.com < /tmp/rkhunter.out
```
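A wrapper for the scheduled job above, added here as an example and not rkhunter's own code: it parses a rkhunter logfile, prints which tests were flagged and why, and exits non-zero only when warnings are present, so mail goes out only then. It assumes the log layout rkhunter writes ("[HH:MM:SS]" prefix, "[ Warning ]" result markers, "Warning:" detail lines); the sample log is constructed.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: summarise a rkhunter logfile for a
# cron job and exit non-zero only when warnings are present.
# Assumes the log layout rkhunter writes: "[HH:MM:SS]" prefix, per-test
# result markers such as "[ OK ]" / "[ Warning ]", detail lines "Warning: ...".

# Names of the tests that ended in "[ Warning ]", one per line.
rkh_flagged_tests() {
    sed -n 's/^\[[0-9:]*\][[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\[ Warning ]$/\1/p' "$1"
}

# The "Warning:" detail lines, which carry the actual reason.
rkh_warnings() {
    sed -n 's/^\[[0-9:]*\][[:space:]]*Warning: //p' "$1"
}

rkh_warning_count() {
    rkh_warnings "$1" | wc -l | tr -d ' '
}

# Print a short report; return 1 when the log has warnings, 0 when clean.
rkh_report() {
    n=$(rkh_warning_count "$1")
    if [ "$n" -eq 0 ]; then
        echo "rkhunter: no warnings in $1"
        return 0
    fi
    echo "rkhunter: $n warning(s) in $1"
    rkh_flagged_tests "$1" | sed 's/^/  test:   /'
    rkh_warnings "$1" | sed 's/^/  reason: /'
    return 1
}

# Constructed sample log standing in for /var/log/rkhunter.log.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[02:00:01]   Checking for prerequisites                    [ OK ]
[02:00:02]   /usr/bin/ls                                   [ OK ]
[02:00:02]   /usr/bin/lwp-request                          [ Warning ]
[02:00:02] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
[02:00:05]   Checking for hidden files and directories     [ Warning ]
[02:00:05] Warning: Hidden directory found: /etc/.java
[02:00:07]   Checking for hidden processes                 [ None found ]
[02:00:08] Info: Test 'suspscan' is disabled by default
EOF

# In cron: rkh_report /var/log/rkhunter.log || mail -s "rkhunter" root
rkh_report "$SAMPLE_LOG" || true
```

Run it after `rkhunter --cronjob` and point it at the real logfile; with `MAILTO` set in the crontab, cron itself mails the report whenever the command exits non-zero.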
```bash
# Create service file
sudo nano /etc/systemd/system/rkhunter-scan.service
# Create timer file
sudo nano /etc/systemd/system/rkhunter-scan.timer
# Enable and start
sudo systemctl enable rkhunter-scan.timer
sudo systemctl start rkhunter-scan.timer
```
| Command | Purpose |
|---|---|
| rkhunter --help | Display help and all options |
| rkhunter --check --debug | Enable debug output |
| rkhunter --check --nocolors | Disable colored output (color is on by default on a terminal) |
| rkhunter --display-logfile | Display the last scan logfile |
| rkhunter --unlock | Remove a stale lock file left by an interrupted scan |
```bash
# Run only the most relevant test groups (faster)
rkhunter --check --skip-keypress --enable rootkits,malware,ports
# Exclude slow tests (suspscan and hidden_procs are also disabled by default)
rkhunter --check --skip-keypress --disable suspscan,hidden_procs,deleted_files
# rkhunter is a shell script that runs its tests sequentially, so shorten scans by
# disabling slow tests rather than looking for a parallelism setting
```
```bash
# Feed rkhunter results to OSSEC/Wazuh: in /etc/rkhunter.conf, send results to
# syslog (which the agent already reads) and keep the log when a warning is found
USE_SYSLOG=authpriv.warning
COPY_LOG_ON_ERROR=1
# Or have the agent read the rkhunter log directly: add to the agent's ossec.conf
#   <localfile>
#     <log_format>syslog</log_format>
#     <location>/var/log/rkhunter.log</location>
#   </localfile>
```
```bash
# Investigate "immutable" warnings: rkhunter flags files carrying the immutable
# attribute; confirm who set it and why before clearing it
lsattr [file]
chattr -i [file]
# Handle false positives: whitelist known items in /etc/rkhunter.conf with
# ALLOWHIDDENFILE / ALLOWHIDDENDIR (hidden files and directories) or SCRIPTWHITELIST
# (commands that are legitimately scripts), then re-run the scan
# Enable verbose logging for debugging
rkhunter --check --verbose-logging --skip-keypress
# Refresh the data files if warnings are caused by outdated signatures
sudo rkhunter --update
```
- Always update signatures before scanning: `sudo rkhunter --update`
- Run scans during low-activity periods to minimize performance impact
- Review warnings carefully; some require manual investigation
- Maintain a baseline of clean system properties: `sudo rkhunter --propupd`
- Keep logs for compliance and incident investigation
- Use in conjunction with other security tools (AIDE, Lynis, ClamAV)
- Never ignore repeated warnings; investigate the root cause
```bash
sudo rkhunter --update --skip-keypress
sudo rkhunter --check --skip-keypress --logfile /var/log/rkhunter-$(date +%Y%m%d).log
sudo rkhunter --cronjob --verbose-logging > /tmp/forensics-report.txt
while true; do
    sudo rkhunter --check --quiet
    sleep 86400
done
```
- AIDE - File integrity monitoring
- Lynis - Security auditing framework
- ClamAV - Antivirus scanning
- Chkrootkit - Alternative rootkit detector
- OSSEC/Wazuh - Host-based intrusion detection