Scanning for rootkits with RKHunter

Expertise: Medium

Rootkit Hunter (RKHunter, command name rkhunter) is a rootkit scanner for Linux and other Unix-like systems. A rootkit is stealthy malicious software designed to hide processes, files or network connections from the normal methods of detection while keeping privileged access to the machine. A server on which a rootkit is found is therefore compromised at the system level. RKHunter compares system binaries against a stored baseline of file properties, looks for files, directories and kernel-module strings known from published rootkits, and checks a few common misconfigurations; a clean run lowers the likelihood of a compromise but does not prove the host is clean. Follow these instructions to scan your server for this type of compromise:

1 - Install RKHunter

You need to be logged in to the server as root over SSH. Make sure to replace the download command below with the one for the latest RKHunter release, and compare the tarball against the checksum published with that release before unpacking it (

cd /usr/local/src/
tar -zxvf rkhunter-1.4.6.tar.gz
cd rkhunter-1.4.6
./installer.sh --layout default --install
cd .. && rm -rf rkhunter-1.4.6*

2 - Update the data files and build the file-properties baseline:

/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --propupd

--update refreshes RKHunter's data files (the lists of known rootkit files and other check data), not the program itself; a newer program version is installed as in step 1. --propupd records the current properties (hash, size, permissions, owner) of the system binaries as the trusted baseline that later scans compare against. Run it only on a system you have good reason to believe is clean, ideally right after installation, and again after each legitimate package update so that updated binaries do not show up as warnings. Running it on an already compromised host would enrol the attacker's replaced binaries as the trusted baseline and hide the compromise from every later scan.

3 - Run the scan

/usr/local/bin/rkhunter --check --sk --logfile /tmp/rkhunter.log

--sk skips the "press enter" prompts between groups of checks, and --logfile writes the full log to the given path. Any root-writable path will do; a root-owned directory such as /var/log is preferable to the world-writable /tmp, where another local user could create a file or symlink at that name before the scan runs.

4 - Verify the scan report

grep -Ei "warning:|\[ warning \]" /tmp/rkhunter.log && awk '/System checks summary/ {f=1}f' /tmp/rkhunter.log

The first command lists every warning line; the second prints everything from the "System checks summary" heading to the end of the log. Because of the &&, the summary is only printed when at least one warning was found, so run the awk command on its own to see the summary of a warning-free scan.

Warnings such as "command replaced by a script", "Hidden file" or "Hidden directory" are often false positives (for example, distributions that ship egrep and fgrep as wrapper scripts, or hidden directories created by Java or systemd). Check each one manually, for instance by confirming with the package manager that the flagged file belongs to an installed package, before whitelisting it in the configuration (step 6).

Whatever the warnings say, the "Possible rootkits" count in the system checks summary should be 0.
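Steps 2 to 4 wrapped into reusable shell functions, as an added example that is not part of the original article. It assumes RKHunter was installed at /usr/local/bin/rkhunter as in step 1. The sample logs it evaluates are constructed to mimic rkhunter's log layout, not real scan captures, so the script runs offline; rkh_scan_and_verdict is the function to call on a real host.

```shell
#!/bin/sh
# Added example (not from the original article): wrap steps 2-4 in shell
# functions and derive a verdict from the rkhunter log.
# Assumptions: rkhunter at /usr/local/bin/rkhunter (step 1); the sample logs
# below are constructed in rkhunter's log layout, they are not real captures.

RKH=${RKH:-/usr/local/bin/rkhunter}

# Count lines rkhunter flags as warnings: "Warning: ..." detail lines and
# "[ Warning ]" check results (the article's grep pattern, case-insensitive).
rkh_warning_count() {
    grep -Eic 'warning:|\[ warning \]' "$1" || true   # grep -c prints 0 but exits 1 on no match
}

# Print the "Possible rootkits" count from the "System checks summary" block,
# or nothing if the scan never reached the summary (interrupted or crashed).
rkh_possible_rootkits() {
    awk '/System checks summary/ { s = 1 }
         s && /Possible rootkits:/ { print $NF; exit }' "$1"
}

# Verdict: 0 = clean, 1 = warnings to review by hand, 2 = possible rootkit,
# 3 = no summary (treat as a failed scan, never as a clean one).
rkh_verdict() {
    rkh_log=$1
    rkh_rk=$(rkh_possible_rootkits "$rkh_log")
    rkh_w=$(rkh_warning_count "$rkh_log")
    if [ -z "$rkh_rk" ]; then
        echo "$rkh_log: no 'System checks summary' found, scan incomplete"
        return 3
    fi
    if [ "$rkh_rk" -gt 0 ]; then
        echo "$rkh_log: POSSIBLE ROOTKITS: $rkh_rk (warnings: $rkh_w), treat host as compromised"
        return 2
    fi
    if [ "$rkh_w" -gt 0 ]; then
        echo "$rkh_log: no rootkits reported, $rkh_w warning line(s) to review manually"
        return 1
    fi
    echo "$rkh_log: clean (0 possible rootkits, 0 warnings)"
    return 0
}

# Steps 2-3 on a live host: refresh data files, scan, evaluate the log.
# --propupd is deliberately NOT run here: it belongs only on a known-clean
# system, otherwise compromised binaries become the trusted baseline.
rkh_scan_and_verdict() {
    rkh_out=${1:-/var/log/rkhunter-check.log}   # root-owned directory, not /tmp
    "$RKH" --update || true   # exit status 2 only means data files were updated
    # --sk: no "press enter" prompts; --rwo: only warnings on stdout, full detail in the log
    "$RKH" --check --sk --rwo --logfile "$rkh_out" || true   # --check exits 1 when it has warnings
    rkh_verdict "$rkh_out"
}

# Constructed sample log in rkhunter's log layout (timestamp prefix per line).
# $1 = destination file, $2 = "yes" to include a warning pair, $3 = possible rootkits count
rkh_make_sample() {
    {
        printf '[10:01:02] Checking for rootkits...\n'
        if [ "$2" = yes ]; then
            printf '[10:01:03]   Checking for hidden files and directories    [ Warning ]\n'
            printf "[10:01:03] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable\n"
        fi
        printf '[10:01:04] System checks summary\n'
        printf '[10:01:04] =====================\n'
        printf '[10:01:04] Rootkit checks...\n'
        printf '[10:01:04]     Rootkits checked : 497\n'
        printf '[10:01:04]     Possible rootkits: %s\n' "$3"
    } > "$1"
}

RKH_SAMPLE_DIR=$(mktemp -d)
RKH_SAMPLE_CLEAN=$RKH_SAMPLE_DIR/clean.log
RKH_SAMPLE_WARN=$RKH_SAMPLE_DIR/warn.log
RKH_SAMPLE_INFECTED=$RKH_SAMPLE_DIR/infected.log
rkh_make_sample "$RKH_SAMPLE_CLEAN" no 0
rkh_make_sample "$RKH_SAMPLE_WARN" yes 0
rkh_make_sample "$RKH_SAMPLE_INFECTED" yes 1

# Demo on the constructed logs; on a real host call rkh_scan_and_verdict instead.
for f in "$RKH_SAMPLE_CLEAN" "$RKH_SAMPLE_WARN" "$RKH_SAMPLE_INFECTED"; do
    rkh_verdict "$f" || true
done
```

The distinct exit codes let a cron job or fleet tooling separate "clean" from "warnings to triage" from "possible rootkit", and a log without a summary is reported as a failed scan rather than silently counted as clean.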

5 - If the server is infected

A server on which a rootkit has been found is compromised at the system level, and nothing on it, including the scanner and its output, can be trusted any more. Do not try to clean it in place. Take the host off the network, preserve a disk image and the scan log if an investigation is needed, then reinstall from trusted installation media or images. Immediately after the reinstall, change every credential that was stored on or used from the server (passwords, SSH keys, API tokens), and inspect any backup taken after the suspected compromise before restoring from it.

6 - Advanced configuration:

/etc/rkhunter.conf controls the scan. Among other things it can send the scan report by email when warnings occur (MAIL-ON-WARNING), suppress specific warnings such as "SSH root login allowed" (ALLOW_SSH_ROOT_USER), and whitelist hidden directories, hidden files or commands that are legitimately scripts (ALLOWHIDDENDIR, ALLOWHIDDENFILE, SCRIPTWHITELIST). Prefer fixing the underlying issue over silencing the warning: for the SSH case, set PermitRootLogin no in sshd_config rather than allowing root logins in the scanner's configuration. After editing the file, run rkhunter -C (--config-check) to check it for errors. For unattended scans, rkhunter --cronjob runs the check with --sk and --nocolors for use from cron; add --rwo to restrict the output to warnings.

More information is available in /etc/rkhunter.conf or
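A local override file for step 6, as an added example that is not from the original article. It assumes RKHunter 1.4.x, which reads /etc/rkhunter.conf.local after /etc/rkhunter.conf, and the whitelisted paths (/etc/.java, /etc/.updated, /usr/bin/egrep) are placeholders for entries you have checked by hand on your own system.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes rkhunter 1.4.x,
# which reads /etc/rkhunter.conf.local after /etc/rkhunter.conf. The whitelisted
# paths are placeholders: only add entries you have verified on the host.

RKH=${RKH:-/usr/local/bin/rkhunter}

# Write the local overrides to $1 (default /etc/rkhunter.conf.local) and print the path.
rkh_write_local_conf() {
    rkh_conf=${1:-/etc/rkhunter.conf.local}
    cat > "$rkh_conf" <<'EOF'
# Mail the report when a check produces warnings (uses MAIL_CMD from rkhunter.conf).
MAIL-ON-WARNING=root@localhost

# "SSH root login allowed": do NOT silence this with ALLOW_SSH_ROOT_USER=yes.
# Fix sshd_config (PermitRootLogin no) and keep the check strict, so the
# warning comes back if someone re-enables root logins.
ALLOW_SSH_ROOT_USER=no

# Hidden directories and files you have inspected and found legitimate.
# Each directive may be repeated; whitelist exact paths, never a whole tree.
ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENFILE=/etc/.updated

# "command replaced by a script": only after confirming the script is the
# distribution's own (dpkg -S or rpm -qf on the path).
SCRIPTWHITELIST=/usr/bin/egrep
EOF
    chmod 0640 "$rkh_conf"
    echo "$rkh_conf"
}

# Number of whitelist entries in the file; keep it small and reviewed.
rkh_count_whitelist() {
    grep -Ec '^(ALLOWHIDDENDIR|ALLOWHIDDENFILE|SCRIPTWHITELIST)=' "$1" || true
}

# rkhunter -C (--config-check) parses the configuration, including the .local
# file, and reports unknown options or bad values. Run it after every edit.
rkh_check_conf() {
    if [ -x "$RKH" ]; then
        "$RKH" -C
    else
        echo "rkhunter not found at $RKH, skipping config check" >&2
        return 0
    fi
}

# Demo on a temporary file so it runs without root; on a real host call
# rkh_write_local_conf with no argument, then rkh_check_conf.
demo_conf=$(rkh_write_local_conf "$(mktemp)")
echo "wrote $demo_conf with $(rkh_count_whitelist "$demo_conf") whitelist entries"
```

Keeping overrides in rkhunter.conf.local rather than editing rkhunter.conf leaves the main file intact across upgrades and makes the whitelist a short, reviewable list.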

