Scanning for root kits with RKHunter

Expertise: Medium

Rootkit Hunter, also known as RKHunter, is a rootkit scanner for Linux. A rootkit is a malicious stealthy program, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer. A server infected with a rootkit is thereby compromised at a system level. Follow these instructions to scan your server for this type of compromise:

1 - Install RKHunter

You will need to be logged in as root to the server over SSH. Make sure to replace the download command below with the latest version of RKHunter.

cd /usr/local/src/
cd rkhunter*
./ --layout default --install
 cd .. && rm -rf rkhunter-*

2 - Update to the latest version and signatures:

/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --propupd

3 - Run the scan

/usr/local/bin/rkhunter --check --sk --logfile /tmp/rkhunter.log

4 - Verify the scan report

egrep -i "warning:|\[ warning \]" /tmp/rkhunter.log && awk '/System checks summary/ {f=1}f' /tmp/rkhunter.log

Some warnings for "command replaced by a script", "Hidden file" or "Hidden directory" could be false positive. They need to be checked manually.

However, the system checks summary "Possible rootkits" should be 0. 

5 - If the server is infected

A server infected with a rootkit is thereby compromised at a system level. If a rootkit has been detected, the server should be re-installed and all passwords should be changed immediately after the re-installation.

6 - Advanced configurations:

/etc/rkhunter.conf can be configured to send scan report by email, or disable some warning such as SSH root login allowed, or allows specific hidden dir.

More information is available in /etc/rkhunter.conf or

Have more questions? Submit a request


Article is closed for comments.
Powered by Zendesk