rkhunter

rkhunter [--check] [--update] [--propupd] [--list] [options]

rkhunter (Rootkit Hunter) scans Linux systems for rootkits, backdoors, and local exploits. It checks for hidden files, suspicious kernel modules, modified binaries, and other signs of compromise.The tool maintains a database of known malware signatures and file checksums, comparing current system state against known-good values.

-c, --check

Perform system check for rootkits, backdoors, and exploits.

Update data files and malware signatures.

Update file properties database with current values (run after legitimate system changes).

List supported capabilities.

Check for a newer rkhunter version.

Validate configuration file(s).

Don't wait for a keypress between test groups.

Only display warnings.

Optimize output for cron execution (no colors, no keypress).

Use an alternate configuration file.

Write log output to a specific file.

Append to an existing log file instead of overwriting.

Disable specific tests (comma-separated list).

Enable only the specified tests.

Use package manager verification (RPM, DPKG, BSD, SOLARIS, NONE).

Suppress all output.

Disable colored output.

Display version information.

Display help information.

/etc/rkhunter.conf

Main configuration file controlling scan behavior, whitelisted files, update mirrors, and notification settings.

Database directory containing malware signatures, file property hashes, and known-good checksums used for comparison during scans.

Default log file where scan results and warnings are recorded.

Requires regular updates for effectiveness. May produce false positives on customized systems. Run --propupd after legitimate system changes. Log review recommended after checks.

rkhunter was created by Michael Boelen to help system administrators detect rootkits and potential security issues. It's been actively maintained since 2003.

chkrootkit(1), aide(1), tripwire(8)