rkhunter
Scan for rootkits and malware
TLDR
Check a system for rootkits and malware: rkhunter --check
Download current data files (known rootkits, backdoor ports, mirrors): rkhunter --update
Print all available tests: rkhunter --list tests
Display version: rkhunter --version
Display help: rkhunter --help
SYNOPSIS
rkhunter [options]
Example: rkhunter --check
Example: rkhunter --update
PARAMETERS
--check (short form: -c)
Runs the full set of checks: file properties of system binaries, files and directories left by known rootkits, hidden files, loaded kernel modules, backdoor ports, and local host settings. This is the primary usage mode. Run it as root; results are written to /var/log/rkhunter.log.
--update
Downloads the current data files used by the checks (e.g., the known-rootkit file list, the backdoor port list, the suspicious-strings list, the mirror list). It does not update the program itself (use --versioncheck and your package manager for that) and does not touch the file-properties database (use --propupd). Requires internet connectivity.
--propupd [file | directory | package,...]
Rebuilds the file-properties database (the stored hashes and attributes of system binaries) from the files as they currently exist on disk, optionally only for the named files, directories or packages. Run it only after changes you have verified as legitimate, such as a package upgrade: it blesses whatever is on disk at the time, including a trojaned binary if one is present.
--versioncheck
Checks the rkhunter website for a new version of the program.
--list [tests | languages | rootkits | perl | propfiles]
Lists the available test names, the supported languages, the known rootkit names, the status of the optional Perl modules, or the files covered by the properties database. With no argument, lists all of them.
--quiet
Produces no output at all. Use the exit status instead: zero means no warnings, non-zero means warnings were found or the scan could not run. This is the mode for a wrapper that only tests the result.
--report-warnings-only (short form: --rwo)
Prints only warnings and suppresses informational lines. This, not --quiet, is the option for scan output that a person will read or that cron will mail.
--disable [test,...]
Disables one or more specific tests from being performed during a scan. Tests are comma-separated.
--enable [test,...]
Runs only the named tests (comma-separated). The default is to run every test not disabled in the configuration.
--skip-keypress
Prevents rkhunter from pausing and requiring a keypress during checks. Useful for scripting.
--cronjob
Runs a scan non-interactively for cron: implies --check, --skip-keypress and --nocolors. Usually combined with --report-warnings-only so that the mailed output contains only warnings.
--display-logfile
Prints the log file at the end of the run.
--pkgmgr [RPM | DPKG | BSD | SOLARIS | NONE]
Takes file properties from the named package manager's database, so that files that still match their installed package are not reported as changed; --propupd uses the same source. NONE, the default, uses only rkhunter's own stored values.
--version
Shows the installed version number of rkhunter.
--help
Displays the help message with a list of available options.
DESCRIPTION
rkhunter (Rootkit Hunter) is a free and open-source command-line tool for Linux and UNIX-like systems. It performs comprehensive scans to detect various types of malicious software, including rootkits, backdoors, sniffers, and local exploits.
The tool operates by comparing various system characteristics against a database of known rootkit signatures, hashes, and patterns. These checks include:
- Comparing the hash and other properties (size, mode, owner, inode, modification time) of system binaries against the local file-properties database created by --propupd, or against the package manager's records when PKGMGR is set. The hash function is chosen with HASH_FUNC in rkhunter.conf.
- Looking for hidden files and directories.
- Checking for incorrect file permissions on executables.
- Checking loaded kernel modules and kernel symbols for names used by known LKM rootkits.
- Checking for files and directories left behind by known rootkits.
- Checking for listening backdoor ports, promiscuous network interfaces and hidden processes.
rkhunter is one detective control in a layered host-security strategy. It runs on the host with root privileges, and its findings are only as good as the baseline it was given and the system binaries it runs with. Regular scans, data-file updates and carefully reviewed property updates are what keep it effective.
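As an added illustration, not rkhunter's own code, the following shell script implements the file-properties idea described above in miniature: a baseline of hash, mode, owner and group per file, and a verifier that reports anything that differs and returns non-zero. It assumes a Linux userland with sha256sum and GNU stat (a fallback for BSD stat and shasum is included); the tree built by demo is constructed for the example.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: a minimal file-properties baseline
# and verifier, the mechanism behind rkhunter's --propupd / file_properties
# test. Assumes sha256sum and GNU stat; BSD stat and shasum are used as
# fallbacks when those are missing.
set -u

# file_props FILE: print "path<TAB>sha256<TAB>mode owner group".
file_props() {
    f=$1
    if command -v sha256sum >/dev/null 2>&1; then
        h=$(sha256sum "$f" | cut -d' ' -f1)
    else
        h=$(shasum -a 256 "$f" | cut -d' ' -f1)
    fi
    if stat -c '%a' "$f" >/dev/null 2>&1; then
        m=$(stat -c '%a %U %G' "$f")          # GNU stat (setuid bit included in %a)
    else
        m=$(stat -f '%Mp%Lp %Su %Sg' "$f")    # BSD stat
    fi
    printf '%s\t%s\t%s\n' "$f" "$h" "$m"
}

# snapshot DIR: properties of every regular file under DIR, sorted by path.
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        file_props "$f"
    done
}

# baseline DIR DB: write the trusted baseline. Do this on a clean system;
# re-running it after a compromise would bless the attacker's changes.
baseline() {
    snapshot "$1" > "$2"
}

# verify DIR DB: compare the live tree against DB. Prints each differing
# record (baseline record prefixed "<", current record prefixed ">") and
# returns 1 if anything changed, 0 if the tree matches the baseline.
verify() {
    dir=$1; db=$2
    cur=$(mktemp)
    snapshot "$dir" > "$cur"
    changes=$(diff "$db" "$cur" | grep -E '^[<>]' || true)
    rm -f "$cur"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# demo: build a constructed two-file tree, baseline it, tamper with one
# file, and confirm the verifier notices. Prints "tamper detected" on success.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\nexec /bin/ls "$@"\n' > "$d/ls"
    printf '#!/bin/sh\nexec /bin/ps "$@"\n' > "$d/ps"
    baseline "$d" "$d.db"
    verify "$d" "$d.db" >/dev/null || { echo "clean tree mis-reported"; return 1; }
    printf '# tampered\n' >> "$d/ls"          # simulated modification
    if verify "$d" "$d.db" >/dev/null; then
        rm -rf "$d" "$d.db"; echo "tamper missed"; return 1
    fi
    rm -rf "$d" "$d.db"
    echo "tamper detected"
}
```

Because mode, owner and group are part of each record, a chmod 4755 on an unchanged binary is reported just like a content change, which is the point of tracking properties rather than hashes alone. What this toy omits, and what rkhunter adds, is the package-manager cross-check and the long list of known rootkit paths.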
CAVEATS
- Not real-time prevention: rkhunter is a detection tool, not a prevention tool. It reports signs of compromise after the fact and blocks nothing.
- False positives: legitimate changes, especially package upgrades, show up as warnings. Investigate each one, then run --propupd for the affected files (or point PKGMGR at your package manager). Running --propupd reflexively after every warning would also baseline a trojaned binary.
- Database dependency: detection of known rootkits relies on current data files. Outdated data files may miss newer threats.
- Rootkit hiding: a rootkit that already controls the kernel or the host's core binaries can hide from a scanner that runs on that host with those binaries (rkhunter calls ls, find, stat and the rest from the live system). For a serious investigation, examine the disk from a trusted live environment and compare hashes against trusted media or the package repositories.
- Baseline needed: the file-properties database is only trustworthy if it was created on a clean system, ideally right after installation. Run --propupd then, and keep a copy of the database off the host so it can be compared later.
INSTALLATION
rkhunter is packaged by most Linux distributions and can be installed with the package manager, for example:
- Debian/Ubuntu: sudo apt install rkhunter
- Fedora: sudo dnf install rkhunter
- RHEL/CentOS and derivatives: enable EPEL first, then sudo dnf install rkhunter (sudo yum install rkhunter on older releases)
After installation, run sudo rkhunter --propupd once on the still-clean system to create the file-properties baseline, and sudo rkhunter --update to fetch current data files. Note that Debian and Ubuntu ship /etc/rkhunter.conf with WEB_CMD="/bin/false", which deliberately makes --update fail because the downloaded data files carry no signature; on those systems the daily scan, the data-file refresh and property updates after apt runs are configured in /etc/default/rkhunter (CRON_DAILY_RUN, CRON_DB_UPDATE, APT_AUTOGEN).
USAGE BEST PRACTICES
- Regular updates: run sudo rkhunter --update regularly (e.g., weekly) so the known-rootkit and backdoor-port data files stay current, and keep the program itself current through the package manager.
- Scheduled scans: automate scans with cron using sudo rkhunter --cronjob --report-warnings-only, and have the wrapper test the exit status rather than parse the output.
- Property updates: after kernel updates, system upgrades or significant software installations, review the warnings, confirm that the changed files came from the upgrade (compare them against the package manager with dpkg -V or rpm -Va), and only then run sudo rkhunter --propupd so the new properties become the baseline.
- Review logs: read the scan output and /var/log/rkhunter.log for every warning. A recurring benign hit, such as a command that is legitimately installed as a shell script, belongs in SCRIPTWHITELIST in /etc/rkhunter.conf rather than being ignored.
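Putting the cron and property-update advice together, here is an added example (not part of rkhunter) of the triage a wrapper can do when the scheduled scan returns non-zero: it extracts the Warning lines from the log, pulls out the paths flagged by the file-properties test, and checks each one against dpkg or rpm before anyone decides to run --propupd. The sample log lines are constructed in the shape of /var/log/rkhunter.log, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not rkhunter code: triage helpers for a cron wrapper.
# The lines printed by sample_log are constructed in the shape of
# /var/log/rkhunter.log; they are not a real scan result.
set -u

sample_log() {
cat <<'EOF'
[10:01:00] Info: Starting test name 'file_properties'
[10:01:02] Warning: The file properties have changed:
[10:01:02]          File: /usr/bin/ls
[10:01:02]          Current hash: 2f3a0c1e9b7d
[10:01:02]          Stored hash : 8c1d44e0a5f6
[10:01:03]   /usr/bin/ps                                       [ OK ]
[10:01:05] Warning: Hidden directory found: /etc/.java
[10:01:06] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[10:01:07] Info: End of test name 'hidden_files'
EOF
}

# warnings_from_log < LOG: one line per Warning, timestamp prefix stripped.
warnings_from_log() {
    sed -n 's/^\[[0-9:]*\][[:space:]]*Warning: //p'
}

# changed_files_from_log < LOG: paths listed under "file properties have changed".
changed_files_from_log() {
    sed -n 's/^\[[0-9:]*\][[:space:]]*File: //p'
}

# verify_file PATH: ask the package manager whether PATH still matches its
# installed package. Returns 0 if it matches, 1 if modified or unowned,
# 2 if no package manager is available. dpkg -V and rpm -V compare against
# checksums stored on the same disk, which a root-level attacker can also
# edit, so a clean result is triage, not proof.
verify_file() {
    f=$1
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$f" 2>/dev/null | head -n1 | cut -d: -f1)
        [ -n "$pkg" ] || { echo "$f: not owned by any package"; return 1; }
        if dpkg -V "$pkg" 2>/dev/null | grep -q "[[:space:]]$f\$"; then
            echo "$f: differs from package $pkg"; return 1
        fi
        echo "$f: matches package $pkg"; return 0
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$f" >/dev/null 2>&1 || { echo "$f: not owned by any package"; return 1; }
        if rpm -Vf "$f" 2>/dev/null | grep -q "[[:space:]]$f\$"; then
            echo "$f: differs from its package"; return 1
        fi
        echo "$f: matches its package"; return 0
    fi
    echo "$f: no package manager found; compare against trusted media"; return 2
}

# triage < LOG: print the warnings, then verify every flagged file.
# Returns 0 only if all flagged files check out.
triage() {
    log=$(mktemp)
    cat > "$log"
    echo "== warnings =="
    warnings_from_log < "$log"
    echo "== flagged files =="
    changed_files_from_log < "$log" > "$log.files"
    rc=0
    while IFS= read -r f; do
        verify_file "$f" || rc=1
    done < "$log.files"
    rm -f "$log" "$log.files"
    return $rc
}

# run_cron_scan: the scheduled scan. --cronjob implies --check,
# --skip-keypress and --nocolors; rkhunter exits non-zero when it found
# warnings, which is the signal to run the triage above.
run_cron_scan() {
    command -v rkhunter >/dev/null 2>&1 || { echo "rkhunter not installed" >&2; return 2; }
    rc=0
    rkhunter --cronjob --report-warnings-only || rc=$?
    [ "$rc" -eq 0 ] || triage < /var/log/rkhunter.log
    return $rc
}
```

Run sample_log | triage to see the flow on the constructed log. Of the three warnings, only /usr/bin/ls is a candidate for --propupd, and only if verify_file says it still matches its package; the egrep entry is the kind of benign hit that belongs in a whitelist, and the hidden directory needs a look by hand before anything is changed.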
HISTORY
rkhunter was initially developed by Michael Boelen and released in 2003. It quickly gained popularity within the Linux and UNIX security communities as a vital tool for identifying system compromises. As an open-source project, it has benefited from community contributions and ongoing maintenance, allowing it to adapt to new rootkit techniques and maintain its relevance in the ever-evolving threat landscape. Its design focuses on simplicity and effectiveness, making it accessible to both experienced administrators and security enthusiasts.
SEE ALSO
chkrootkit(8), unhide(8), lynis(8), aide(1), clamscan(1), auditd(8)