rkhunter

Check system for rootkits

$ sudo rkhunter --check

$ sudo rkhunter --update

$ sudo rkhunter --list

$ sudo rkhunter --versioncheck

$ sudo rkhunter --help

rkhunter [--check] [--update] [--propupd] [--list] [options]

rkhunter (Rootkit Hunter) scans Linux systems for rootkits, backdoors, and local exploits. It checks for hidden files, suspicious kernel modules, modified binaries, and other signs of compromise.
The tool maintains a database of known malware signatures and file checksums, comparing current system state against known-good values.

--check

Perform system check

Update malware signatures

Update file properties database

List available tests

Check for updates

Don't wait for keypress

Only show warnings

Write to specific log file

/etc/rkhunter.conf

Main configuration file controlling scan behavior, whitelisted files, update mirrors, and notification settings.

Database directory containing malware signatures, file property hashes, and known-good checksums used for comparison during scans.

Default log file where scan results and warnings are recorded.

Requires regular updates for effectiveness. May produce false positives on customized systems. Run --propupd after legitimate system changes. Log review recommended after checks.

rkhunter was created by Michael Boelen to help system administrators detect rootkits and potential security issues. It's been actively maintained since 2003.

chkrootkit(1), aide(1), tripwire(8)