Security automation with rkhunter

Command Line – rkhunter

© Lead Image © Kamirika,

Article from Issue 235/2020

The Rootkit Hunter script efficiently checks for malware, with the potential to detect over 240 rootkits.

Rootkit Hunter, or rkhunter, detects over 240 rootkits – pieces of malware designed to gain control of a system. However, while testing for rootkits may be rkhunter's main purpose, it is far from the only one. To list the names of the various tests run by the script, enter rkhunter --list (Figure 1) [1]. Most of the tests' names are self-explanatory. They include checks not only for rootkits, but also for changed or deleted libraries and commands, hidden ports, loaded kernel modules, and several dozen other aspects of a system besides.

Rkhunter is written for generic Unix systems with a Bourne-type shell, such as Bash or ksh. Since its tests depend on online databases, it also requires an Internet connection. It is available in major Linux distributions and can be run from the command line, or as a cron job. Note that some distributions, such as Debian and its derivatives, may not install some of the Perl packages needed for a few of the tests. You can see what functionality may be missing by running rkhunter --list (Figure 2) and will then have to figure out which packages support the missing functionality. These packages, of course, may have different names depending on your distribution.
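The cron-job use mentioned above, as an added example that is not part of the original article: a wrapper that runs an unattended scan and prints only the warning lines, so that cron mails them. The log path, the --scan switch, the function names, and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: cron wrapper for rkhunter (not from the article).
# Assumption: default log location used by most distribution packages.
RKH_LOG="${RKH_LOG:-/var/log/rkhunter.log}"

# Print the text of every "Warning:" entry in an rkhunter log.
# Entries look like "[03:10:02] Warning: ..."; the per-file status
# lines ending in "[ Warning ]" are skipped to avoid double counting.
rkh_warnings() {
    sed -n 's/^\[[0-9:]*] *Warning: *//p' "$1"
}

# Number of warning entries in the given log file.
rkh_warning_count() {
    rkh_warnings "$1" | wc -l | tr -d ' '
}

# Constructed sample log, used to try the parser without running a scan.
rkh_sample_log() {
    cat <<'EOF'
[03:10:01] Info: Starting test name 'properties'
[03:10:02]   /usr/bin/curl                                 [ OK ]
[03:10:02]   /usr/bin/lwp-request                          [ Warning ]
[03:10:02] Warning: The command '/usr/bin/lwp-request' has been replaced by a script
[03:10:09] Warning: Hidden directory found: /etc/.java
[03:10:15] Info: End date is Mon Jan  6 03:10:15 UTC 2020
EOF
}

# One unattended scan: --cronjob disables colors and keypress prompts,
# --report-warnings-only keeps the terminal output to warnings.
rkh_scan() {
    rkhunter --cronjob --report-warnings-only --logfile "$RKH_LOG"
}

# Only scan when asked to, e.g. from a crontab entry such as:
#   10 3 * * * /usr/local/sbin/rkh-cron.sh --scan   (hypothetical path)
if [ "${1:-}" = "--scan" ]; then
    rkh_scan >/dev/null 2>&1
    status=$?
    count=$(rkh_warning_count "$RKH_LOG")
    if [ "$count" -gt 0 ]; then
        echo "rkhunter on $(hostname): $count warning(s), exit status $status"
        rkh_warnings "$RKH_LOG"       # cron mails this output to MAILTO
        exit 1
    fi
fi
```

The wrapper is silent when the scan is clean, so a mail from cron always means there is something to review in the full log.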

Setup and Configuration

If you install rkhunter from outside your distro's standard repositories, you can run rkhunter --versioncheck to make sure that you always have the latest version, which helps ensure your system's security. With most commands, I would always recommend that you not run the repository version, but rkhunter is so slow to release that in many cases the latest version is contained in a distro's repository (see below). Currently, for example, even Debian, whose software versions often lag behind those of other distributions, has the latest rkhunter release in its official release.

