Rootkit Hunter, or rkhunter, detects over 240 rootkits – pieces of malware designed to gain control of a system. However, while testing for rootkits may be rkhunter's main purpose, it is far from the only one. You can see the list of the names of the various tests run by the script by entering rkhunter --list (Figure 1) [1]. Mostly, the tests' names are self-explanatory. They include checks not only for rootkits, but also changed or deleted libraries and commands, hidden ports, loaded kernel modules, and several dozen other aspects of a system besides.

Rkhunter is written for generic Unix systems with a Bourne-type shell, such as Bash or ksh. Since its tests depend on online databases, it also requires an Internet connection. It is available in major Linux distributions and can be run from the command line, or as a cron job. Note that some distributions, such as Debian and its derivatives, may not install some of the Perl packages needed for a few of the tests. You can see what functionality may be missing by running rkhunter --list (Figure 2) and will then have to figure out which packages support the missing functionality. These packages, of course, may have different names depending on your distribution.

Setup and Configuration

If you install rkhunter from outside your distro's standard repositories, you can make sure that you always have the latest version by running rkhunter --versioncheck to help ensure your system's security. With most commands, I would always recommend that you not run the repository version, but rkhunter is so slow to release that in many cases the latest version is contained in a distro's repository (see below). Currently, for example, even Debian, whose software versions often lag behind those of other distributions, has the latest rkhunter release in its official release.

[...]