
Rootkit Hunter

Rootkit Hunter (rkhunter) is a shell script for Unix-like systems that scans the local host for rootkits, backdoors and possible local exploits. It compares hashes and other file properties of important system binaries against stored known-good values, looks for files and directories associated with known rootkits, and checks system commands, startup files, hidden files, network interfaces (for example, promiscuous mode) and listening ports for suspicious changes.

Install Rootkit Hunter:

sudo apt install rkhunter

Edit the config file:

sudo nano /etc/rkhunter.conf

Make sure the following are set:

UPDATE_MIRRORS=1
MIRRORS_MODE=0
WEB_CMD=""
ALLOW_SSH_PROT_V1=0

The Debian/Ubuntu package ships with WEB_CMD="/bin/false", which blocks every download, so rkhunter --update fails until it is cleared. UPDATE_MIRRORS=1 refreshes the mirror list on each update, MIRRORS_MODE=0 allows any listed mirror to be used, and ALLOW_SSH_PROT_V1=0 makes rkhunter warn if the SSH daemon still allows protocol version 1.

Edit the following file to enable cron jobs:

sudo nano /etc/default/rkhunter

Make sure the following are set:

CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
APT_AUTOGEN="true"

CRON_DAILY_RUN enables the daily scan from /etc/cron.daily/rkhunter, CRON_DB_UPDATE enables the weekly rkhunter --update run, and APT_AUTOGEN lets the apt hook refresh rkhunter's file-property database after packages are installed or upgraded, so legitimate binary changes do not show up as warnings.

Check the configuration:

sudo rkhunter -C

Check that we have the latest rootkit definitions:

sudo rkhunter --update

Check that the version we have is up to date:

sudo rkhunter --versioncheck

rkhunter stores properties (hash, size, permissions, ownership and inode) of the system commands it watches in its data file and compares the current values against that baseline on every check. To refresh the baseline with the current values, run rkhunter with the --propupd option. Do this only when you trust the current state of the system, such as immediately after installation or after a package upgrade you performed yourself; refreshing the baseline on an already compromised host would turn a trojaned binary into the known-good reference.

sudo rkhunter --propupd

And finally, check the system:

sudo rkhunter --check

To avoid having to press ENTER for every check, you can pass the --sk or --skip-keypress option.

To display warning messages only, use the --rwo or --report-warnings-only option.

The log file is stored at /var/log/rkhunter.log

You may also want to have the results sent by email whenever a scan raises a warning. To do so, edit the config file:

sudo nano /etc/rkhunter.conf

and set the following (note the underscores; rkhunter option names never use hyphens):

MAIL_ON_WARNING=username@domain
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

MAIL_CMD requires a working local mail command (for example, from the mailutils or bsd-mailx package) and a mail transport configured to deliver to that address.
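Putting the configuration steps above together, the following is an added example (not code from the rkhunter project or from this page) that enforces every setting listed here, in /etc/rkhunter.conf and /etc/default/rkhunter, idempotently and then verifies the result. It matches keys that are either active or commented out with #, so a packaged default such as WEB_CMD="/bin/false" is replaced rather than duplicated. The function names are hypothetical, the Debian/Ubuntu file locations are assumed, and the demo at the bottom runs against constructed excerpts in a temporary directory rather than the real files, which need root to edit.

```shell
#!/usr/bin/env bash
# Added example (not rkhunter's own code): idempotently enforce KEY=VALUE
# settings in rkhunter's config files and verify them afterwards.
set -eu

# set_conf_key FILE KEY VALUE
# Rewrites the first existing "KEY=..." line, whether active or commented
# out with '#', as KEY=VALUE; appends the line if the key is absent.
# Running it twice leaves the file unchanged. (awk -v interprets backslash
# escapes in VALUE; none of the values on this page contain one.)
set_conf_key() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; re = "^[ \t]*#?[ \t]*" key "=" }
        !done && $0 ~ re { print key "=" value; done = 1; next }
        { print }
        END { if (!done) print key "=" value }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"    # write through so the file keeps its mode and owner
    rm -f "$tmp"
}

# get_conf_key FILE KEY
# Prints the value of the first active KEY= line (commented-out lines are
# ignored); prints nothing if the key is unset.
get_conf_key() {
    local file="$1" key="$2"
    awk -v key="$key" -F= '$1 == key { sub(/^[^=]*=/, ""); print; exit }' "$file"
}

# verify_conf FILE KEY VALUE [KEY VALUE ...]
# Returns 0 when every KEY has exactly VALUE; otherwise reports each mismatch
# on stderr and returns 1. Usable as a post-deploy check or a monitoring probe.
verify_conf() {
    local file="$1" key value actual rc=0
    shift
    while [ "$#" -ge 2 ]; do
        key="$1" value="$2"
        actual="$(get_conf_key "$file" "$key")"
        if [ "$actual" != "$value" ]; then
            printf 'MISMATCH %s in %s: have %s, want %s\n' \
                "$key" "$file" "${actual:-<unset>}" "$value" >&2
            rc=1
        fi
        shift 2
    done
    return "$rc"
}

# apply_page_settings CONF DEFAULTS MAILTO
# The settings this page asks for, applied to rkhunter.conf (CONF) and
# /etc/default/rkhunter (DEFAULTS). MAILTO becomes the MAIL_ON_WARNING recipient.
apply_page_settings() {
    local conf="$1" defaults="$2" mailto="$3"
    set_conf_key "$conf" UPDATE_MIRRORS 1
    set_conf_key "$conf" MIRRORS_MODE 0
    set_conf_key "$conf" WEB_CMD '""'      # the packaged "/bin/false" breaks --update
    set_conf_key "$conf" ALLOW_SSH_PROT_V1 0
    set_conf_key "$conf" MAIL_ON_WARNING "$mailto"
    set_conf_key "$conf" MAIL_CMD 'mail -s "[rkhunter] Warnings found for ${HOST_NAME}"'
    set_conf_key "$defaults" CRON_DAILY_RUN '"true"'
    set_conf_key "$defaults" CRON_DB_UPDATE '"true"'
    set_conf_key "$defaults" APT_AUTOGEN '"true"'
}

# Demo on constructed excerpts (not the real packaged files). On a real host
# you would run, as root:
#   apply_page_settings /etc/rkhunter.conf /etc/default/rkhunter root@localhost
demo() {
    local dir
    dir="$(mktemp -d)"
    printf '%s\n' 'UPDATE_MIRRORS=1' 'MIRRORS_MODE=1' 'WEB_CMD="/bin/false"' \
        '#ALLOW_SSH_PROT_V1=2' > "$dir/rkhunter.conf"
    printf '%s\n' 'CRON_DAILY_RUN="false"' 'CRON_DB_UPDATE="false"' > "$dir/default"
    apply_page_settings "$dir/rkhunter.conf" "$dir/default" root@localhost
    verify_conf "$dir/rkhunter.conf" MIRRORS_MODE 0 WEB_CMD '""' ALLOW_SSH_PROT_V1 0
    verify_conf "$dir/default" CRON_DAILY_RUN '"true"' APT_AUTOGEN '"true"'
    cat "$dir/rkhunter.conf" "$dir/default"
    rm -rf "$dir"
}

demo
```

After applying the settings on a real host, run sudo rkhunter -C to let rkhunter validate the file itself, then sudo rkhunter --update to confirm that clearing WEB_CMD made downloads work.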