Hunting for rootkits

Rootkit Hunter

Rootkit Hunter performs a more comprehensive check than chkrootkit and takes somewhat longer to run. If your distro's package repository doesn't have it, you can download it from the author's website. Verify the downloaded tarball against the checksum the project publishes before unpacking it (with md5sum, or sha256sum where a SHA-256 sum is offered). Keep in mind that a checksum fetched from the same server as the tarball only catches a corrupt download, not a tarball that was replaced together with its checksum, so prefer a signed checksum or your distro's package where you can.

To perform a check of your system, enter:

rkhunter -c

To update Rootkit Hunter's data files (the lists of known rootkits and bad hashes, not the program itself), enter:

rkhunter --update

To list the tests it can perform, enter:

rkhunter --list

If a check reports that some programs have changed but you are sure the changes came from a package upgrade, update rkhunter's stored file properties so that it does not keep reporting them as problems. Note that rkhunter can only tell you that a file has changed, not why; finding out why is your responsibility, and you should do it before running the update, because --propupd accepts the current state of the files, including any that were tampered with, as the new baseline.

rkhunter --propupd
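To take the guesswork out of that investigation, here is an added example (not code from this page or from the rkhunter project) that pulls the changed files out of a saved --rwo report and asks the package manager whether each change is explained by an upgrade. The report text embedded in it is constructed in the style of rkhunter's warnings rather than captured from a real scan, and the function names changed_files, owning_package and classify_change are the example's own.

```shell
#!/bin/sh
# Triage helper for rkhunter "file properties have changed" warnings.
# Added example, not code from the page or the rkhunter project. It assumes
# the scan was run with --rwo and its output saved to a file.

# Constructed sample of rkhunter --rwo output (not a real scan), embedded so
# the script runs stand-alone. rkhunter prints one "Warning:" block per
# finding, with indented detail lines beneath it.
SAMPLE_REPORT='Warning: The file properties have changed:
         File: /usr/bin/ssh
         Current hash: 1111111111111111111111111111111111111111
         Stored hash : 2222222222222222222222222222222222222222
Warning: The file properties have changed:
         File: /bin/ls
         Current inode: 4242    Stored inode: 4141
Warning: Hidden directory found: /dev/.udev'

# Print the path of every file rkhunter reports as changed, one per line.
# Only "File:" lines inside a "file properties have changed" block count,
# so the detail lines of other warnings are ignored.
changed_files() {
    awk '
        /^Warning: The file properties have changed/ { in_block = 1; next }
        /^Warning:/                                   { in_block = 0 }
        in_block && $1 == "File:"                     { print $2 }
    ' "$1"
}

# Ask the package manager which package owns a path (Debian- or RPM-based
# systems). Prints nothing if no package claims the file.
owning_package() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" 2>/dev/null | awk -F': ' 'NR == 1 { print $1 }'
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" 2>/dev/null || true
    fi
    return 0
}

# Classify one changed file so you can decide whether --propupd is safe:
#   upgrade  - a package owns it and the package manager's own verification
#              (dpkg --verify / rpm -V) still matches, so the new content
#              arrived with the package
#   tampered - a package owns it but the package manager also sees it
#              modified; do NOT run --propupd, investigate first
#   unowned  - no package claims the file; find out what put it there
classify_change() {
    pkg=$(owning_package "$1")
    if [ -z "$pkg" ]; then
        echo unowned
        return 0
    fi
    # both tools exit non-zero when they find discrepancies, so keep going
    if command -v dpkg >/dev/null 2>&1; then
        verify_out=$(dpkg --verify "$pkg" 2>/dev/null || true)
    else
        verify_out=$(rpm -V "$pkg" 2>/dev/null || true)
    fi
    # both list modified files one per line with the path as the last field
    if printf '%s\n' "$verify_out" | awk -v p="$1" '$NF == p { hit = 1 } END { exit !hit }'; then
        echo tampered
    else
        echo upgrade
    fi
}

# Usage: triage.sh saved-rkhunter-report.txt
if [ $# -gt 0 ]; then
    changed_files "$1" | while read -r f; do
        printf '%s\t%s\t%s\n' "$f" "$(owning_package "$f")" "$(classify_change "$f")"
    done
fi
```

Run it on the report produced by rkhunter --cronjob --rwo and only run --propupd once every line comes back as upgrade; an unowned binary in /bin or /usr/bin, or one the package manager also flags, is exactly the case the warning exists for.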

Run without User Input

To run rkhunter as a cron job, or otherwise without user input, you must change how it is invoked. Otherwise, during the course of its scan it stops several times and asks the user to press Enter. The --cronjob option runs the check without those prompts (it implies --check, turns off colour output and skips the keypress):

rkhunter --cronjob

Report only Problems

You can run rkhunter so that it reports only the warnings it finds (--rwo is short for --report-warnings-only):

rkhunter --cronjob --rwo

Email Your Account

You will need to edit two lines in rkhunter.conf: the address that should receive a warning, and the command used to send it. The default MAIL_CMD relies on a mail(1) command (mailx or bsd-mailx) being installed, which is the usual setup alongside Sendmail; a bare Postfix install may not provide one.

MAIL-ON-WARNING=root@mydomain
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

If you are using Postfix and have no mail(1) command, modify the MAIL_CMD line so it points at the sendmail-compatible binary that Postfix installs. The message then arrives without the Subject header the mail command would have added, so filter on the body text instead:

MAIL_CMD=/usr/sbin/sendmail

This is the message you will receive if there is a problem:

"Please inspect this machine, because it may be infected."
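Putting the cron, warnings-only and e-mail pieces together, here is an added example of a wrapper script for cron (not code from this page or from the rkhunter project). It builds the mail itself and hands it to the sendmail-compatible binary, so it neither depends on mail(1) nor loses the Subject line. The names RKHUNTER, MAILTO_ADDR and SENDMAIL, the report path and the --run switch are this example's own; the --no-mail-on-warning flag stops rkhunter's own MAIL-ON-WARNING setting from sending a second message.

```shell
#!/bin/sh
# Unattended rkhunter run for cron. Added example, not from the page or the
# rkhunter project. Scans non-interactively, reports warnings only, and
# mails the report only when rkhunter's exit status says warnings were found
# (0 = clean, non-zero = warnings or an error running the tool).
# RKHUNTER, MAILTO_ADDR and SENDMAIL are this example's own names and can be
# overridden from the environment.

RKHUNTER=${RKHUNTER:-/usr/local/bin/rkhunter}
MAILTO_ADDR=${MAILTO_ADDR:-root@mydomain}
# Postfix, Sendmail and Exim all install a sendmail-compatible binary here.
SENDMAIL=${SENDMAIL:-/usr/sbin/sendmail}
HOST_NAME_STR=$(hostname 2>/dev/null || echo unknown-host)

# Run the scan, writing the warnings-only report to the file named in $1,
# and return rkhunter's exit status. --no-mail-on-warning keeps rkhunter's
# own MAIL-ON-WARNING setting from sending a second message.
run_scan() {
    "$RKHUNTER" --cronjob --rwo --no-mail-on-warning >"$1" 2>&1
}

# Write a complete mail message (headers, blank line, body) to stdout so it
# can be piped straight into "sendmail -t", which takes the recipient from
# the To: header. Building the headers here is what keeps the Subject that
# a bare MAIL_CMD=/usr/sbin/sendmail in rkhunter.conf would lose.
build_mail() {
    printf 'To: %s\n' "$MAILTO_ADDR"
    printf 'Subject: [rkhunter] Warnings found for %s\n' "$HOST_NAME_STR"
    printf 'Content-Type: text/plain; charset=us-ascii\n'
    printf '\n'
    printf 'Please inspect this machine, because it may be infected.\n\n'
    cat "$1"
}

# Scan and, if needed, mail. Prints "clean" or "mailed" and returns 0 only
# when no warnings were found, so the exit status can drive other tooling.
check_and_report() {
    report=$1
    if run_scan "$report"; then
        echo clean
        return 0
    fi
    build_mail "$report" | "$SENDMAIL" -t
    echo mailed
    return 1
}

# When invoked from cron with --run, keep the report next to rkhunter's log.
if [ "${1-}" = "--run" ]; then
    check_and_report /var/log/rkhunter-cron.report
fi
```

Install it somewhere like /usr/local/sbin/rkhunter-cron and add a line such as 0 3 * * * root /usr/local/sbin/rkhunter-cron --run to /etc/crontab. The script exits non-zero whenever a warning was reported, so a cron setup that already mails non-zero results will notice it as well, and the saved report can be fed to the triage script above.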

 

False Positives

Some distributions keep legitimate hidden directories under /dev and /etc that rkhunter flags as suspicious. You may have to uncomment lines in the rkhunter.conf file to allow them, but only for directories you have confirmed belong to your distribution (udev, the initramfs and so on); do not whitelist a hidden directory just to silence a warning, since a hidden directory in /dev is also a classic place for a rootkit to hide.

#ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev
#ALLOWHIDDENDIR=/dev/.udevdb
#ALLOWHIDDENDIR=/dev/.udev.tdb
ALLOWHIDDENDIR=/dev/.static
ALLOWHIDDENDIR=/dev/.initramfs
#ALLOWHIDDENDIR=/dev/.SRC-unix

Install rkhunter

Step #1 - Uncompress and Untar the Program

tar zxvf rkhunter-1.3.0.tar.gz

Step #2 - Enter the New Directory and Install the Program

The tarball unpacks into a directory named after the release, and the installer has to be told to install (run ./installer.sh --help to see the other options, such as --layout for choosing where the files go):

cd rkhunter-1.3.0
./installer.sh --install

Step #3 - Run the Program

rkhunter -c

Rootkit Hunter 1.3.0 is running

Determining OS... Ready

Checking binaries
* Selftests
Strings (command) [ OK ]

* System tools
Performing 'known bad' check...
/bin/cat [ OK ]
/bin/chmod [ OK ]
---cut---

---------------------------- Scan results ----------------------------
MD5
MD5 compared: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 1

Scanning took 163 seconds
-----------------------------------------------------------------------

Note the "Vulnerable applications: 1" line: the summary only gives counts. rkhunter writes the details of every check to its log file (/var/log/rkhunter.log by default), and the application check there names the program and version that matched its list of known-vulnerable releases, so look there to find out which package needs updating.

Copyright CyberMontana Inc. and BeginLinux.com
All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874