Hunting for rootkits

Rootkit Hunter

Rootkit Hunter performs a more comprehensive check than chkrootkit, and takes somewhat longer to run. If your distro's package repository doesn't have it, you can download it from the author's website. Verify the file with the md5sum command.

To perform a check of your system, enter:

rkhunter -c


To update Rootkit Hunter, enter:


rkhunter --update


To list the scans that it performs, enter:


rkhunter --list

If you run a check and it discovers that some programs have changed, but you are sure that the changes occurred as the result of an upgrade, you will want to update rkhunter with those changes so that it does not continually report them as problems. Note that rkhunter can only tell you that changes have occurred, not why they occurred; finding that out is your responsibility.

rkhunter --propupd

Run without User Input

In order to run rkhunter as a cron job, or without user input, you must make a few modifications. Otherwise, during the course of its scan, it will stop several times and ask the user to press "Enter". Use the command:

rkhunter --cronjob

Report only Problems
You can run rkhunter so that it will only report problems that it discovers.

rkhunter --cronjob --rwo


Email Your Account
You will need to edit two lines to enter your email and check your mail command header setting. This command will work for Sendmail but not Postfix.

MAIL-ON-WARNING=root@mydomain
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

If you are using Postfix as the mail server you will want to modify the default line so it looks like this:


This is the message you will receive if there is a problem.

"Please inspect this machine, because it may be infected."


False Positives

You may have to uncomment lines in the rkhunter.conf file to allow for some hidden directories.










Install rkhunter


Step #1 - Uncompress and Untar the Program


tar zxvf rkhunter-1.3.0.tar.gz


Step #2 - Enter the New Directory and Install the Program


cd rkhunter



Step #3 - Run the Program


rkhunter -c


Rootkit Hunter 1.3.0 is running


Determining OS... Ready


Checking binaries

* Selftests

Strings (command) [ OK ]


* System tools

Performing 'known bad' check...

/bin/cat [ OK ]

/bin/chmod [ OK ]



---------------------------- Scan results ----------------------------


MD5 compared: 0

Incorrect MD5 checksums: 0


File scan

Scanned files: 342

Possible infected files: 0


Application scan

Vulnerable applications: 1


Scanning took 163 seconds
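
When the scan runs unattended, a wrapper can read the "Scan results" counters shown above and decide whether anyone needs to look. The script below is an added example, not part of rkhunter or of the original page; the function name scan_findings is hypothetical, and it assumes the 1.3.0 summary labels printed in the sample run.

```shell
#!/bin/sh
# Added example (not from rkhunter): check the "Scan results" counters of a saved run.
# Assumes the 1.3.0 summary labels shown on this page; other releases may differ.

# Summary lines from the run shown on this page, used as sample input.
SAMPLE_SUMMARY='MD5 compared: 0
Incorrect MD5 checksums: 0
Scanned files: 342
Possible infected files: 0
Vulnerable applications: 1'

# scan_findings: read scan output on stdin and print every counter that
# needs review because it is not zero.
# Exit status: 0 = all zero, 1 = findings, 2 = a counter is missing
# (scan did not finish or the output format is different).
scan_findings() {
    awk -F': *' '
        BEGIN {
            want["Incorrect MD5 checksums"]
            want["Possible infected files"]
            want["Vulnerable applications"]
        }
        {
            sub(/^[ \t]+/, "")            # drop indentation; awk re-splits the line
            if ($1 in want) {
                seen[$1] = 1
                if ($2 + 0 > 0) { print $1 ": " ($2 + 0); bad = 1 }
            }
        }
        END {
            for (k in want)
                if (!(k in seen)) { print "missing: " k; missing = 1 }
            exit (missing ? 2 : (bad ? 1 : 0))
        }'
}

# Demo on the sample; for real use, pipe a saved scan report into scan_findings.
printf '%s\n' "$SAMPLE_SUMMARY" | scan_findings \
    && echo "clean" || echo "needs review (status $?)"
```

Status 2 is kept separate from status 1 so that a scan that stopped early, or a release with different labels, is not mistaken for a clean result.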



Copyright CyberMontana Inc. and
All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874