How to Install and Use rkhunter on Linux for Rootkit Scanning

Published on: April 5, 2025

📢 Introduction: Linux Security and Rootkits

Linux systems have a strong security reputation, but malicious software such as rootkits can still compromise them: a rootkit hides its presence from the operating system, sometimes by operating at the kernel level, so that the usual administration tools no longer report it.

In this guide, you’ll learn how to install and use rkhunter (Rootkit Hunter), a powerful open-source tool designed to detect rootkits, backdoors, and local exploits on Linux systems.

🔍 What is rkhunter?

rkhunter (Rootkit Hunter) is an open-source security tool that scans Linux systems for signs of rootkits, backdoors, and local exploits. It compares system binaries against a stored database of file properties, looks for the files, strings and processes that known rootkits leave behind, and flags suspicious items such as hidden files and listening ports associated with known backdoors.

🧰 How to Install rkhunter on Debian/Ubuntu-Based Systems

Follow these steps to easily install rkhunter on your Linux system:

Step 1: Update Package List

sudo apt update

Step 2: Install rkhunter

sudo apt install rkhunter -y

Step 3: Update rkhunter Database

sudo rkhunter --update

This fetches the latest rootkit data files. Run the tool once more with the --propupd option while the system is known to be clean, so that rkhunter records the baseline file properties that later scans are compared against.

🔍 How to Perform a Rootkit Scan with rkhunter

1. Basic Scan (Interactive)

sudo rkhunter --check

2. Same Scan Without Pauses (--sk)

sudo rkhunter --check --sk

--sk is short for --skip-keypress: rkhunter does not wait for a keypress between test groups, so the whole scan runs unattended. The set of checks is the same as in the basic scan.

3. Scan Specific Sections Only

sudo rkhunter --check --skip-keypress --enable rootkits,malware --disable none

The test names that can follow --enable are listed by rkhunter --list tests. --disable none makes sure that none of the tests you enabled on the command line are switched off by the configuration file.

📋 How to Read rkhunter Scan Results

After the scan completes, you may see output like this:

[Rootkit Hunter version 1.4.6]

Checking system for rootkits...

Possible rootkit installed: Possible Linux/Ebury - Based SSH Trojan

Common Warnings and Their Meanings

Warning                               Meaning
Possible rootkit installed            A rootkit might be present on your system.
Application 'ps' has been modified    The ps command might have been tampered with.
Hidden file found                     A hidden file or directory was detected.
Suggested action                      Recommended steps to take based on the warning.

🧪 How to View rkhunter Logs

rkhunter writes the full results of every scan to a log file. You can view it with the following command:

sudo cat /var/log/rkhunter/rkhunter.log

If the file is not there, check the LOGFILE setting in /etc/rkhunter.conf, which defines where your installation writes its log.
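A small triage helper for that log, added here as an example (it is not code from the original post or from the rkhunter project): it pulls the "Warning:" lines out of a constructed sample log, counts each distinct warning, and exposes a clean/not-clean exit status that a cron wrapper can act on.

```shell
#!/bin/sh
# Added example, not from the original post or rkhunter: summarise the
# "Warning:" lines rkhunter writes to its log for quick triage.
set -eu

# rkhunter log lines have the form "[HH:MM:SS] Warning: <message>".
RKH_WARN_RE='^\[[0-9:]+\] *Warning: '

# Print each distinct warning once, prefixed by how often it appeared,
# most frequent first. $1 is the path to the rkhunter log.
summarize_rkhunter_warnings() {
    grep -E "$RKH_WARN_RE" "$1" \
        | sed -E "s/$RKH_WARN_RE//" \
        | sort | uniq -c | sort -rn
}

# Number of warning lines in the log (prints 0 for a clean log).
count_rkhunter_warnings() {
    grep -cE "$RKH_WARN_RE" "$1" || true
}

# Exit status 0 when the log holds no warnings, 1 otherwise: the value a
# cron wrapper would act on (e.g. to send mail only when something is found).
rkhunter_log_is_clean() {
    ! grep -qE "$RKH_WARN_RE" "$1"
}

# Constructed sample log (not real scan output) so the helpers run offline.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[10:15:01] Rootkit Hunter version 1.4.6 starting
[10:15:03] Info: Starting test name 'system_commands'
[10:15:04] Warning: The command '/usr/bin/ps' has been replaced by a script: /usr/bin/ps: POSIX shell script, ASCII text executable
[10:15:05] Info: Starting test name 'filesystem'
[10:15:06] Warning: Hidden file found: /etc/.java: directory
[10:15:07] Warning: Hidden file found: /etc/.java: directory
[10:15:08] Info: Starting test name 'rootkits'
[10:15:09] Warning: Checking for possible rootkit files and directories [ Warning ]
[10:15:10] Info: Scan finished
EOF

echo "warnings: $(count_rkhunter_warnings "$SAMPLE_LOG")"
summarize_rkhunter_warnings "$SAMPLE_LOG"
if rkhunter_log_is_clean "$SAMPLE_LOG"; then
    echo "log is clean"
else
    echo "warnings need triage"
fi
```

On a real host, point the functions at the log path shown above instead of the sample file.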

🧹 Post-Scan Actions

If rkhunter detects a potential threat:

  1. Verify the results: Confirm whether the warning is a false positive or a real threat. Binaries that changed because of a legitimate package upgrade are the most common false positive; once you have confirmed that is the cause, refresh the stored file properties with the --propupd option so the warning does not recur.
  2. Close security gaps: Update outdated software and disable unnecessary services.
  3. Run additional scans: Use tools like chkrootkit for cross-verification.
  4. Reinstall the system: If a serious threat is found, consider a fresh OS installation.

🧩 Additional Security Tools

1. Run chkrootkit for Extra Scanning

sudo apt install chkrootkit -y
sudo chkrootkit

2. Check System Logs

journalctl -xe

3. Inspect Network Connections

ss -tulnp

📝 Summary

Topic               Description
What is rkhunter?   A tool to detect rootkits, backdoors, and local exploits
Installation        Installed via apt install rkhunter
Scanning            Use rkhunter --check for scanning
Log File            Located at /var/log/rkhunter/rkhunter.log
Extra Tools         Use chkrootkit for additional scanning
