Rootkits are a kind of malicious software that typically gives unauthorized users access to a computer. A rootkit is hard to detect because it may subvert the very software intended to find it. rkhunter (Rootkit Hunter) is a Linux utility that detects rootkits (and other system problems).
rkhunter looks for rootkit signatures and uses ClamAV-compatible signatures. It also downloads updated signatures and other information from an updated database. In addition to rootkit detection, rkhunter checks system commands, the network, the local host and application versions.
In this tutorial we will explore how to use rkhunter with Ubuntu as the reference platform.
To install rkhunter on Ubuntu, run:
$ sudo apt-get install rkhunter
Start with filling the file properties database:
$ sudo rkhunter --propupd
Run the check:
$ sudo rkhunter -c
rkhunter prints a summary at the end. The full log file is /var/log/rkhunter.log. To see whether anything on your system needs attention, search that log for "Warning".
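The last step above, checking the log for warnings, is the one worth automating once rkhunter runs from cron. The script below is an added example, not code from the rkhunter project or from this tutorial: it searches a log for "Warning:" lines the way the text suggests and turns the result into an exit status that a cron job or CI step can act on. It assumes the "[HH:MM:SS] Level: message" layout rkhunter uses in /var/log/rkhunter.log and embeds a constructed sample log so it runs offline; pass the real log path to the functions to use it on an actual scan.

```shell
#!/bin/sh
# Added example (not from the rkhunter project or the original tutorial).
# Summarises a rkhunter log: counts "Warning:" lines, lists them, and
# reports whether the scan was clean. Assumes the log layout of
# /var/log/rkhunter.log, where each finding is a line containing "Warning:".

# Constructed sample log lines (not real rkhunter output), standing in
# for /var/log/rkhunter.log so the script can run without a scan.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[10:01:02] Info: Starting the checks
[10:01:03] Checking for rootkits...
[10:01:04] Warning: The file properties have changed:
[10:01:04]          File: /usr/bin/ls
[10:01:05] Warning: The command '/usr/bin/curl' has been replaced by a script
[10:01:06] Info: End date is Mon Jan  1 10:01:06 2024
EOF

# count_warnings LOGFILE: print the number of "Warning:" lines (0 if none)
count_warnings() {
    [ -r "$1" ] || { echo 0; return; }
    # grep -c exits 1 when the count is 0 but still prints "0"
    grep -c 'Warning:' "$1" || true
}

# list_warnings LOGFILE: print each warning line with the timestamp stripped
list_warnings() {
    grep 'Warning:' "$1" | sed 's/^\[[0-9:]*\] *//'
}

# log_is_clean LOGFILE: exit 0 only when the log exists and raised no
# warnings. A missing or unreadable log is NOT treated as clean, so a
# scan that never ran cannot pass the gate silently.
log_is_clean() {
    [ -r "$1" ] && [ "$(count_warnings "$1")" -eq 0 ]
}

# Stand-alone run over the constructed sample log
if log_is_clean "$SAMPLE_LOG"; then
    echo "rkhunter: no warnings"
else
    echo "rkhunter: $(count_warnings "$SAMPLE_LOG") warning(s):"
    list_warnings "$SAMPLE_LOG"
fi
```

For a real run, `log_is_clean /var/log/rkhunter.log` after `sudo rkhunter -c --sk --rwo` (skip keypress prompts, report warnings only) gives a non-interactive check whose exit status can fail a job. Remember that rkhunter compares against the file properties database built with `--propupd`, so a legitimate package upgrade will also produce "file properties have changed" warnings until the database is refreshed; treat such warnings as something to verify against the package manager, not as noise to suppress.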