Rootkit Hunter – Rootkit and Backdoor Scanner for Linux
rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD.
The tool has been written in Bourne shell, to allow for portability. It can run on almost all UNIX-derived systems.
Please do a clean install of your operating system as RKH and other scanning tools work best on a clean install.
The propupd command can only be trusted on a clean install. However, a scan on an existing install will still reveal rootkits.
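The file-property comparison described above, and the reason a baseline is only trustworthy when taken on a clean system, shown as an added example that is not rkhunter's own code. The function names prop_update and prop_check and the database format are made up for this illustration; it uses SHA-256 in place of SHA-1 and assumes GNU sha256sum and stat.

```sh
#!/bin/sh
# Added illustration (not rkhunter's code): a tiny file-property baseline.
# Function names and the database format are hypothetical.

# prop_update DIR DB: record "sha256 mode path" for every file under DIR.
prop_update() {
    find "$1" -type f | sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" \
            "$(stat -c %a "$f")" "$f"
    done > "$2"
}

# prop_check DB: print a warning per difference; status 1 if any were found.
prop_check() {
    rc=0
    while read -r want_hash want_mode path; do
        if [ ! -f "$path" ]; then
            echo "Warning: missing file: $path"; rc=1; continue
        fi
        if [ "$(sha256sum < "$path" | cut -d' ' -f1)" != "$want_hash" ]; then
            echo "Warning: hash changed: $path"; rc=1
        fi
        if [ "$(stat -c %a "$path")" != "$want_mode" ]; then
            echo "Warning: permissions changed: $path"; rc=1
        fi
    done < "$1"
    return "$rc"
}

# Demo on constructed files in a scratch directory (nothing real is touched).
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin"
    printf 'original ls\n' > "$d/bin/ls"
    printf 'original ps\n' > "$d/bin/ps"
    chmod 755 "$d/bin/ls" "$d/bin/ps"
    prop_update "$d/bin" "$d/clean.db"      # baseline from the clean state
    printf 'replaced ps\n' > "$d/bin/ps"    # simulate a modified binary
    chmod 777 "$d/bin/ls"                   # and a loosened permission
    echo "Check against the clean baseline:"
    prop_check "$d/clean.db" || true
    prop_update "$d/bin" "$d/late.db"       # baseline taken after the change
    echo "Check against the late baseline:"
    prop_check "$d/late.db" && echo "(no warnings: the change is now recorded as known good)"
    rm -rf "$d"
}
demo
```

The second check is silent because the baseline was recorded after the files changed, which is the situation a propupd run on an already compromised system would create.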
Prior to doing a clean install, you will need an RKH tarball on some media and, optionally, the downloads of skdet and unhide.
Optional installs prior to RKH
After doing a clean install, I suggest you install the tools
These tools are optional, so if they are not found, the additional tests that use them are skipped.
The skdet page offers a jump link to unhide as well. All of those pages link back to this page.
Install RKH executable
$ su -
# cd /media/gordon/lexar (your pathway to tarball)
# tar zxvf rkh*.gz
# cd rkh*/
# sh installer.sh --layout default --install
During the install, if you lack a required component the installer should report an error.
Note that it does not test for any extra components such as unhide.
For more options try
# ./installer.sh --help
# ./installer.sh --show --layout default
Install into: /usr/local
Configuration file: /etc
Documents: /usr/local/share/doc/rkhunter-1.4.2 (Directory will be created)
Man page: /usr/local/share/man/man8
Scripts: /usr/local/lib64/rkhunter/scripts (Directory will be created)
Databases: /var/lib/rkhunter/db (Directory will be created)
Signatures: /var/lib/rkhunter/db/signatures (Directory will be created)
Temporary files: /var/lib/rkhunter/tmp (Directory will be created)
For a 64-bit OS, please read the README, or you could try
# sh installer.sh --layout custom /opt --install
Checking system for:
Rootkit Hunter installer files: found
A web file download command: wget found
Checking installation Directory “/opt”: it exists and is writable.
Checking installation Directories:
Directory /opt/share/doc/rkhunter-1.4.2: creating: OK
Directory /opt/share/man/man8: creating: OK
Directory /opt/etc: creating: OK
Directory /opt/bin: creating: OK
Directory /opt/lib64: creating: OK
Directory /opt/var/lib: creating: OK
Directory /opt/lib64/rkhunter/scripts: creating: OK
Directory /opt/var/lib/rkhunter/db: creating: OK
Directory /opt/var/lib/rkhunter/tmp: creating: OK
Directory /opt/var/lib/rkhunter/db/i18n: creating: OK
Directory /opt/var/lib/rkhunter/db/signatures: creating: OK
Installing check_modules.pl: OK
Installing filehashsha.pl: OK
Installing stat.pl: OK
Installing readlink.sh: OK
Installing backdoorports.dat: OK
Installing mirrors.dat: OK
Installing programs_bad.dat: OK
Installing suspscan.dat: OK
Installing rkhunter.8: OK
Installing ACKNOWLEDGMENTS: OK
Installing CHANGELOG: OK
Installing FAQ: OK
Installing LICENSE: OK
Installing README: OK
Installing language support files: OK
Installing ClamAV signatures: OK
Installing rkhunter: OK
Installing rkhunter.conf: OK
Your config is under /opt/etc and the tail of my config shows
I suggest you also symlink the man page installed under /opt
# ln -s /opt/share/man/man8/rkhunter.8 /usr/share/man/man8
/opt/bin was not in my PATH, so here is one way to change it.
# PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin"
# export PATH
Log out and back in, then run
$ su -
# echo $PATH
It should now show the /opt/bin pathway.
# rkhunter -c -sk (example command only)