Rootkit Hunter – Rootkit and Backdoor Scanner for Linux

Rootkit Hunter – Rootkit and Backdoor Scanner for Linux. rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD.

The tool has been written in Bourne shell, to allow for portability. It can run on almost all UNIX-derived systems.

Clean Install

Please do a clean install of your operating system as RKH and other scanning tools work best on a clean install.

The propupd command can only be trusted on a clean install. However, a scan on an existing install will still reveal root kits.

Prior to doing a clean install, you will need a RKH tarball on a media and
<optional> the downloads of skdet and unhide.

Optional installs prior to RKH

After doing a clean install, suggest you install the tools

  • skdet
  • unhide

These tools are optional, so if not found, additional tests using these tools are skipped.

skdet offer jump link to unhide as well. All those pages offer link back to this page.

Install RKH executable

$ su -     
#  cd /media/gordon/lexar (your pathway to tarball)
# tar zxvf rkh*.gz
# cd rkh*
# sh installer.sh --layout default --install

During the install if you lack a component the installer should report an error.
Note it is not testing for any extra components installed such as unhide.

For more options try

# ./install --help

For example

" # ./installer.sh --show --layout default

Install into: /usr/local
Application: /usr/local/bin
Configuration file: /etc
Documents: /usr/local/share/doc/rkhunter-1.4.2 (Directory will be created)
Man page: /usr/local/share/man/man8
Scripts: /usr/local/lib64/rkhunter/scripts (Directory will be created)
Databases: /var/lib/rkhunter/db (Directory will be created)
Signatures: /var/lib/rkhunter/db/signatures (Directory will be created)
Temporary files: /var/lib/rkhunter/tmp (Directory will be created)

For 64 bit OS please read the README -OR- you could try

" # sh installer.sh --layout custom /opt --install

Checking system for:
Rootkit Hunter installer files: found
A web file download command: wget found
Starting installation:
Checking installation Directory “/opt”: it exists and is writable.
Checking installation Directories:
Directory /opt/share/doc/rkhunter-1.4.2: creating: OK
Directory /opt/share/man/man8: creating: OK
Directory /opt/etc: creating: OK
Directory /opt/bin: creating: OK
Directory /opt/lib64: creating: OK
Directory /opt/var/lib: creating: OK
Directory /opt/lib64/rkhunter/scripts: creating: OK
Directory /opt/var/lib/rkhunter/db: creating: OK
Directory /opt/var/lib/rkhunter/tmp: creating: OK
Directory /opt/var/lib/rkhunter/db/i18n: creating: OK
Directory /opt/var/lib/rkhunter/db/signatures: creating: OK
Installing check_modules.pl: OK
Installing filehashsha.pl: OK
Installing stat.pl: OK
Installing readlink.sh: OK
Installing backdoorports.dat: OK
Installing mirrors.dat: OK
Installing programs_bad.dat: OK
Installing suspscan.dat: OK
Installing rkhunter.8: OK
Installing ACKNOWLEDGMENTS: OK
Installing CHANGELOG: OK
Installing FAQ: OK
Installing LICENSE: OK
Installing README: OK
Installing language support files: OK
Installing ClamAV signatures: OK
Installing rkhunter: OK
Installing rkhunter.conf: OK
Installation complete

Your config is under /opt/etc and the tail of my config shows

INSTALLDIR=/opt
DBDIR=/opt/var/lib/rkhunter/db
SCRIPTDIR=/opt/lib64/rkhunter/scripts
TMPDIR=/opt/var/lib/rkhunter/tmp
USER_FILEPROP_FILES_DIRS=/opt/etc/rkhunter.conf

Suggest you also sym link your opt manpage

" # ln -s /opt/share/man/man8/rkhunter.8 /usr/share/man/man8

Opt was not in my bin pathway so here is one way to change it.

" # PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin"
# export PATH

Log out and back in then run

" $ su -
# echo $PATH

should now show /opt/bin pathway

" # rkhunter -c -sk (example command only)

Official Page

  • https://sourceforge.net/projects/rkhunter/
Shares

Leave a Reply