Tags: Forensics, rootkit, scanner, backdoor, sniffer, exploit, security

rkhunter

Rootkit Hunter scans systems for known and unknown rootkits, backdoors, sniffers and exploits. It checks for SHA256 hash changes, files commonly created by rootkits, executables with anomalous file permissions, suspicious strings in kernel modules, hidden files in system directories, and can optionally scan within files.

Description

rkhunter is a tool designed to detect rootkits, backdoors, sniffers, and exploits on Linux systems. It performs comprehensive scans to identify signs of compromise by examining various system artifacts that could indicate malicious activity.

Use cases include routine security audits, incident response, and system hardening. Administrators can run it to verify system integrity, especially after suspected breaches or as part of regular maintenance. It is particularly useful for detecting persistence mechanisms like rootkits that hide malicious processes or files.

Note that using rkhunter alone does not guarantee a system is not compromised. It is recommended to run additional tests, such as chkrootkit, for more thorough verification.

How It Works

rkhunter checks SHA256 hash changes to detect modified files, scans for files commonly created by rootkits, inspects executables for anomalous file permissions, looks for suspicious strings in kernel modules, identifies hidden files in system directories, and can optionally scan within files for malicious content. It supports package managers like DPKG to verify file properties and maintains a database of known good hashes updated via --propupd.
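To make the file-properties mechanism concrete, here is an added example (not rkhunter's own code) of the principle behind --propupd and --check: record a known-good hash, mode and size for every file, then compare the live tree against that record and report each kind of deviation. It assumes Linux with GNU coreutils (sha256sum, stat -c) and file paths without leading or trailing whitespace; the build_baseline and verify_baseline names are this example's own.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: a minimal file-properties
# baseline in the spirit of `rkhunter --propupd` (record known-good
# properties) and `rkhunter --check` (compare live files against them).
# Assumes Linux with GNU coreutils (sha256sum, stat -c).

# build_baseline DIR DBFILE
# Record "sha256 mode size path" for every regular file under DIR.
# Take the snapshot only on a system you trust, and refresh it after
# legitimate package updates; otherwise every update looks like tampering.
build_baseline() {
    dir=$1; db=$2
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$sum" "$(stat -c '%a %s' "$f")" "$f"
    done > "$db"
}

# verify_baseline DIR DBFILE
# Compare the live tree with the snapshot and print one finding per line:
#   MODIFIED path   content hash differs from the baseline
#   PERMS    path   content unchanged, but mode or size differs
#   MISSING  path   listed in the baseline, no longer on disk
#   NEW      path   on disk, absent from the baseline
# Returns 0 when nothing changed, 1 when any finding was printed.
verify_baseline() {
    dir=$1; db=$2; rc=0
    while read -r sum mode size f; do
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"; rc=1; continue
        fi
        cur=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            echo "MODIFIED $f"; rc=1
        elif [ "$(stat -c '%a %s' "$f")" != "$mode $size" ]; then
            echo "PERMS    $f"; rc=1
        fi
    done < "$db"
    # Files present now but without a baseline entry. The loop runs in a
    # subshell and cannot set rc, so its output is collected instead.
    new=$(find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        awk -v p="$f" '{ line = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", line)
                         if (line == p) found = 1 }
                       END { exit !found }' "$db" || echo "NEW      $f"
    done)
    if [ -n "$new" ]; then
        echo "$new"; rc=1
    fi
    return $rc
}

# Stand-alone demo: `sh baseline.sh --demo` snapshots a scratch tree,
# tampers with it in three ways, and prints the findings.
if [ "${1:-}" = "--demo" ]; then
    t=$(mktemp -d)
    printf 'alpha\n' > "$t/a"; printf 'beta\n' > "$t/b"
    build_baseline "$t" "$t.db"
    printf 'ALPHA\n' > "$t/a"; chmod 600 "$t/b"; printf 'x\n' > "$t/c"
    verify_baseline "$t" "$t.db"
    rm -rf "$t" "$t.db"
fi
```

The same trust boundary applies to rkhunter itself: a baseline taken after a compromise simply records the attacker's files as legitimate, so --propupd belongs right after a clean install or a verified package upgrade, not in an unattended cron job.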

Installation

```bash
sudo apt install rkhunter
```

Flags

--append-log
    Append to the logfile, do not overwrite
--bindir <directory>...
    Use the specified command directories
-c, --check
    Check the local system
-C, --config-check
    Check the configuration file(s), then exit
--cs2, --color-set2
    Use the second color set for output
--configfile <file>
    Use the specified configuration file
--cronjob
    Run as a cron job (implies -c, --sk and --nocolors options)
--nomow, --no-mail-on-warning
    Do not send a message if warnings occur
--ns, --nosummary
    Do not show the summary of check results
--novl, --no-verbose-logging
    No verbose logging
--pkgmgr {RPM | DPKG | BSD | BSDng | SOLARIS | NONE}
    Use the specified package manager to obtain or verify file property values (default is NONE)
--propupd [file | directory | package]...
    Update the entire file properties database, or just for the specified entries
-q, --quiet
    Quiet mode (no output at all)

Examples

Display help and usage information
    rkhunter -h
Check the local system for rootkits and other threats
    rkhunter --check
Unlock the database for updates
    rkhunter --unlock
Update the rkhunter data files
    rkhunter --update
Check for the latest version of rkhunter
    rkhunter --versioncheck
Update the file properties database
    rkhunter --propupd
List available tests
    rkhunter --list tests
Check the configuration file(s), then exit
    rkhunter --config-check
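The commands above compose into a scheduled check. The following wrapper is an added example, not rkhunter's own code: it runs --update, optionally --propupd, then --cronjob with --append-log, and reads the latest run's warnings back out of the log so a scheduler or monitoring agent gets a meaningful exit status. Its assumptions, which are not stated on this page, are that rkhunter is on PATH, that its log is /var/log/rkhunter.log (overridable with RKH_LOG), that each run's log section starts with a line containing "Running Rootkit Hunter", and that findings are logged as "[HH:MM:SS] Warning: ..." lines; the sample log it ships with is constructed for the demo.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: a cron wrapper around the
# commands listed above. Assumptions (not from this page): rkhunter is on
# PATH, logs to /var/log/rkhunter.log, starts each run's log section with a
# "Running Rootkit Hunter" line, and records findings as "Warning:" lines.

LOG=${RKH_LOG:-/var/log/rkhunter.log}

# latest_run_warnings LOGFILE
# Print only the Warning lines of the most recent run. With --append-log the
# file accumulates runs, so cut at the last run marker before filtering.
latest_run_warnings() {
    start=$(grep -n 'Running Rootkit Hunter' "$1" | tail -n 1 | cut -d: -f1)
    tail -n "+${start:-1}" "$1" | grep '] Warning: ' || :
}

# count_latest_run_warnings LOGFILE
# Number of Warning lines in the latest run (0 for a clean or empty log).
count_latest_run_warnings() {
    latest_run_warnings "$1" | grep -c . || :
}

# run_rkhunter_cron
# 1. --update refreshes the rkhunter data files before the check.
# 2. --propupd is deliberately opt-in (RKH_PROPUPD=yes): refresh the file
#    properties database only after a verified package upgrade. Run blindly
#    from cron it would bless whatever is on disk, replaced files included.
# 3. --cronjob implies -c, --sk and --nocolors; --append-log keeps history.
# Exit status: 1 if the latest run produced warnings, 0 otherwise.
run_rkhunter_cron() {
    rkhunter --update || :                # exit status of --update not used here
    if [ "${RKH_PROPUPD:-no}" = "yes" ]; then
        rkhunter --propupd
    fi
    rkhunter --cronjob --append-log || :  # findings are read back from the log
    n=$(count_latest_run_warnings "$LOG")
    if [ "$n" -gt 0 ]; then
        printf 'rkhunter: %s warning(s) in the latest run, see %s\n' "$n" "$LOG"
        latest_run_warnings "$LOG"
        return 1
    fi
    return 0
}

# write_sample_log FILE
# Constructed sample in the assumed log format: two appended runs, the first
# with one warning and the second with two. Used only by the demo and tests.
write_sample_log() {
    cat > "$1" <<'EOF'
[02:00:01] Running Rootkit Hunter version 1.4.6 on host-a
[02:00:05] Warning: Hidden directory found: /etc/.example
[02:00:09] Info: End date is Mon Apr 13 02:00:09 UTC 2026
[02:00:01] Running Rootkit Hunter version 1.4.6 on host-a
[02:00:06] Warning: The command '/usr/bin/example' has been replaced by a script
[02:00:07] Warning: Hidden file found: /dev/shm/.example
[02:00:09] Info: End date is Tue Apr 14 02:00:09 UTC 2026
EOF
}

# `sh rkhunter-cron.sh run` performs the real check on a host with rkhunter;
# `sh rkhunter-cron.sh --demo` triages the constructed sample log instead.
case "${1:-}" in
    run)    run_rkhunter_cron ;;
    --demo) f=$(mktemp); write_sample_log "$f"
            echo "warnings in latest run: $(count_latest_run_warnings "$f")"
            latest_run_warnings "$f"; rm -f "$f" ;;
esac
```

Whether warnings are also mailed is left to rkhunter's own configuration (see --nomow above); the wrapper only adds the exit status, which is what a cron mail filter or a monitoring agent can key on.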
Updated 2026-04-16. Source: kali.org