Install and Configure Rootkit Hunter in Linux

In this article, we show you how to install and configure Rootkit Hunter (rkhunter) in Linux.

RK Hunter, which stands for Rootkit Hunter, is an open-source scanner for Linux and Unix-based systems, released under the GPL, that scans your systems for backdoors, rootkits, and local exploits.

It checks for hidden files, wrong permissions set on binaries, suspicious strings in the kernel, etc.

Steps To Install and Configure Rootkit Hunter in Linux

Here you can start to install Rootkit Hunter on the Linux system.

In this part, we show you how to install Rootkit Hunter on RPM-based distros such as CentOS, RedHat, and AlmaLinux, and on DEB-based distros such as Debian and Ubuntu.

We run the commands as the root user. If you are a non-root user, be sure that you have sudo privileges.

Step 1 – Set Up Rootkit Hunter on AlmaLinux / CentOS / RHEL

First, you need to download the latest version of the Rootkit Hunter tool by visiting the Rootkit Hunter project page.

Navigate to the tmp directory, copy the link address of Rootkit Hunter, and put it in the following wget command:

cd /tmp
wget -O rkhunter-1.4.6.tar.gz https://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz/download

Note: If you don’t have the wget tool, you need to install it first on your server with the following command:

dnf install wget
or
yum install wget

After this, execute the wget command above to download the latest version of Rootkit Hunter in Linux.

When the download is finished, you can start the installation.

Run the following commands to install the Rootkit Hunter. Extract your downloaded file with the command below:

tar -xvf rkhunter-1.4.6.tar.gz

Switch to the rkhunter directory:

cd rkhunter-1.4.6

Next, run the installer script:

./installer.sh --layout default --install

In your output, you should see:

Output
Checking system for:
Rootkit Hunter installer files: found
A web file download command: wget found
Starting installation:
Checking installation directory "/usr/local": it exists and is writable.
Checking installation directories:
Directory /usr/local/share/doc/rkhunter-1.4.6: creating: OK
Directory /usr/local/share/man/man8: exists and is writable.
Directory /etc: exists and is writable.
...
Installing ACKNOWLEDGMENTS: OK
Installing CHANGELOG: OK
Installing FAQ: OK
Installing LICENSE: OK
Installing README: OK
Installing language support files: OK
Installing ClamAV signatures: OK
Installing rkhunter: OK
Installing rkhunter.conf: OK
Installation complete

When you are done with the installation of the Rootkit Hunter, you need to update it.

Update Rootkit Hunter on AlmaLinux / CentOS / RHEL

You can use the rkhunter updater to refresh its data files. To do this, run the command below:

/usr/local/bin/rkhunter --update
Output
[ Rootkit Hunter version 1.4.6 ]
Checking rkhunter data files...
Checking file mirrors.dat [ Updated ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ No update ]
Checking file i18n/tr.utf8 [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
Checking file i18n/ja [ No update ]

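Then run the following command to record the current file properties as the baseline that later scans compare against. Do this only on a system you trust to be clean: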

/usr/local/bin/rkhunter --propupd
Output
[ Rootkit Hunter version 1.4.6 ]
File created: searched for 176 files, found 129, missing hashes 1

Set up Cronjob for Rkhunter

At this point, you can set up a cron job and email alerts for Rootkit Hunter in Linux.

Here, you need to create a file named rkhunter.sh under the /etc/cron.daily/ directory.

It will scan your file system every day and send a notification to your email address. You can create the file with your favorite text editor, such as vi or nano. Here we use vi:

vi /etc/cron.daily/rkhunter.sh

Then, add the following lines to your file. Remember to replace the server name and email address with yours.

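#!/bin/sh
# Daily rkhunter run: everything printed inside ( ... ) becomes the mail body.
(
# Check for a newer rkhunter release and refresh the data files
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
# Non-interactive scan that reports only warnings
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (your-server-name)' olivia@orcacore.com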

Now set the correct permissions to your file with the following command:

chmod 755 /etc/cron.daily/rkhunter.sh

Step 2 – Set Up Rootkit Hunter on Debian / Ubuntu

To install Rootkit Hunter on Debian / Ubuntu Linux distros, follow these instructions.

First, you need to update the APT packages with the following command:

apt update

Then install Rootkit Hunter with the following command:

apt install rkhunter

Configure rkhunter on Debian / Ubuntu

Now you need to edit the Rootkit Hunter config file. Run the command below to open the file with vi, or use your favorite editor:

vi /etc/rkhunter.conf

Be sure that the following lines are set as shown:

UPDATE_MIRRORS=1
MIRRORS_MODE=0
WEB_CMD=""
ALLOW_SSH_PROT_V1=0

Next, you need to enable the cron jobs. Run the following command to open the rkhunter defaults file:

vi /etc/default/rkhunter

Set the following lines as shown:

CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
APT_AUTOGEN="true"

You can check your configuration with:

rkhunter -C

To check that you have the latest Rootkit definitions, run the following command:

rkhunter --update

Then, check your version is up to date with:

rkhunter --versioncheck
Output
[ Rootkit Hunter version 1.4.6 ]
Checking rkhunter version...
This version : 1.4.6
Latest version: 1.4.6

Now run the command below to update the rkhunter data file of stored values with the current values:

rkhunter --propupd

Here, you can see how Rootkit Hunter works in Linux.

Step 3 – Use Rootkit Hunter in Linux Terminal

Run the following command to scan the entire file system:

rkhunter --check

When you run the Rootkit hunter command, in your output, you will see something similar to this:

...
/usr/bin/dirname [ OK ]
/usr/bin/dmesg [ OK ]
/usr/bin/du [ OK ]
/usr/bin/echo [ OK ]
/usr/bin/ed [ OK ]
/usr/bin/egrep [ Warning ]
/usr/bin/env [ OK ]
/usr/bin/fgrep [ Warning ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
...
[Press <ENTER> to continue]
Checking for rootkits...
Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
Adore Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
[Press <ENTER> to continue]
Performing additional rootkit checks
Suckit Rootkit additional checks [ OK ]
....
Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for login backdoors [ None found ]
Checking for sniffer log files [ None found ]
Checking for suspicious directories [ None found ]
...
Checking kernel module names [ OK ]
[Press <ENTER> to continue]
Checking the network...
Performing checks on the network ports
Checking for backdoor ports [ None found ]
...
Checking for an SSH configuration file [ Found ]
[Press <ENTER> to continue]

System checks summary
=====================
File properties checks...
Files checked: 129
Suspect files: 6

Rootkit checks...
Rootkits checked : 380
Possible rootkits: 0

Applications checks...
All checks skipped

The system checks took: 2 minutes and 21 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

The above command writes the results of the checks made by Rootkit Hunter to the log file /var/log/rkhunter.log.

Run the following command to check the rkhunter log file:

cat /var/log/rkhunter.log
Output
....
[05:41:44] System checks summary
[05:41:44] =====================
[05:41:44]
[05:41:44] File properties checks...
[05:41:44] Files checked: 129
[05:41:44] Suspect files: 6
[05:41:44]
[05:41:44] Rootkit checks...
[05:41:44] Rootkits checked : 380
[05:41:44] Possible rootkits: 0
[05:41:44]
[05:41:44] Applications checks...
[05:41:44] All checks skipped
[05:41:44]
[05:41:44] The system checks took: 2 minutes and 21 seconds
[05:41:44]
[05:41:44] Info: End date is Wed Sep 8 05:41:44 EDT 2021
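
The summary counters and the per-item [ Warning ] lines in this log can be checked by a script instead of read by eye. The following is an added example, not part of the original article or of rkhunter itself: the function names are hypothetical, the sample log is constructed, and it assumes that per-item log lines carry the same [hh:mm:ss] prefix as the summary lines shown above.

```shell
#!/bin/sh
# Added example (not from rkhunter): triage an rkhunter log file.
# All function names are hypothetical.

# Print one summary counter, e.g. rkh_count LOG 'Suspect files' -> 6
rkh_count() {
    # tail -n 1: if the log holds several runs, use the latest summary
    sed -n "s/^\[[0-9:]*\] *$2 *: *\([0-9][0-9]*\) *\$/\1/p" "$1" | tail -n 1
}

# Print every item whose result column is [ Warning ]
rkh_warned() {
    sed -n 's/^\[[0-9:]*\] *\(.*[^ ]\) *\[ Warning \] *$/\1/p' "$1"
}

# Exit status: 0 clean, 1 findings to review, 2 log missing or incomplete
rkh_triage() {
    log=$1
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    suspect=$(rkh_count "$log" 'Suspect files')
    rootkits=$(rkh_count "$log" 'Possible rootkits')
    # No summary means the scan never finished: do not report that as clean
    if [ -z "$suspect" ] || [ -z "$rootkits" ]; then
        echo "no summary in $log (scan incomplete?)" >&2
        return 2
    fi
    echo "suspect_files=$suspect possible_rootkits=$rootkits"
    rkh_warned "$log" | sed 's/^/warned: /'
    [ "$suspect" -eq 0 ] && [ "$rootkits" -eq 0 ]
}

# Constructed sample in the log format shown above (not real scan output)
rkh_sample() {
cat <<'EOF'
[05:40:02]   /usr/bin/egrep                         [ Warning ]
[05:40:02]   /usr/bin/env                           [ OK ]
[05:40:03]   /usr/bin/fgrep                         [ Warning ]
[05:41:44] Suspect files: 2
[05:41:44] Rootkits checked : 380
[05:41:44] Possible rootkits: 0
EOF
}

tmp=$(mktemp) && rkh_sample > "$tmp"
rkh_triage "$tmp" || echo "status $?: review the warned items"
rm -f "$tmp"
```

On a real host, call rkh_triage /var/log/rkhunter.log after the scan and alert on any non-zero status.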

Also, for more information about Rootkit Hunter, you can use the following command:

rkhunter --help

Or, you can read the man page for rkhunter in Linux:

man rkhunter

Conclusion

At this point, you have learned what RKH is and how to install and configure Rootkit Hunter (rkhunter) in the Linux terminal.

As you have seen, you can use Rootkit Hunter on all Linux distros like AlmaLinux, CentOS 7, Ubuntu 18.04, Debian 10, etc.

Hope you enjoy it.
