Detecting rootkits and security holes with rkhunter on Ubuntu

Rootkits

rkhunter

security

Reviewed on June 02, 2025

The Rootkit Hunter (rkhunter) project provides an open-source tool to scan Unix installations for rootkits, backdoors and possible local exploits. To achieve this, the tool compares SHA-1 hashes of important files with known good ones in online databases, looking for default directories (of rootkits), wrong permissions, hidden files, and suspicious strings in kernel modules, and by running special tests on the computer.

Before you start

To complete the actions presented below, you must have:

A Scaleway account logged into the console
Owner status or IAM permissions allowing you to perform actions in the intended Organization
An SSH key
An Instance
sudo privileges or access to the root user

Installing rkhunter

Connect to your Instance via SSH.
Update the apt sources and the already installed software on the Instance:
```
apt update && apt upgrade -y
```
Install rkhunter:
```
apt install rkhunter -y
```
Open the configuration file /etc/rkhunter.conf in a text editor. Ubuntu modified some of the default configuration options. Edit the file and make sure the following settings are in place:
```
UPDATE_MIRRORS=1
MIRRORS_MODE=0
WEB_CMD=""
```
Open the file /etc/default/rkhunter and edit it as follows to enable scanning and updating by cron:
```
CRON_DAILY_RUN="true"
CRON_DB_UPDATE=true"
APT_AUTOGEN="true"
```
Check that the latest version of rkhunter is installed on your system:
```
rkhunter --versioncheck
```
Download the latest rootkit definitions and file signatures:
```
rkhunter --update
```
To run checks against sensitive binaries or programs, update the file properties. These are retrieved from the repositories to minimize the risk of compromising the reference check:
```
rkhunter --propupd
```

Running rkhunter

Start Rkhunter with the following command:

rkhunter --check

You will see an output similar to the following:

[ Rootkit Hunter version 1.4.6 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ OK ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chroot                                         [ OK ]
    /usr/sbin/cron                                           [ OK ]
    [...]
    [Press <ENTER> to continue]

After each group of checks, the tool shows a summary of the task performed. To run the test without these breaks, use the -sk option when launching the tool.

You can see a detailed log of the actions performed by rkhunter in the tool's log file: /var/log/rkhunter.log. For more information about the rkhunter configuration refer to the official documentation.

Questions?

Visit our Help Center and find the answers to your most frequent questions.

Visit Help Center