RKHunter also known as RootKit Hunter is a scanning tool to ensure you for about 99.9% that you don’t have any rootkits, backdoors, and local exploits but running tests and e-mailing you results.
How To Install RKHunter
RKHunter – (RootKit Hunter) Is a security scanning tool which will scan for rootkits, backdoors, and local exploits.
RKHunter will ensure you about 99.9% that your dedicated web server is secure.
1. Login to your server via SSH as root.
Then Type: cd /usr/local/src/
2. Download RKHunter Version 1.1.4
Type: wget http://optusnet.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.0.tar.gz
3. Extract files
Type: tar -xzvf
4. Type: cdrkhunter-1.3.0.tar.gz
5. Type: ./installer.sh –help
The default should do
./installer.sh –layout /usr/local –install
6. Lets setup RKHunter to e-mail you you daily scan reports.
Type: pico -w /etc/cron.daily/rkhunter.sh
Add The Following:
(/usr/local/bin/rkhunter -c –cronjob 2>&1 | mail -s “RKhunter Scan Details” email@example.com )
Replace the e-mail above with your e-mail!! It is best to send the e-mail to an e-mail off-site so that if the box IS compromised the hacker can’t erase the scan report unless he hacks another server too.
Type: chmod +x /etc/cron.daily/rkhunter.sh
Rootkit Hunter usage
Rootkit Hunter is a package which contains a few binary scripts
(shell / perl) and a few databases.
You can use Rootkit Hunter by running
‘rkhunter’ with one or more parameters (when using no parameters at all, you’ll
get the usage screen).
Check the system, performs all
Create a logfile (default
Run as cronjob (removes
–help (or -h)
Show help about
Don’t use colors for output (some terminals
don’t like colors or extended layout
Don’t show uninteresting information
for reports, like header/footer. Interesting when scanning from crontab or with
usage of other applications.
Don’t wait after
every test (makes it non-interactive)
scan (instead of full scan). Skips some tests and performs some enhanced tests
(less suitable for normal scans).
Show version and
Check for latest version
RKHunter let me know there was something wrong with my dedicated server, What do I do?
1. If your system is infected with an rootkit, it’s almost impossible to clean it up (lets say with a full warranty it’s clean). Never trust a machine which has been infected with a rootkit, because hiding is the root kit’s main purpose.
(So a fresh installation of the operating system is NEEDED)
2. If only one check fails it is possible that you have a “false positive”.
This sometimes occurs due to custom configurations or changed binaries. If this happens you can validate the ‘false positive’ by checking for untrusted paths, knowing if oyu recently updated the binary, and rkhunter just is out of date, and you can also compare your binaries with other trusted binaries to ensure they are in fact ‘safe’ from a root kit.
RKHunter Faq Can Be Found Here www.rootkit.nl