Security

Search for rootkits with Rootkit Hunter on Linux systems

Learn to use Rootkit Hunter to detect malware on your Linux system.

Delivered each Tuesday, TechRepublic's free Linux NetNote provides tips, articles, and other resources to help you hone your Linux skills. Automatically sign up today!

Until fairly recently, the tool to use for detecting malware on Linux systems was the chkrootkit tool. However, a newer tool with several more available tests and a friendlier interface is now available: Rootkit Hunter (rkhunter).

This tool is available for download from the rootkit Web site. Installation is extremely straight-forward; rkhunter only consists of Perl and shell scripts. After you've downloaded and unpacked the latest version, simply run the installer.sh script to install the program.

In its most basic form, rkhunter scans your system for any signs of malware. In addition, it performs other scans on your system, such as checking for differences between a cached copy of the passwd and group files, checking the sshd_config file to see if root logins are permissible, and so forth.

Every version adds checks for new malware, so keeping up with rkhunter releases is important. Be sure to regularly check the rootkit Web site.

To perform an interactive report, run rkhunter as shown below:

# rkhunter -c

This displays each test that rkhunter performs, pausing occasionally for you to press [Enter]. This ensures that you can see the entire report without scrolling back too far.

You can also perform a simple summary report that allows for viewing the results of rkhunter's work. Here's an example:

# rkhunter -c —report-mode

If you're only interested in the summary, you can place this code in a cron job. If you prefer to have a full report, execute the following:

# rkhunter -c —cronjob

This prevents the display of colors, which may cause the e-mails sent via cron to look a little off. All in all, rkhunter is easy to use and a definite must for anyone running Linux.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

Editor's Picks