Scanning for rootkits with Rootkit Hunter

by magian

The Internet can be a wild and dangerous place. We, as Linux users, are generally spared the worst of the viral and malware infestations, but there are times when overconfidence can lead to a false sense of security. Linux is still susceptible to having a rootkit installed.

What is a rootkit you ask?

"A rootkit is a set of software tools intended to conceal running processes, files or system data, thereby helping an intruder to maintain access to a system whilst avoiding detection. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and x86 versions of Microsoft Windows. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules."

excerpt from

Luckily for us there is a great tool for scanning your system for these nefarious invaders. It's called Rootkit Hunter and was created by developer Michael Boelen. Some of the more salient features of Rootkit Hunter are as follows:

  • Compares MD5 hashes of system binaries
  • Looks for default files used by rootkits
  • Checks for wrong file permissions on binaries
  • Looks for suspicious strings in LKM and KLD modules
  • Looks for hidden files
  • Optional scan within plaintext and binary files
  • Rootkit Hunter is released as a GPL-licensed project and is free for everyone to use

I will now show you how to install Rootkit Hunter from the PCLOS repositories, update it, and run a complete check of your system. These actions need to be done as a superuser.

apt-get will locate and install Rootkit Hunter like so: apt-get install rkhunter.

Next we update the program with rkhunter --update.

Rootkit Hunter will download and install all the current signatures.

Next we run a complete scan with rkhunter --checkall.

Rootkit Hunter will perform a whole battery of tests on your system and give you information about its progress along the way. Once it is complete, you will be presented with a summary of scan results like this:

You can run rkhunter with no arguments to see a complete list of options. Rootkit Hunter can be included in shell scripts and can be run as a cron job. Now you have one more reason to feel safer and superior to your poor Microsoft Windows-running brethren.
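As an added example (not part of the article or of Rootkit Hunter itself), here is a small wrapper that runs the update-then-scan procedure above unattended from cron and parses the "System checks summary" block to decide whether anything was flagged. It assumes rkhunter's --update, --checkall, --cronjob and --report-warnings-only options and that the summary is recorded in the log file at the assumed path below; the sample summary is constructed data.

```shell
#!/bin/sh
# Added example, not from the article: unattended Rootkit Hunter cron wrapper
# plus a parser for the "System checks summary" block printed after a scan.
# Assumes rkhunter's --update, --checkall, --cronjob, --report-warnings-only
# options; the log path is an assumption (override with RKHUNTER_LOG).
LOG="${RKHUNTER_LOG:-/var/log/rkhunter.log}"
# Constructed sample in the shape rkhunter prints after a scan (sample data).
rkh_sample_summary() {
    cat <<'EOF'
System checks summary
=====================

File properties checks...
    Files checked: 133
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 342
    Possible rootkits: 0
EOF
}
# Print "<suspect files> <possible rootkits>" from a summary; absent lines = 0.
rkh_totals() {
    awk '/Suspect files:/ { s = $NF } /Possible rootkits:/ { r = $NF }
         END { printf "%d %d\n", s + 0, r + 0 }' "$1"
}
# Return 0 when nothing was flagged, 1 otherwise (usable as a cron job status).
rkh_is_clean() {
    set -- $(rkh_totals "$1")
    [ "$1" -eq 0 ] && [ "$2" -eq 0 ]
}
# Full unattended run as root: refresh signatures, scan, then judge the log.
# --cronjob drops colours and key presses; --report-warnings-only keeps the
# cron mail short. rkhunter itself also exits non-zero when it found warnings.
rkh_cron_scan() {
    rkhunter --update >/dev/null 2>&1
    rkhunter --checkall --cronjob --report-warnings-only
    if rkh_is_clean "$LOG"; then
        echo "rkhunter: no suspect files or possible rootkits"
    else
        echo "rkhunter: WARNING - review $LOG" >&2; return 1
    fi
}
# Demo on the constructed sample (the real scan is rkh_cron_scan, run as root).
tmp=$(mktemp); rkh_sample_summary > "$tmp"
echo "sample totals (suspect files, possible rootkits): $(rkh_totals "$tmp")"
rm -f "$tmp"
```

Install it as a root cron entry (for example daily) and cron will mail you only when the wrapper prints a warning or rkhunter reports one.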

Rootkit Hunter -