Installing rkhunter on Linux Systems and Performing Rootkit Scans

Linux systems are widely known for their stability, flexibility, and strong security architecture. However, no system is completely immune to threats. Among the most dangerous of these threats are rootkits, which are designed to hide malicious activity, maintain unauthorized access, and allow attackers to remain undetected on a compromised system. Because rootkits often operate silently and at a low level, they can be difficult to detect with standard security checks alone.

For this reason, system administrators should not rely solely on preventive measures. Regular security auditing and integrity checks are also essential. One of the most practical tools available for this purpose is rkhunter. In this article, we will explain what rkhunter is, how to install it on Linux systems, how to use it for rootkit scanning, and how to interpret the results in a professional and practical way.

Linux Security and the Rootkit Threat

Linux is generally considered a secure operating system, especially when properly configured and regularly updated. Still, threats can emerge through outdated software, exposed services, weak credentials, or misconfigurations. Once an attacker gains access to a system, one of their primary goals is often to remain persistent while avoiding detection. This is where rootkits become especially dangerous.

A rootkit is a type of malicious software or toolkit that enables an attacker to hide files, processes, network connections, and other unauthorized activity on a system. Some rootkits run in user space, while more advanced variants operate at the kernel level, making them much harder to detect and remove. In many cases, they are used alongside backdoors, credential theft tools, or privilege escalation techniques.

Because of this, it is critical to have tools that can inspect system binaries, permissions, hidden files, suspicious behavior, and known malicious signatures. rkhunter is designed to help identify exactly these kinds of indicators.

What Is rkhunter?

rkhunter, short for Rootkit Hunter, is an open-source security scanning tool for Linux and Unix-like systems. It is used to detect rootkits, backdoors, local exploits, suspicious file changes, and other security anomalies that could indicate compromise.

Rather than acting as a malware removal tool, rkhunter focuses on detection and reporting. It performs a series of checks on the operating system, looking for known signatures, altered system commands, hidden files, insecure configurations, and suspicious processes or network listeners.

Its main purpose is to give administrators visibility into the security state of the system and highlight anything that may require further investigation.

Why Use rkhunter?

In many Linux environments, especially servers exposed to the internet, unauthorized changes can go unnoticed for long periods. Attackers may modify system utilities, install hidden binaries, create persistence mechanisms, or tamper with logs. rkhunter helps identify these issues by providing an additional layer of verification.

Using rkhunter is beneficial because it can:

  • Check for known rootkit signatures
  • Detect modified or suspicious system binaries
  • Identify hidden files and directories
  • Review configuration inconsistencies
  • Report suspicious network listeners and system behavior
  • Support regular security auditing in production systems

Although it should not be treated as a complete security solution on its own, it is a valuable part of a layered Linux security strategy.

Installing rkhunter on Debian/Ubuntu-Based Systems

Installing rkhunter on Debian and Ubuntu-based systems is straightforward. It is available in the default package repositories and can be installed with a few simple commands.

Update the Package List

Before installing any package, it is good practice to refresh the system’s package index.

sudo apt update

This ensures that the latest package metadata is retrieved from the configured repositories.

Install rkhunter

Once the package list is up to date, install rkhunter using the following command.

sudo apt install rkhunter -y

The -y option automatically confirms the installation prompt, which is useful for unattended or scripted setups.

Update the rkhunter Database

After installation, the next important step is to update rkhunter’s data files.

sudo rkhunter --update

This command updates the tool’s signature and data files so it can scan the system using the most recent information available.

How to Perform a System Scan with rkhunter

Once installed and updated, rkhunter can be used to scan the system for signs of compromise.

Basic Scan

The most common and basic scan is performed with:

sudo rkhunter --check

This command runs the default set of checks and may prompt the user during certain stages of the scan.

Fully Automated Scan

For a non-interactive scan, which is especially useful on remote servers or in automated tasks, use:

sudo rkhunter --check --sk

The --sk option skips keypress prompts, allowing the scan to complete without requiring manual input.

Extended Scan with Explicit Options

If you want a more controlled and explicit scan, you can use:

sudo rkhunter --check --system-language en --skip-keypress --enable all --disable none

This command performs a full scan while forcing English output, skipping prompts, enabling all checks, and disabling none of them. It is useful in environments where standardized output is preferred for reporting or documentation purposes.

Understanding rkhunter Scan Results

At the end of the scan, rkhunter displays the findings directly in the terminal. A typical output might look like this:

[Rootkit Hunter version 1.4.6]
Checking system for rootkits...
Possible rootkit installed: Possible Linux/Ebury - Based SSH Trojan

Results like these should be taken seriously, but not interpreted blindly. rkhunter can sometimes produce false positives, especially on customized systems or after legitimate software updates. That is why every warning should be reviewed in context.

Common Warnings and What They Mean

Possible rootkit installed
This warning indicates that the tool found behavior or a signature associated with a known rootkit. It does not automatically confirm an active infection, but it does require further investigation.

Application ‘ps’ has been modified
System utilities such as ps, ls, netstat, or top are common targets for attackers who want to hide processes or connections. If rkhunter reports that one of these tools has been modified, the binary should be verified immediately. However, legitimate package updates can also trigger this warning.

Hidden file found
Linux systems naturally use hidden files for configuration purposes, so this warning is not always a sign of compromise. Still, hidden files or directories in unusual locations should always be examined carefully.

Suggested action
rkhunter often provides a recommended action beneath a warning. These suggestions are helpful starting points, but they should be supported by manual validation and additional analysis.

Viewing rkhunter Logs

In addition to printing results on screen, rkhunter saves scan information in a log file. This file can be reviewed using:

cat /var/log/rkhunter/rkhunter.log

The log file is useful for:

  • Reviewing previous scan results
  • Comparing findings over time
  • Investigating suspicious system behavior
  • Supporting incident response documentation

In production environments, these logs can also be forwarded to a centralized logging or SIEM platform for better visibility and correlation.
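To connect the automated scan described earlier with the log review, here is an added example (my own shell script, not from the original article or the rkhunter project) that runs the non-interactive scan and then summarises the warnings recorded in the log file. It assumes the Debian/Ubuntu default log path /var/log/rkhunter/rkhunter.log, the [HH:MM:SS] prefix rkhunter writes in front of each log line, and the documented behaviour that rkhunter exits non-zero when a warning was recorded; the log lines used to exercise the functions are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of rkhunter: wrap a non-interactive scan and
# summarise the warnings it wrote to the log.
# Assumed log path (Debian/Ubuntu default); override with RKHUNTER_LOG=...
RKHUNTER_LOG="${RKHUNTER_LOG:-/var/log/rkhunter/rkhunter.log}"

# Non-interactive scan that prints only warnings. rkhunter exits non-zero
# when it recorded a warning, so a cron job can alert on the status alone.
run_scan() {
    sudo rkhunter --check --sk --report-warnings-only
}

# Number of warnings in a log file (0 when none, or when the file is missing).
count_warnings() {
    n=$(grep -c 'Warning:' "$1" 2>/dev/null) || n=0
    printf '%s\n' "${n:-0}"
}

# The warning lines themselves, with rkhunter's [HH:MM:SS] prefix stripped
# so that the output of repeated scans can be diffed without timestamp noise.
extract_warnings() {
    grep 'Warning:' "$1" 2>/dev/null | sed 's/^\[[^]]*\] *//'
}

# One-line verdict plus the warnings; returns 1 when anything needs review.
summarize_log() {
    log="${1:-$RKHUNTER_LOG}"
    n=$(count_warnings "$log")
    if [ "$n" -eq 0 ]; then
        printf 'rkhunter: no warnings recorded in %s\n' "$log"
        return 0
    fi
    printf 'rkhunter: %s warning(s) recorded in %s\n' "$n" "$log"
    extract_warnings "$log" | sed 's/^/  /'
    return 1
}

# Typical cron use (as root or via sudo):
#   run_scan; summarize_log || mail -s "rkhunter warnings on $(hostname)" admin@example.invalid
```

Keeping the warning extraction separate from the verdict makes it easy to store the stripped warning list after every scan and compare it with the previous one, so that a warning which first appeared right after a package upgrade can be told apart from one that appeared on its own.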

What to Do After a Detection

If rkhunter reports a suspicious finding, the correct approach is to investigate methodically rather than panic. The following steps are recommended.

Validate the Finding

The first priority is to determine whether the alert is genuine or a false positive. This may involve:

  • Checking the file hash
  • Verifying package ownership and integrity
  • Reviewing file permissions and timestamps
  • Inspecting active processes
  • Comparing the binary against trusted sources
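As an added illustration of that validation list (my own helper functions, not from the original article, rkhunter or dpkg), the following script collects the evidence for a single flagged binary: its hash against a reference, its owner, mode and timestamps, the package that shipped it and whether that package still verifies, and any process currently running it. It assumes a Debian/Ubuntu system with dpkg, GNU coreutils for sha256sum and stat, and procps for pgrep; the reference hash must come from a trusted copy of the file, which the page does not supply.

```shell
#!/bin/sh
# Added example, not an rkhunter feature: collect the evidence needed to
# decide whether a flagged binary (e.g. /usr/bin/ps) is genuine.
# Assumes Debian/Ubuntu (dpkg), GNU coreutils (sha256sum, stat), procps (pgrep).

# Compare the file's SHA-256 with a reference hash taken from a trusted
# source, such as the same package on a known-clean host. Returns 0 on match.
verify_hash() {
    actual=$(sha256sum "$1" | cut -d ' ' -f 1)
    [ "$actual" = "$2" ]
}

# Owner, mode and timestamps. A ctime newer than the last package upgrade,
# or a mode with setuid or world-write bits the package never set, is suspicious.
show_metadata() {
    stat -c 'owner=%U group=%G mode=%a mtime=%y ctime=%z %n' "$1"
}

# Which package shipped the file, and does that package still verify?
# dpkg --verify prints nothing when every recorded checksum matches.
# Returns 0 when verified, 1 when unpackaged or changed, 2 when dpkg is absent.
package_check() {
    command -v dpkg >/dev/null 2>&1 || { echo "dpkg not available, skipping package check"; return 2; }
    pkg=$(dpkg -S "$1" 2>/dev/null | head -n 1 | cut -d ':' -f 1)
    if [ -z "$pkg" ]; then
        echo "no package owns $1: unpackaged binary, investigate"
        return 1
    fi
    echo "owned by package: $pkg"
    if out=$(dpkg --verify "$pkg" 2>&1) && [ -z "$out" ]; then
        echo "dpkg --verify: all files of $pkg match their recorded checksums"
        return 0
    fi
    echo "dpkg --verify reported differences:"
    printf '%s\n' "$out"
    return 1
}

# Processes currently executing a program of this name (exact match).
show_processes() {
    pgrep -a -x "$(basename "$1")" || echo "no running process named $(basename "$1")"
}

# Run every check for one file; returns 1 if the hash or the package check fails.
validate_binary() {
    file="$1"; expected="$2"; status=0
    show_metadata "$file"
    if verify_hash "$file" "$expected"; then
        echo "sha256 matches reference"
    else
        echo "sha256 DOES NOT match reference"; status=1
    fi
    rc=0
    package_check "$file" || rc=$?
    if [ "$rc" -eq 1 ]; then status=1; fi
    show_processes "$file"
    return "$status"
}

# Usage: validate_binary /usr/bin/ps <sha256 obtained from a trusted source>
```

The point of running all four checks together is that each one can be fooled on its own: a replaced binary can be given the original timestamps, and a rootkit that hooks file reads can feed sha256sum and dpkg the original bytes, so a clean result from a tool running on the suspect host is only as trustworthy as that host. The hash and package data should therefore be compared with values taken from a clean system or from the package mirror, which is what the reference hash argument is for.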

Patch and Update the System

Outdated software is one of the most common causes of compromise. Make sure the system is fully updated.

sudo apt update && sudo apt upgrade -y

Updating the system helps close known vulnerabilities and may also eliminate warnings caused by inconsistent or outdated packages.

Review Running Services

Unnecessary or exposed services increase the attack surface of the server. Review which services are enabled and stop any that are no longer required.

Use Another Tool for Cross-Verification

Security analysis is always stronger when findings are validated with another tool. A common companion to rkhunter is chkrootkit.

Performing an Additional Scan with chkrootkit

Another well-known tool for checking Linux systems for rootkits is chkrootkit. While it works differently from rkhunter, it serves a similar purpose and can be used as a second opinion.

Install chkrootkit

sudo apt install chkrootkit -y

Run the Scan

sudo chkrootkit

Using both rkhunter and chkrootkit together can provide broader visibility and improve confidence in the results.

Reviewing Logs and Network Activity

If there is any suspicion of compromise, checking only rkhunter output is not enough. System logs and network activity should also be examined.

Check System Logs

journalctl -xe

This command helps identify service failures, suspicious login attempts, authentication issues, and unusual system behavior.

Check Listening Ports and Active Connections

ss -tulnp

This command shows open ports, listening services, and associated processes. It is especially useful for spotting unauthorized services, suspicious listeners, or unexpected outbound connections.
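To show how the ss output can be checked rather than only read, here is an added example of my own (not from the original article, rkhunter or iproute2): an awk filter that compares every listener in ss -tulnp output against an allowlist of expected protocol/port pairs and reports the rest. The column layout it assumes is the one ss prints with those flags (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process), and the sample output embedded in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of rkhunter or iproute2: flag listeners that are
# not on an allowlist. Reads "ss -tulnp" style lines on stdin.
# Allowlist format: space-separated proto/port pairs, e.g. "tcp/22 udp/53".
# Returns 1 when at least one unexpected listener was found.
audit_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "Netid" { next }                 # skip the header line
        {
            proto = $1
            port = $5; sub(/.*:/, "", port)    # text after the last colon
            proc = "?"                         # "?" when ss could not read the owner
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            key = proto "/" port
            if (!(key in ok)) {
                printf "UNEXPECTED %s %s (%s)\n", key, $5, proc
                bad++
            }
        }
        END { if (bad > 0) exit 1; exit 0 }
    '
}

# Constructed sample of ss -tulnp output for the demo: sshd on 22, the
# systemd resolver on 53, and an unexplained netcat listener on 4444.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=600,fd=12))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      4096   0.0.0.0:4444        0.0.0.0:*         users:(("nc",pid=2331,fd=3))'

# Run the filter over the constructed sample with a typical server allowlist.
demo_audit() {
    printf '%s\n' "$SAMPLE_SS" | audit_listeners "tcp/22 udp/53"
}

# On a live host: sudo ss -tulnp | audit_listeners "tcp/22 udp/53"
```

On the sample this prints UNEXPECTED tcp/4444 0.0.0.0:4444 (nc) and returns 1. The allowlist should describe what the server is meant to run, so the filter turns the question "does anything here look odd?" into "is there anything here we did not plan for?", which is the form that can be run from cron and alerted on. Remember that a kernel-level rootkit can hide sockets from ss itself, which is why the article also recommends an external view such as network monitoring or a scan from another host.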

Important Considerations When Using rkhunter

Although rkhunter is a useful security tool, it is important to understand its limitations.

  • Not every warning indicates a real compromise
  • Package updates may trigger integrity-related alerts
  • Customized or hardened systems may generate expected anomalies
  • Deeply compromised systems may attempt to evade detection

Because of this, rkhunter should be treated as a detection aid, not as the sole source of truth. Its results should always be interpreted alongside logs, package verification, system behavior, and other security tools.

What If a Serious Threat Is Confirmed?

If your investigation strongly suggests that the system has been compromised by a rootkit or another advanced threat, the safest course of action is usually not to clean the system in place. Instead, consider the following:

  • Isolate the server from the network
  • Preserve logs and disk images for forensic analysis
  • Restore from a known clean backup
  • Rebuild the system from scratch if necessary
  • Reset credentials and rotate keys
  • Review other systems on the same network for lateral movement

In cases where root-level compromise is suspected, complete trust in the system is often no longer possible. A rebuild is frequently the most secure option.

rkhunter is a practical and lightweight security tool that helps Linux administrators detect possible rootkits, backdoors, modified binaries, hidden files, and other indicators of compromise. It is easy to install, simple to use, and highly valuable as part of routine system auditing.

That said, rkhunter is not a complete defense solution on its own. The best results come from combining it with good patch management, log monitoring, network inspection, service hardening, and additional tools such as chkrootkit.

Linux security is never based on a single layer. It depends on continuous visibility, proactive maintenance, and regular validation. In that broader security model, rkhunter remains a useful and reliable tool for identifying issues that might otherwise go unnoticed.
