Rootkit Hunter - Security Monitoring and Analyzing Tool

Rootkit Hunter (RKH) is an easy-to-use tool which checks computers running UNIX (clones) for the presence of rootkits and other unwanted tools.


  • Before RKH starts it will check that certain required commands are present on the system. These are typical commands such as 'cat', 'sed', 'head', 'tail', etc. If a command is missing then RKH will not run.
  • Some tests require commands such as stat, readlink, sha256 or sha256sum. If these are not present, then RKH has perl scripts which will automatically be used instead. However, this requires perl, and certain modules, being present. If they are not, then the tests will be skipped. Readlink is provided as a script itself, and does not use perl. Other tests will use other commands. If the relevant command is not found on the system, then the test will be skipped.
  • A tool should be present with which to download file updates. Currently wget, curl, (e)links, lynx and GET are supported. If your system does not allow the possibility to install one of these applications, but does run perl, you can use 'bget' available from If you use another generic method of updating RKH then please let us know. Additionally, a non-standard command to be used for file downloads can be configured in the RKH configuration file.
  • Some tests require single-purpose tools. RKH does not depend on these, but it will use them if it finds them. They can enhance RKH's detection capabilities. The tools are:
    If the relevant tool is not found, then the test is skipped.
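The dependency rules above can be checked before installing. The following pre-flight script is an added example, not part of rkhunter or of the original page; the function names are hypothetical, and it only tests whether perl is present, not whether the perl modules RKH needs are installed.

```shell
#!/bin/sh
# Added example: helper names are illustrative and not part of rkhunter.

have() { command -v "$1" >/dev/null 2>&1; }

# Commands RKH needs before it will start. The page names these four as
# typical; RKH itself checks more. Prints the ones that are missing.
missing_required() {
    miss=""
    for c in cat sed head tail; do
        have "$c" || miss="$miss $c"
    done
    printf '%s\n' "${miss# }"
}

# How a test that needs a helper command will be satisfied. Arguments are
# alternative names for the same helper (e.g. sha256sum sha256).
#   native  - one of the commands is on PATH
#   script  - RKH falls back to its bundled script (perl, except readlink)
#   skipped - no command and no usable fallback
helper_mode() {
    for c in "$@"; do
        if have "$c"; then echo native; return 0; fi
    done
    if [ "$1" = readlink ] || have perl; then echo script; else echo skipped; fi
}

# First supported download tool on PATH; returns 1 if none is found.
find_downloader() {
    for c in wget curl elinks links lynx GET; do
        if have "$c"; then echo "$c"; return 0; fi
    done
    return 1
}

# Summary: returns 1 if RKH would refuse to run on this host.
preflight() {
    m=$(missing_required)
    [ -z "$m" ] || { echo "FATAL: missing required commands: $m"; return 1; }
    echo "stat: $(helper_mode stat)"
    echo "readlink: $(helper_mode readlink)"
    echo "sha256: $(helper_mode sha256sum sha256)"
    echo "downloader: $(find_downloader || echo none)"
}
```

Source the file and run `preflight` as the user that will run RKH, so that the same PATH is inspected.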


    Unpacking the tar file should produce a single directory called 'rkhunter-<version>', where '<version>' is the version number of rkhunter being installed. For example, the rkhunter-1.4.0.tar.gz tar file will produce the 'rkhunter-1.4.0' directory when unpacked. Within this directory is the installation script called ''.

    To perform a default installation of RKH simply unpack the tarball and, as root, run the installation script:
    tar zxf rkhunter-<version>.tar.gz
    cd rkhunter-<version>
    ./ --install
    Note: If some form of file permission error is shown, then check that the '' script is executable.

    RKH installation supports custom layouts. To show some examples run:
    ./ --examples
    The installer also has a help option:
    ./ --help
    The default installation process will install a configuration file, called 'rkhunter.conf', into the '/etc' directory or where you chose using the '--layout' switch. You can either edit the main configuration file itself, or create a 'local' configuration file for your own settings. This file, which must be called 'rkhunter.conf.local', must reside in the same directory as the main configuration file. Alternatively, or in addition if wished, you can create a directory, named 'rkhunter.d', in the same directory as the main configuration file. Within 'rkhunter.d' you can then create further configuration files. The only restriction is that the file names end in '.conf'.

    The main RKH script will be installed into the '/usr/local/bin' directory or where you chose using the '--layout' switch. Man pages will be installed into '/usr/local/share/man', and other documentation will be installed into the '/usr/local/share/doc' directory. RKH data files, language support, and a directory for temporary files will be installed into '/var/lib/rkhunter'. Finally, RKH support scripts will be installed into '/usr/local/lib/rkhunter/scripts', or, if using an x86_64 system, into '/usr/local/lib64/rkhunter/scripts'. All directories, except 'lib64', will be created where necessary.

    Before running RKH you will need to fill the file properties database by running the following command:
    rkhunter --propupd
    Note that if you want to use the package management tools provided by your distribution you will need to select a package manager. In the case of using RPM your command would be:
    rkhunter --propupd --pkgmgr RPM
    To run RKH, as root, simply enter the following command:
    rkhunter --check
    By default, the log file '/var/log/rkhunter.log' will be created. It will contain the results of the checks made by RKH.
    To see what other options can be used with rkhunter, enter:
    rkhunter --help
    or see the 'rkhunter' man page.

    NOTE: The first run of 'rkhunter' after installation may give some warning messages.

    Rootkit Hunter is a host-based, passive, post-incident, path-based tool.
    • Host-based means it only diagnoses the host you run it on.
    • Passive means it has to be scheduled or run manually.
    • Post-incident means it can only be effective when a breach of security is suspected, is in progress or has already occurred. Due to the nature of software that hides processes and files it may be beneficial to run Rootkit Hunter from a bootable medium if a breach of security is suspected and the machine can be booted from a bootable medium.
    • Path-based means RKH will check for filenames. It does not include or use heuristics or signatures as, for instance, an antivirus product could. Do understand that the SCANROOTKITMODE configuration option and "suspscan" functionality are just crude attempts to try and bridge that gap.

    Rootkit Hunter is best deployed as part of your security strategy.
    • Most breaches of security are preceded by reconnaissance. Regular system and log file auditing provides the necessary "early warning" capabilities.
    • RKH does not replace, or absolve you from performing, proper host hardening. Common administration errors that may result in a breach of security include failing to apply updates when they are released, misconfiguration, lack of access restrictions and lack of auditing. Please see your distribution documentation and search the 'net.
    • Do not rely on one tool or one class of tools. Consider installing same-class tools like Chkrootkit or OSSEC-HIDS and consider overlap as a Good Thing. Additionally it is suggested you install and use a separate filesystem integrity scanner like Samhain, Aide, Integrit, Osiris (or even tripwire) to provide you with a second opinion.
    • As with all data used for verifying integrity, it is recommended to regularly save a copy of your RKH data files off-site.
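
One way to take the off-site copy recommended above, as an added example that is not part of rkhunter or of the original page: it archives the data directory with a SHA-256 manifest and can later compare the live directory against a verified archive. The function names and archive naming are assumptions; '/var/lib/rkhunter' is the default data path given earlier.

```shell
#!/bin/sh
# Added example; function and file names are illustrative, not part of rkhunter.
# Assumes tar, gzip, sha256sum, diff and mktemp are available.

# Archive the RKH data directory and write a SHA-256 manifest beside it.
# $1 = data directory (default install: /var/lib/rkhunter), $2 = output directory
# Prints the path of the archive that was created.
snapshot_rkh_data() {
    src=${1%/}; out=$2
    [ -d "$src" ] && [ -d "$out" ] || return 2
    name="rkhunter-data-$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    tar -C "$(dirname "$src")" -czf "$out/$name" "$(basename "$src")" || return 1
    ( cd "$out" && sha256sum "$name" > "$name.sha256" ) || return 1
    printf '%s\n' "$out/$name"
}

# Check an archive against its manifest; non-zero if it is corrupted or altered.
verify_rkh_snapshot() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" ) >/dev/null 2>&1
}

# Compare a verified archive with the live data directory.
# $1 = archive, $2 = live data directory (same base name as when archived)
# Lists differing files; returns 0 if identical, 1 if they differ,
# 3 if the archive fails verification, 2 on other errors.
compare_rkh_snapshot() {
    archive=$1; live=${2%/}
    verify_rkh_snapshot "$archive" || return 3
    work=$(mktemp -d) || return 2
    tar -C "$work" -xzf "$archive" || { rm -rf "$work"; return 2; }
    diff -rq "$work/$(basename "$live")" "$live"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Typical use, as root, after 'rkhunter --propupd':
#   archive=$(snapshot_rkh_data /var/lib/rkhunter /root/rkh-backup)
# then copy "$archive" and "$archive.sha256" to storage that is not on this host.
```

Files under the data directory that RKH rewrites during normal runs will show up as differences; what matters is an unexpected change to the file properties database between two '--propupd' runs.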
