
How to Scan for Rootkits with rkhunter and chkrootkit

By Admin · Mar 2, 2026 · Updated Apr 23, 2026 · 27 views · 3 min read


Rootkits are stealthy malware that hide deep within the operating system to maintain persistent unauthorized access. Running regular rootkit scans on your Breeze instance using rkhunter and chkrootkit helps detect compromised binaries, suspicious files, and hidden processes before they cause damage.

Installing rkhunter

On Ubuntu or Debian:

sudo apt update
sudo apt install -y rkhunter

On AlmaLinux or Rocky Linux:

sudo dnf install -y epel-release
sudo dnf install -y rkhunter

Updating rkhunter

Before scanning, update the database and properties:

sudo rkhunter --update
sudo rkhunter --propupd

The --propupd command creates a baseline of known-good file properties that future scans compare against.

Running a Full rkhunter Scan

sudo rkhunter --check --skip-keypress
sudo grep Warning /var/log/rkhunter.log

The scan checks for known rootkits, suspicious file permissions, hidden files, suspicious strings in binaries, and network port usage.

Configuring rkhunter

Edit /etc/rkhunter.conf to customize the scan behavior:

# Allow --update to fetch data files from the mirrors
# (Debian/Ubuntu ship WEB_CMD="/bin/false", which blocks it)
UPDATE_MIRRORS=1
MIRRORS_MODE=0
WEB_CMD=""

# Whitelist known safe scripts (adjust as needed)
SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/bin/ldd

# Match the PermitRootLogin value in sshd_config (key-only root login) so it is not flagged
ALLOW_SSH_ROOT_USER=without-password

# Suppress false positive warnings
ALLOWHIDDENDIR=/dev/.udev
ALLOWDEVFILE=/dev/.udev/rules.d/root.rules

Installing chkrootkit

On Ubuntu or Debian:

sudo apt install -y chkrootkit

On AlmaLinux or Rocky Linux, build from source:

sudo dnf install -y gcc make wget
wget ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz
tar -xzf chkrootkit.tar.gz
cd chkrootkit-*
make sense
sudo cp chkrootkit /usr/local/bin/

Running a chkrootkit Scan

sudo chkrootkit

chkrootkit checks for signs of over 70 known rootkits, including LKM trojans, worm infections, and suspicious network interfaces in promiscuous mode.

Automating Scans with Cron

Schedule daily scans and email the results:

# Edit root's crontab (mail needs a local MTA, e.g. the mailutils package on Debian/Ubuntu)
sudo crontab -e

# Add daily rkhunter scan at 3 AM (--cronjob implies --check, --skip-keypress and --nocolors,
# so no ANSI colour codes end up in the email)
0 3 * * * /usr/bin/rkhunter --cronjob --report-warnings-only | mail -s "rkhunter Daily Scan" admin@yourdomain.com

# Add daily chkrootkit scan at 4 AM (add -q to mail only positive results instead of the full report)
0 4 * * * /usr/local/bin/chkrootkit | mail -s "chkrootkit Daily Scan" admin@yourdomain.com

Interpreting Results

Common findings and how to handle them:

  • "Warning: Hidden directory found" — investigate with ls -la; whitelist if it is a legitimate system directory
  • "Possible rootkit: Suspicious file" — verify with rpm -V or debsums to confirm file integrity
  • "Checking for promiscuous interfaces" — a NIC in promiscuous mode may indicate packet sniffing
  • "Application version checks" — outdated software flagged as vulnerable; update promptly
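The cron jobs above mail every report, and the list above tells you what to do with each finding. The following script is an added example, not part of the original article or of either tool: it counts the warnings in an rkhunter log and the positives in chkrootkit output, returns a non-zero status when there is something to look at (so a cron wrapper can mail only then), and extracts the paths rkhunter reported under "file properties have changed" so they can be checked with rpm -V or debsums. It assumes both tools' default output formats; the log excerpts it runs on are constructed.

```shell
#!/bin/sh
# Added example (not from the article or from either tool): summarise a finished
# scan so a cron wrapper mails only on findings, and list the files rkhunter
# flagged for checking with rpm -V or debsums. Sample data below is constructed.
# Count rkhunter warning lines in a log (default /var/log/rkhunter.log).
rkhunter_warnings() {
    # grep -c exits 1 when the count is 0; keep the count, ignore the status.
    grep -c 'Warning:' "${1:-/var/log/rkhunter.log}" || true
}

# Paths listed under "Warning: The file properties have changed:", which
# rkhunter logs as "[time]          File: /path".
rkhunter_changed_files() {
    sed -n 's/^.*[[:space:]]File: \(\/.*\)$/\1/p' "${1:-/var/log/rkhunter.log}" | sort -u
}

# Count chkrootkit positives: INFECTED, PACKET SNIFFER (promiscuous interface)
# and its Warning: lines. Case-sensitive, so "not infected" is not counted.
chkrootkit_hits() {
    grep -cE 'INFECTED|PACKET SNIFFER|Warning:' "$1" || true
}

# Print CLEAN or FINDINGS with counts; return 1 on findings so a cron
# wrapper can decide whether to pipe the report to mail.
scan_verdict() {
    rk=$(rkhunter_warnings "$1")
    ck=$(chkrootkit_hits "$2")
    if [ "$rk" -eq 0 ] && [ "$ck" -eq 0 ]; then
        echo "CLEAN"
        return 0
    fi
    echo "FINDINGS: rkhunter=$rk chkrootkit=$ck"
    return 1
}

# Stand-alone demo on constructed log excerpts (not output of a real scan).
demo() {
    rklog=$(mktemp) && cklog=$(mktemp)
    printf '%s\n' \
        '[03:00:07] Warning: The file properties have changed:' \
        '[03:00:07]          File: /usr/bin/ls' \
        '[03:00:09] Warning: Hidden directory found: /etc/.java' >"$rklog"
    printf '%s\n' \
        "Checking \`basename'... not infected" \
        "Checking \`sniffer'... eth0: PACKET SNIFFER(/usr/sbin/tcpdump[4242])" >"$cklog"
    rkhunter_changed_files "$rklog"        # prints /usr/bin/ls
    scan_verdict "$rklog" "$cklog" || echo "exit 1: findings present, send the report"
    rm -f "$rklog" "$cklog"
}
demo
```

In a cron wrapper, run the scanners first, then call scan_verdict on the log and the saved chkrootkit output and pipe the report to mail only when it returns 1.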

Best Practices

  • Run both tools — rkhunter and chkrootkit use different detection methods, providing complementary coverage
  • Baseline clean systems — run rkhunter --propupd immediately after a fresh Breeze deployment
  • Review warnings carefully — false positives are common; investigate each finding before panicking
  • Update signatures regularly — keep both tools updated to detect newly discovered rootkits
  • Combine with file integrity monitoring — use AIDE or OSSEC alongside rootkit scanners for defense in depth

Regular rootkit scanning is an essential part of maintaining a secure Breeze instance, catching compromises that other security tools may miss.
