
Scanning for Rootkits with rkhunter and chkrootkit

By Admin · Feb 25, 2026 · Updated Apr 24, 2026

Why Scan?

Rootkits are malicious tools that hide their presence (files, processes, network connections) on a compromised system. Regular scanning helps detect compromises that would otherwise go unnoticed.

Install rkhunter

sudo apt install -y rkhunter

# Update the signature/data files
sudo rkhunter --update

# Record the baseline of file properties (hashes, permissions) for the
# binaries rkhunter watches. Run this only on a known-clean system, right
# after installation or after legitimate package updates.
sudo rkhunter --propupd

# Run a scan (--sk skips the "press ENTER to continue" prompts)
sudo rkhunter --check --sk

Install chkrootkit

sudo apt install -y chkrootkit

# Run a scan (must be run as root to read all files and sockets)
sudo chkrootkit

Understanding Results

Both tools may report false positives. Both also run on the host they inspect, so a kernel-level rootkit can hide from them; treat a clean result as evidence, not proof. Common false positives:

  • /usr/bin/lwp-request — a legitimate Perl script from libwww-perl; rkhunter flags it because a command that should be a binary is a script (whitelist it with SCRIPTWHITELIST in /etc/rkhunter.conf once verified)
  • Hidden directories in /dev — some are normal (whitelist verified ones with ALLOWHIDDENDIR in /etc/rkhunter.conf)
  • Modified system binaries after updates — expected after package upgrades; rerun `rkhunter --propupd` to refresh the baseline once you have confirmed the update was legitimate

Automated Weekly Scans

#!/bin/bash
# /etc/cron.weekly/rootkit-scan  (make it executable; run-parts skips file names containing a dot)
rkhunter --check --sk --report-warnings-only | mail -s "Rootkit Scan: $(hostname)" admin@example.com
chkrootkit | grep -v "not found\|not infected\|nothing found" | mail -s "chkrootkit: $(hostname)" admin@example.com
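A noisy weekly mail is quickly ignored. The following wrapper is an added example (not part of rkhunter, chkrootkit, or the script above): it drops the lines both tools print for clean checks, keeps last week's report, and mails only findings that were not present in the previous run. STATE_DIR, MAILTO, the report file names and the sample scanner output are assumptions made for the example.

```shell
#!/bin/sh
# Added example wrapper for /etc/cron.weekly (not part of rkhunter or chkrootkit).
# STATE_DIR and MAILTO are assumed values; adjust for your host.
set -u
STATE_DIR="${STATE_DIR:-/var/lib/rootkit-scan}"
MAILTO="${MAILTO:-admin@example.com}"

# Remove the lines both tools print for clean checks, blank lines, and the
# lwp-request warning (a Perl script, verified benign on this host).
filter_findings() {
    grep -v -e 'not found' -e 'not infected' -e 'nothing found' -e 'not tested' |
        grep -v -e '^[[:space:]]*$' -e '/usr/bin/lwp-request'
}

# Print lines of the current report ($2) that are absent from the previous one ($1).
# A missing previous report (first run) means every finding is new.
new_findings() {
    prev=$(mktemp) && cur=$(mktemp) || return 1
    if [ -f "$1" ]; then sort -u "$1" > "$prev"; fi
    sort -u "$2" > "$cur"
    comm -13 "$prev" "$cur"
    rm -f "$prev" "$cur"
}

run_weekly_scan() {
    mkdir -p "$STATE_DIR"
    current="$STATE_DIR/current.txt"; previous="$STATE_DIR/previous.txt"
    {
        rkhunter --check --sk --nocolors --report-warnings-only 2>&1
        chkrootkit 2>&1
    } | filter_findings > "$current"
    new=$(new_findings "$previous" "$current")
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | mail -s "Rootkit scan: new findings on $(hostname)" "$MAILTO"
    fi
    mv -f "$current" "$previous"   # the full report for this week is kept here
}

# Constructed sample output (not from a real host) for a self-test of the filter.
sample_report() {
    cat <<'EOF'
Warning: The command '/usr/bin/lwp-request' has been replaced by a script: Perl script text executable
Warning: Hidden directory found: /dev/.udev
Warning: The file properties have changed:
Checking `ls'... not infected
Searching for Suckit rootkit... nothing found
EOF
}

# Only run the scanners when installed under the cron.weekly file name.
case "${0##*/}" in rootkit-scan) run_weekly_scan ;; esac
```

Because only new lines are mailed, an unresolved warning from last week is not re-sent; the complete filtered report is always available in STATE_DIR/previous.txt.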

After a Detection

  1. Isolate the server — block all traffic except your SSH session
  2. Investigate — check running processes, network connections, and recent file changes
  3. If confirmed — reimage the server from a clean backup
  4. Change all credentials and keys that were present on the server
