rkhunter (Rootkit Hunter) is a security tool used to detect rootkits on Linux and Unix-based systems. It examines system files, users, and other critical components to identify potentially harmful software and rootkits.
Key features of rkhunter include:
- Rootkit Detection: Checks for potential rootkit indicators and scans for malicious software.
- System File Inspection: Scans system files for abnormal changes.
- Backdoor Checks: Examines potential backdoors that could provide unauthorized access to the system.
- Hidden File Inspection: Detects hidden files and malicious users on the system.
- Critical Security Settings Check: Verifies important security settings on the system.
Installing rkhunter:
Here are basic commands to install rkhunter:
Debian/Ubuntu-Based Distributions (Using apt Package Management):
sudo apt update
sudo apt install rkhunter
Red Hat/Fedora/CentOS-Based Distributions (Using yum or dnf Package Management):
sudo yum install rkhunter
or
sudo dnf install rkhunter
openSUSE-Based Distributions (Using zypper Package Management):
sudo zypper install rkhunter
After installation, you can scan the system with the command `rkhunter --check`.
rkhunter Cheat Sheet:
- Run Rootkit Scan: `sudo rkhunter --check`
  Initiates a rootkit scan on the system.
- Update rkhunter Database: `sudo rkhunter --update`
  Updates the rkhunter database for the latest rootkit signatures.
- Display rkhunter Version: `rkhunter --versioncheck`
  Displays the installed version of rkhunter and checks whether a newer release is available.
- Update File Properties Database: `sudo rkhunter --propupd`
  Updates the file properties database used by rkhunter.
- Skip Keypress Prompts: `sudo rkhunter --check --sk`
  Runs the scan without pausing for a keypress between test groups (`--sk` is short for `--skip-keypress`), which is what an unattended or scripted run needs.
- Display Help and Options: `rkhunter --help`
  Shows the help menu with available options.
- Run Quietly (Suppress Output): `sudo rkhunter --check --quiet`
  Runs the scan quietly, suppressing normal output.
- Show Log File Entries: `sudo rkhunter --check --logfile /var/log/rkhunter.log --display-logfile`
  Writes the scan log to the given file and displays it at the end of the run.
- Report Warnings Only: `sudo rkhunter --update --rwo`
  Updates the data files and prints only warnings (`--rwo` is short for `--report-warnings-only`); the same option applies to `--check`.
- Custom Configuration File: `sudo rkhunter --configfile /path/to/custom.conf --check`
  Specifies a custom configuration file for rkhunter checks.
These commands provide a quick reference for using rkhunter
to scan for rootkits on Linux and Unix-based systems. Customize the commands based on your specific requirements.
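As an added example (not part of the original cheat sheet), the following POSIX shell wrapper combines the options above into an unattended scan and parses the warning lines rkhunter reports. The sample log lines are constructed, and the `--rwo` output format and the 0/1 exit codes are assumed to be those of current rkhunter releases.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: wraps an unattended
# rkhunter run and parses the "Warning:" lines it reports.

# Constructed sample of rkhunter log lines (not output of a real scan).
SAMPLE_LOG="[10:02:11] Info: Starting system checks
[10:02:12] Checking for prerequisites [ OK ]
[10:02:13] Warning: The file properties have changed: File: /usr/bin/example
[10:02:14] Checking for hidden files and directories [ OK ]
[10:02:15] Warning: Hidden directory found: /dev/.constructed-example
[10:02:16] Info: System checks summary"

# Scan command for scheduled runs: --sk (--skip-keypress) so it never waits
# for a keypress, --rwo (--report-warnings-only) so only warnings are printed.
scan_command() {
    printf '%s\n' "rkhunter --check --sk --rwo"
}

# Print the text of every Warning line read from stdin, dropping the
# "[HH:MM:SS]" timestamp that the log file prefixes to each line.
extract_warnings() {
    sed -n '/Warning: /{s/^\[[0-9:]*\] *//; s/^Warning: //; p;}'
}

# Count Warning lines on stdin, printing 0 instead of failing when none match.
count_warnings() {
    grep -c 'Warning:' || true
}

# Run the scan and act on the exit status: rkhunter exits 0 when no warnings
# were found and 1 when a warning was raised or an error occurred. Do not
# answer a warning with --propupd: it accepts the current file properties as
# the new baseline, so run it only right after a trusted package update.
run_scan() {
    if ! command -v rkhunter >/dev/null 2>&1; then
        echo "rkhunter is not installed" >&2
        return 2
    fi
    if output=$(sudo $(scan_command) 2>&1); then
        echo "clean: no warnings reported"
        return 0
    fi
    echo "$(printf '%s\n' "$output" | count_warnings) warning(s) reported:"
    printf '%s\n' "$output" | extract_warnings
    return 1
}
```

Call `run_scan` from a cron job and alert on a non-zero return; the parsers also work on an existing `/var/log/rkhunter.log` fed through stdin.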