In an age where cybersecurity is a daily concern, you have to protect yourself. And that’s what we are going to do with Rkhunter.
Let’s remove rootkits, backdoors and other exploits from your PC.
| Table of contents |
| Introduction |
| Installation |
| Running Rkhunter |
| Resources |
Introduction: What is Rkhunter?
But first of all, let’s learn what Rkhunter is and what can it do for us.
Rkhunter is a tool that scans your computer for rootkits, backdoors, vulnerabilities, and local exploits. And, in case you don’t know:
- A rootkit enables access to a computer. It stays at the root (hence the name, root and kit) and gives remote access and control to a malicious person. Nothing you want to do.
- A backdoor can let a hacker bypass any security system. Firewalls, antivirus, etc mean nothing once a backdoor has been established.
- A vulnerability is a flaw in a computer system that can be taken advantage of.
- And, finally, exploits are pieces of software that can take advantage of existing bugs, errors or vulnerabilities in a system. From taking your bank data to stealing your passwords, and encrypting your data… anything is possible.
You don’t want this. And, to solve it, we are going to use Rkhunter, a great and easy-to-use tool.
Installation
To install Rkhunter, first update your Linux packages list, then install Rkhunter:
sudo apt-get update sudo apt-get install rkhunter
Shortly, you will be prompted with this screen:
I picked Local only, but if you want to get emails from Rkhunter, select your preferred option and configure it.
After everything is installed, check that Rkhunter is properly installed:
rkhunter -V
As I’m running this code on October 2023, I got the following message:
Rootkit Hunter 1.4.6
You may have a newer version. But now, let’s configure it.
vim /etc/rkhunter.conf
And change the following lines:
107 UPDATE_MIRRORS=1 122 MIRRORS_MODE=0 1190 WEB_CMD=""
We set up the mirror options to let Rkhunter update. Let’s update it now:
sudo rkhunter --update sudo rkhunter --propupd
Everything should be set up now, as we have updated everything. Time for the fun stuff.
Running Rkhunter
To run Rkhunter, simply run:
sudo rkhunter --check
First, it will check general, shareable files in the /usr/ directory. After that, it will check for known rootkits (remember to update before running Rkhunter!), then, additional rootkit checks, malware checks, Linux-specific checks, your network and local host, etc.
At the end, you’ll be prompted with a summary:
Luckily, you won’t have any warning, but I do. I’m going to run again the check with a special flag:
sudo rkhunter --check --rwo
This will run Rkhunter silently, only displaying any warning messages, in case it finds one or more of them.
Compared to the previous command, this one is way less verbose.
The only warnings I have are the ones regarding lwp-request, a false positive that gets flagged because it allows making HTTP requests, and an SSH misconfiguration. But nothing major.
P.S. If you don’t want to get a warning every time on safe files you run Rkhunter, you can add this to your /etc/rkhunter.conf file:
SCRIPTWHITELIST=/usr/bin/lwp-request
Keep running Rkhunter from time to time to keep your computer safe and rootkit free 🙂
