Rkhunter tutorial – Protect your PC

In an age where cybersecurity is a daily concern, you have to protect yourself. And that’s what we are going to do with Rkhunter.

Let’s remove rootkits, backdoors and other exploits from your PC.

Table of contents
Introduction
Installation
Running Rkhunter
Resources

Introduction: What is Rkhunter?

But first of all, let’s learn what Rkhunter is and what it can do for us.

Rkhunter is a tool that scans your computer for rootkits, backdoors, vulnerabilities, and local exploits. And, in case you don’t know:

  • A rootkit gives an attacker hidden access to a computer. It runs with root privileges (hence the name: root, plus a kit of tools) and hands remote access and control to a malicious person. Nothing you want.
  • A backdoor lets an attacker bypass the normal security controls. Firewalls, antivirus, etc. mean nothing once a backdoor has been established.
  • A vulnerability is a flaw in a computer system that can be taken advantage of.
  • And, finally, exploits are pieces of software that take advantage of existing bugs, errors or vulnerabilities in a system. From taking your bank data to stealing your passwords and encrypting your files… anything is possible.

You don’t want this. And, to solve it, we are going to use Rkhunter, a great and easy-to-use tool.

Installation

To install Rkhunter, first update your Linux packages list, then install Rkhunter:

sudo apt-get update
sudo apt-get install rkhunter

Shortly, you will be prompted with this screen:

Rkhunter mail configuration

I picked Local only, but if you want to get emails from Rkhunter, select your preferred option and configure it.

After everything is installed, check that Rkhunter is properly installed:

rkhunter -V

I ran this in October 2023 and got the following message:

Rootkit Hunter 1.4.6

You may have a newer version. But now, let’s configure it.

sudo vim /etc/rkhunter.conf

And change the following lines:

107  UPDATE_MIRRORS=1
122  MIRRORS_MODE=0
1190 WEB_CMD=""

These mirror options allow Rkhunter to download its data files (the Debian package ships with downloads disabled via WEB_CMD="/bin/false"). Let’s update it now:

sudo rkhunter --update
sudo rkhunter --propupd

Everything should be set up now: --update refreshes the rootkit databases, and --propupd records a baseline of file properties (hashes, permissions, etc.) that later checks are compared against, so run it on a system you trust to be clean. Time for the fun stuff.

Running Rkhunter

To run Rkhunter, simply run:

sudo rkhunter --check

First, it checks system binaries and other shared files in the /usr/ directory. After that, it checks for known rootkits (remember to update before running Rkhunter!), then runs additional rootkit checks, malware checks, Linux-specific checks, network and local host checks, etc.

At the end, you’ll be prompted with a summary:

Rkhunter summary

Hopefully you won’t have any warnings, but I do. I’m going to run the check again with a special flag:

sudo rkhunter --check --rwo

This runs Rkhunter quietly and prints only warning messages (--rwo stands for "report warnings only"), in case it finds one or more of them.

Rkhunter scan for warnings

Compared to the previous command, this one is way less verbose.

The only warnings I have are the ones regarding lwp-request, a false positive that gets flagged because it allows making HTTP requests, and an SSH misconfiguration. But nothing major.

P.S. If you don’t want to get a warning about known-safe files every time you run Rkhunter, you can add this to your /etc/rkhunter.conf file:

SCRIPTWHITELIST=/usr/bin/lwp-request
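As an added example (not part of the original post), here is a small helper script that verifies the three mirror settings edited above and filters an rkhunter log down to its warning lines, which is handy when Rkhunter runs from cron rather than interactively. The config and log excerpts inside it are constructed samples, and the paths are passed in as arguments.

```shell
# Returns 0 when every required KEY=VALUE line is present and uncommented in $1.
check_rkhunter_conf() {
    conf="$1"; missing=0
    for setting in 'UPDATE_MIRRORS=1' 'MIRRORS_MODE=0' 'WEB_CMD=""'; do
        if ! grep -q "^${setting}\$" "$conf"; then
            echo "missing or commented out: $setting"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Prints the unique "Warning:" lines of an rkhunter log ($1), timestamps stripped,
# so a scheduled run can be reviewed the way --rwo shows an interactive one.
rkhunter_warnings() {
    grep 'Warning:' "$1" | sed 's/^\[[^]]*\] *//' | sort -u
}

# Constructed sample config: WEB_CMD still holds the Debian default that
# blocks downloads, so the check below reports it.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
UPDATE_MIRRORS=1
MIRRORS_MODE=0
#WEB_CMD=""
WEB_CMD="/bin/false"
EOF

# Constructed sample log excerpt (not a real scan) with one warning repeated.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
[12:00:01] Info: Starting test name 'properties'
[12:00:05] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
[12:00:09] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[12:00:09] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
EOF

check_rkhunter_conf "$sample_conf" || echo "fix the settings above before running rkhunter --update"
rkhunter_warnings "$sample_log"
```

On a real machine, point the functions at /etc/rkhunter.conf and /var/log/rkhunter.log instead of the sample files.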

Keep running Rkhunter from time to time to keep your computer safe and rootkit free 🙂

Resources

Rkhunter docs

What is a rootkit?

Vulnerabilities