rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in an online database, searching for the default directories used by rootkits, wrong permissions, hidden files and suspicious strings in kernel modules, and running special tests for Linux and FreeBSD. Because rootkits install themselves into system files they cannot be removed easily; however, rkhunter will still notify you of any rootkits that may exist on your system so that you can take the necessary steps to reload any of your hosting servers. One of the best features of RKHunter is that the end-user can configure it to run on a daily basis. Experts recommend RKH because it ensures that rootkits are not affecting your server.
Unpacking the tar file should produce a single directory called
‘rkhunter-<version>’, where ‘<version>’ is the version number of rkhunter
being installed. For example, the rkhunter-1.3.6.tar.gz tar file will produce
the ‘rkhunter-1.3.6’ directory when unpacked. Within this directory is the
installation script called ‘installer.sh’.
To perform a default installation of RKH simply unpack the tarball and,
as root, run the installation script:
==
tar zxf rkhunter-<version>.tar.gz
cd rkhunter-<version>
./installer.sh --install
==
Note: If some form of file permission error is shown, then check that the
‘installer.sh’ script is executable.
——-
To run RKH, as root, simply enter the following command:
rkhunter --check
——-
By default, the log file ‘/var/log/rkhunter.log’ will be created. It
will contain the results of the checks made by RKH.
To see what other options can be used with rkhunter, enter:
rkhunter --help
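The text above mentions the log file and running RKH daily. As an added example (not part of rkhunter or this page), the following script wraps a scheduled run and then inspects the log for "Warning:" lines, so the scheduler can alert only when something was flagged. It assumes the rkhunter options --cronjob, --report-warnings-only and --logfile that are listed in rkhunter's own --help; the sample log is constructed, not output from a real host.

```sh
#!/bin/sh
# Added example: summarise rkhunter warnings from its log and gate a daily run on them.

# Print the "Warning:" lines from an rkhunter log file, stripping the
# leading "[HH:MM:SS]" timestamp that rkhunter writes on each line.
rkh_warnings() {
    sed -n 's/^\[[0-9:]*\] *Warning: *//p' "$1"
}

# Return 0 when the log contains no warnings, 1 otherwise.
rkh_log_clean() {
    [ "$(rkh_warnings "$1" | wc -l)" -eq 0 ]
}

# Scheduled (cron) run: write a fresh log and exit non-zero if any warning
# was recorded, so a scheduler or monitoring job can raise an alert.
# Assumes rkhunter's --cronjob, --report-warnings-only and --logfile options.
rkh_daily_check() {
    log="${1:-/var/log/rkhunter.log}"
    rkhunter --check --cronjob --report-warnings-only --logfile "$log" >/dev/null 2>&1
    rkh_log_clean "$log"
}

# Constructed sample log (hypothetical values, not captured from any system),
# so the parsing above can be exercised without rkhunter installed.
SAMPLE_LOG="${TMPDIR:-/tmp}/rkhunter-sample.log"
cat >"$SAMPLE_LOG" <<'EOF'
[09:00:01] Info: Starting test name 'system_commands'
[09:00:02] Info: Checking for prerequisites                   [ OK ]
[09:00:03] Warning: The command '/usr/bin/ls' has been replaced by a script: /usr/bin/ls: POSIX shell script
[09:00:04] Info: Checking for hidden files and directories   [ OK ]
[09:00:05] Warning: Hidden file found: /dev/.udev/rules.d/root.rules
EOF

if rkh_log_clean "$SAMPLE_LOG"; then
    echo "no warnings in $SAMPLE_LOG"
else
    echo "warnings found in $SAMPLE_LOG:"
    rkh_warnings "$SAMPLE_LOG"
fi
```

In a real deployment, replace SAMPLE_LOG with the path used by rkh_daily_check and call that function from cron; its exit status reflects whether the log is clean.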