
How do I scan my Linux system for rootkits, worms, trojans, etc.?


On this page

  1. chkrootkit
  2. rkhunter

Either with chkrootkit or with rkhunter; both are covered below. Run them as root, since they need to inspect every process, socket and binary on the system, and treat a clean result as weak assurance only: both tools look for known rootkits, and a kernel-level rootkit that hides files and processes from userland can hide from them as well.

chkrootkit

Either install the package that comes with your distribution (on Debian you would run

apt-get install chkrootkit

), or download the sources from www.chkrootkit.org and install manually:

wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvfz chkrootkit.tar.gz
cd chkrootkit-<version>/
make sense

Afterwards, you can move the chkrootkit directory somewhere else, e.g. /usr/local/chkrootkit:

cd ..
mv chkrootkit-<version>/ /usr/local/chkrootkit

Now you can run chkrootkit manually:

cd /usr/local/chkrootkit
./chkrootkit

(if you installed your distribution's chkrootkit package, the binary will be elsewhere, e.g. /usr/sbin/chkrootkit on Debian, and is already in root's PATH).

You can also run chkrootkit from a cron job and get the results emailed to you:

Run

crontab -e

to create a cron job like this:

0 3 * * * (cd /usr/local/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output my server" you@example.com)

That runs chkrootkit every night at 3:00 and mails you the output. The directory must match where you put chkrootkit above (/usr/local/chkrootkit, or the package location); cron does not search your interactive shell's working directory.

rkhunter

Download the latest rkhunter sources from www.rootkit.nl:

wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
tar xvfz rkhunter-1.2.7.tar.gz
cd rkhunter/
./installer.sh

This will install rkhunter to the directory /usr/local/rkhunter. Now run

rkhunter --update

to download the latest rootkit/trojan/worm signatures (you should do this regularly, ideally right before each scan).

Now you can scan your system for malware by running

rkhunter -c
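Both sections above end with a manual scan and a bare cron line that mails the whole report every night. As an added example (not part of the original tutorial, and not code from either project), here is a cron wrapper that runs chkrootkit and rkhunter non-interactively, keeps the full reports under a log directory, reduces them to the lines that were actually flagged, drops findings you have already verified as false positives, and only sends mail when something is left. The paths, mail address and whitelist location are assumptions for this example; the rkhunter options are those of current releases, so check `rkhunter --help` on the version you installed.

```sh
#!/bin/sh
# rootkit-scan.sh: added example, not from the original tutorial.
# Runs chkrootkit and rkhunter from cron, keeps the full reports, and mails
# only the flagged lines minus a whitelist of verified false positives.
# Paths, mail address and whitelist location are assumptions; adjust them.

CHKROOTKIT=/usr/local/chkrootkit/chkrootkit   # or /usr/sbin/chkrootkit (Debian package)
RKHUNTER=/usr/local/rkhunter/bin/rkhunter     # where installer.sh put it (assumption)
WHITELIST=/etc/rootkit-scan.whitelist         # one verified false-positive line per entry
LOGDIR=/var/log/rootkit-scans
MAILTO=root

# Reduce a chkrootkit report (stdin) to the lines that need a human (stdout).
# chkrootkit prints one line per check; clean checks end in "not infected",
# "not found", "nothing found" or "nothing deleted", problems say INFECTED,
# "Warning: Possible ..." or name a PACKET SNIFFER. Exit status is grep's:
# 0 if anything was flagged, 1 if the report is clean.
chkrootkit_findings() {
    grep -E 'INFECTED|Warning|Possible|PACKET SNIFFER' \
        | grep -v -E 'not infected|not found|nothing (found|deleted)'
}

# Same for rkhunter: "[ Warning ]" in the per-test table, or lines starting
# with "Warning:" when run with --report-warnings-only.
rkhunter_findings() {
    grep -E '\[ Warning \]|^Warning:'
}

# Drop findings listed in the whitelist file ($1). Entries are fixed strings
# (-F) that must match a whole line (-x), so whitelisting the dhclient
# "PACKET SNIFFER" line on one interface cannot hide a different sniffer.
apply_whitelist() {
    if [ -s "$1" ]; then
        grep -v -x -F -f "$1"
    else
        cat
    fi
}

# Run both scanners, keep the full logs, mail whatever survives the
# whitelist. Returns 1 when findings were mailed, 0 when the host is clean.
run_scans() {
    stamp=$(date +%Y-%m-%d)
    mkdir -p "$LOGDIR"
    "$CHKROOTKIT" > "$LOGDIR/chkrootkit-$stamp.log" 2>&1
    # --cronjob implies --check, --skip-keypress and --nocolors on current
    # rkhunter; --report-warnings-only limits output to the Warning: lines.
    "$RKHUNTER" --cronjob --report-warnings-only > "$LOGDIR/rkhunter-$stamp.log" 2>&1
    {
        chkrootkit_findings < "$LOGDIR/chkrootkit-$stamp.log"
        rkhunter_findings   < "$LOGDIR/rkhunter-$stamp.log"
    } | apply_whitelist "$WHITELIST" > "$LOGDIR/findings-$stamp.txt"
    if [ -s "$LOGDIR/findings-$stamp.txt" ]; then
        mail -s "rootkit scan findings on $(hostname)" "$MAILTO" \
            < "$LOGDIR/findings-$stamp.txt"
        return 1
    fi
    return 0
}

# Only scan when invoked with --run, so the filter functions above can be
# sourced and tested without touching the system. Cron line (assumption):
#   0 3 * * * /usr/local/sbin/rootkit-scan.sh --run
if [ "${1-}" = "--run" ]; then
    run_scans
fi
```

Install it as /usr/local/sbin/rootkit-scan.sh, mode 0700 and owned by root, and point root's crontab at it instead of the one-liner. Keeping the unfiltered reports matters more than the mail: when a finding does show up you want the previous nights' logs to see when it first appeared. Add a line to the whitelist only after you have checked the flagged file or process by hand (the classic case is chkrootkit reporting dhclient as a packet sniffer, which is expected on a DHCP client); never whitelist on a keyword.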

Falko Timme

About Falko Timme

Falko Timme is an experienced Linux administrator and founder of Timme Hosting, a leading nginx business hosting company in Germany. He is one of the most active authors on HowtoForge since 2005 and one of the core developers of ISPConfig since 2000. He has also contributed to the O'Reilly book "Linux System Administration".


Comments

By: nop

rkhunter --check --enable all --disable none

By: John

*** WARNING ****

This does not look safe... I do not recommend an insecure connection...

Resolving rootkit.nl... 149.210.134.182
Connecting to rootkit.nl|149.210.134.182|:443... connected.
ERROR: certificate common name `cisofy.com' doesn't match requested host name `rootkit.nl'.
To connect to rootkit.nl insecurely, use `--no-check-certificate'.

By: till

Seems as if the author of rkhunter renamed his tool to Lynis and placed it on the domain cisofy.com.

https://cisofy.com/files/lynis-2.1.1.tar.gz