Three Tools to Scan a Linux Server for Viruses, Malware and Rootkits

Servers connected to the Internet are exposed to a constant stream of attacks and scans throughout the day. While a firewall and regular system updates are a good first defense to keep the system safe, you should also regularly check that no attacker has infiltrated. The tools described in this tutorial are made for these tests, scanning for malware, viruses and rootkits. They should be run regularly, for example every night, and send you reports via email. You can also use Chkrootkit, Rkhunter and ISPProtect to scan a system when you notice suspicious activity, such as high load, suspicious processes or when the server suddenly starts sending malware.

All these scanners must be run as root users. Log in as root before running them. On Ubuntu, use:

sudo -s

to become the root user.

chkrootkit - Linux Rootkit Scanner

Chkrootkit is a classic rootkit scanner. It checks your server for suspicious rootkit processes and checks for a list of known rootkit files.

Either install the package that comes with your distribution (on Debian and Ubuntu you would run

apt-get install chkrootkit

CHKrootkit installation

), or download the sources from and install manually:

wget --passive-ftp
tar xvfz chkrootkit.tar.gz
cd chkrootkit-*/
make sense

Build CHKRootkit from source

Afterward, you can move the chkrootkit directory somewhere else, e.g. to /usr/local/chkrootkit:

cd ..
mv chkrootkit-<version>/ /usr/local/chkrootkit

and create a symlink for easy access:

ln -s /usr/local/chkrootkit/chkrootkit /usr/local/bin/chkrootkit

To check your server with chkrootkit, run the command:


A common false positive report is:

Checking `bindshell'...                                     INFECTED (PORTS:  465)

Don't worry when you get this message on an email server, this is the SMTPS (Secure SMTP) port of your mail system and a well known false positive.

You can even run chkrootkit by a cron job and get the results emailed to you. First, find out the path where chkrootkit is installed on your server with:

which chkrootkit


[email protected]:/tmp/chkrootkit-0.52# which chkrootkit

Chkrootkit is installed in the path /usr/sbin/chkrootkit, we need this path in the cron line below:


crontab -e

To create a cron job like this:

0 3 * * * /usr/sbin/chkrootkit 2>&1 | mail -s "chkrootkit output of my server" [email protected])

That would run chkrootkit every night at 3:00. Replace the path to chkrootkit with the path you received from the above command and exchange the email address with your actual address.

Lynis - Universal Security Auditing Tool and Rootkit Scanner

Lynis (formerly rkhunter) is a security auditing tool for Linux and BSD-based systems. It performs detailed auditing of many security aspects and configurations of your system. Download the latest Lynis sources from

cd /tmp
tar xvfz lynis-3.0.7.tar.gz
mv lynis /usr/local/
ln -s /usr/local/lynis/lynis /usr/local/bin/lynis

Install Lynis security scanner

This will install Lynis to the directory /usr/local/lynis and creates a symlink for easy access. Now run

lynis update info

to check if you use the latest version.

Updating Lynis sec scanner

Now you can scan your system for rootkits by running:

lynis audit system

Lynis will perform a few checks and then stops to give you some time to read the results. Press [ENTER] to continue with the scan.

Linux security audit

In the end, it will show you a summary of the scan.

Security Audit result from Lynis

To run Lynis non-interactively, start it with the --quick option:

lynis --quick

To run Lynis automatically at night, create a cron job like this:

0 3 * * * /usr/local/bin/lynis --quick 2>&1 | mail -s "lynis output of my server" [email protected])

This will run Lynis every night a 3:00h. Replace the email address with your real address.

ISPProtect - Website Malware Scanner

ISPProtect is a malware scanner for web servers, it scans for malware in website files and CMS systems like WordPress, Joomla, Drupal etc. If you run a web hosting server, then the hosted websites are the most attacked part of your server and it is recommended to do sanity checks on them regularly. ISPProtect contains 5 scanning engines:

  • Signature-based malware scanner.
  • Heuristic malware scanner.
  • A scanner to show the installation directories of outdated CMS systems.
  • A scanner that shows you all the outdated WordPress plugins of the whole server.
  • A database content scanner that checks MySQL databases for potentially malicious content.

ISPProtect is not free software, but there is a free trial that can be used without registration to check your server for malware or clean an infected system. The free license key to use the full version of the software once on your server is simply 'trial'.

ISPProtect requires PHP and ClamAV to be installed on the server, this should be the case on most hosting systems. ClamAV is used by ISPProtect in the first scan level with ISPProtect's own Malware signature set. In case you don't have a command-line PHP installed yet, execute:

sudo apt install php7.4-cli php7.4-curl clamav

on Debian 11 or Ubuntu 20.04 or

yum install PHP php-curl

on AlmaLinux, Fedora, CentOS or Rocky Linux.

Run the following commands to install ISPProtect.

mkdir -p /usr/local/ispprotect
chown -R root:root /usr/local/ispprotect
chmod -R 750 /usr/local/ispprotect
cd /usr/local/ispprotect
tar xzf ispp_scan.tar.gz
rm -f ispp_scan.tar.gz
ln -s /usr/local/ispprotect/ispp_scan /usr/local/bin/ispp_scan

To start ISPProtect, run:


The scanner automatically checks for updates, then asks for the key (enter the word "trial" here) and then asks for the path of the websites, normally that's /var/www.

Scan Linux for malware with ISPProtect

Please enter scan key: <-- trial
Please enter path to scan: <-- /var/www

The scanner will now start the scan. Scanning progress is shown. The names of the infected files are shown on the screen at the end of the scan and the results are stored in file in the ISPProtect install directory for later use:

ISPProtect Scan progress

To update ISPProtect, run the command:

ispp_scan --update

To run ISPProtect automatically as a nightly cronjob, create a cron file with nano:

nano /etc/cron.d/ispprotect

and insert the following line:

0 3  * * *   root	/usr/local/ispprotect/ispp_scan --update && /usr/local/ispprotect/ispp_scan --path=/var/www [email protected] --non-interactive --scan-key=AAA-BBB-CCC-DDD

Replace "[email protected]" with your email address, the scan report is sent to this address. Then exchange "AAA-BBB-CCC-DDD" with your license key. You can get a license key here.

A full list of command-line options of ISPProtect ispp_scan command can be obtained with:

ispp_scan --help

Share this page:

17 Comment(s)

Add comment

Please register in our forum first to comment.


By: Randy Thompson

Nothing on clamav?

By: Warren

ISPProtect requires clamav to be installedapt-get install clamavI've also found rkhunter useful. Ubuntu: apt-get install rkhunter

Redhat / CentOS: cd /tmpwget -xzvf rkhunter-1.4.2.tar.gzcd rkhunter-1.4.2./ --layout default --installUpdate:rkhunter --updaterkhunter --propupd


Scan:rkhunter --checkScan without Prompts:rkhunter --check --skip-keypress

By: till

The software Lynis that I covered above is the new software from the author of rkhunter. As far as I can see, it includes the rkhunter functionality and replaces it.

By: Warren

Good to know Thank you :)

By: Warren

Unhide is also usefulUbuntu: apt-get install unhideRedhat/CentOS: yum install unhide

Compile Manually:

#pre-requisitesyum install gccyum install glibc-static

#downloadcd /tmpwget -zxvf unhide-20121229.tgzcd unhide-20121229

#compilegcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linuxgcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c  -o unhide-tcp

#create symbolic linkcp unhide-linux unhide-tcp /usr/local/bin && cd /usr/local/bin/ && ln -s unhide-linux unhide

#helpunhide -h

#scanunhide -f sysunhide -f procunhide-tcp

By: Warren

I'm not sure why all my spacing is wrong...Try this again;


ISPProtect requires clamav to be installed

apt-get install clamav


I've also found rkhunter useful. 

Ubuntu: apt-get install rkhunter


Redhat / CentOS: 

cd /tmp


tar -xzvf rkhunter-1.4.2.tar.gz

cd rkhunter-1.4.2

./ --layout default --install



rkhunter --update

rkhunter --propupd



rkhunter --check


Scan without Prompts:

rkhunter --check --skip-keypress



Unhide is also useful

Ubuntu: apt-get install unhide

Redhat/CentOS: yum install unhide


Compile Manually:

yum install gcc

yum install glibc-static

cd /tmp


tar -zxvf unhide-20121229.tgz

cd unhide-20121229

gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux

gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c  -o unhide-tcp

cp unhide-linux unhide-tcp /usr/local/bin && cd /usr/local/bin/ && ln -s unhide-linux unhide



unhide -h



unhide -f sys

unhide -f proc


By: Liam

Thanks for mentioning unhide. Nice tool!

By: Jesse Norell

If you install chkrootkit from debian package, it comes with a cronjob already, just set RUN_DAILY="true" in /etc/chkrootkit.conf.

By: tilaris


for the new lynis

By: Arounan


for the new lynis

By: Mr. Mister

Well done my friend. Very helpful and useful article.

By: danish

great one brah. very helpful

By: felan

lynis is avalable in Debian repo. And the syntax I had to use was lynis --auditor system and not lynis audit system. Just a little info :)

By: Jeff Huckaby

No tool or set of tools is 100% complete. For better rookits, they can avoid detection by all of these tools. 

With RPM based systems, you can use rpm -V to verify a package against its manifest.    You can also use md5sum and compare binaries to known good ones.  

Also you can never trust even the most basic commands when working on a potentially rooted system.  If taking the server offline is not a possibility, then I recommend using statically compiled tools.  This way you can assure that the libs things like bash, lsof, ps and others link into are not hacked.   

For simpler rootkits often used by botnets, I find they often set the immutable bit on files in *bin directories.  You can easily check this using lsattr and look for s - i -a attributes in tools like ps, find etc. 


By: felan

Linux Malware Detection is also worth looking in to. There are scripts on here to install it on debian/ubuntu, but here is a link to their website:

By: Bo Nilsson


I am in the process of building a system for single board computers. I am currently using suricata. I am not a full blown security expert. I am wondering if you would be able to point me in the direction of existing joint ventures working on puting inexpensive hardware and opensource between everybody and the internet. Giving experts something to work on to automate some sort of response to what is happening with our internet.Sincerely,



By: Jon

How do you update Lynis on ubuntu using command line?? Installed and say out of date. Is this trick to get you to buy enterprise?