Rootkit Hunter and ChkRootKit

Anyone else using this?

Install it:
sudo apt install rkhunter

Run it:
sudo rkhunter -c --enable all

Or this:

Install it:
sudo apt install chkrootkit

Run it:
sudo chkrootkit

Or, to run them both from a keyboard shortcut:
gnome-terminal -- /bin/sh -c 'sudo rkhunter --update; sudo rkhunter -c --enable all; sudo chkrootkit; echo "$(read -r -p "Press Enter to exit..." key)"'

One thing I will note: if you run prelink (which speeds up DLL loading to speed up program loading), rkhunter complains (until you run sudo rkhunter --propupd) because, in updating the linked library links, prelink changes the checksums of the executables. I didn't notice much of a speed increase using prelink.

2 Likes

I occasionally use Rkhunter and always run these 4 commands in sequence:

sudo rkhunter --propupd --pkgmgr dpkg

sudo rkhunter --update

sudo rkhunter --check --pkgmgr dpkg

sudo less /var/log/rkhunter.log

3 Likes
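As an added example (not posted by anyone in this thread), a small shell helper that pulls the "Warning:" lines out of an rkhunter log instead of paging through the whole file with less. It assumes the log's usual "[HH:MM:SS] Warning: ..." line shape; the sample log it writes is constructed so the script runs without rkhunter installed.

```shell
#!/bin/sh
# Added example, not from the thread: summarise an rkhunter log instead of
# paging through all of it with less. Warnings in rkhunter.log are written
# as "[HH:MM:SS] Warning: ...". The sample log below is constructed.

# Print only the warning lines, with the leading timestamp removed.
rkhunter_warnings() {
    grep 'Warning:' "$1" | sed 's/^\[[0-9:]*\][[:space:]]*//'
}

# Print the number of warning lines; "0" means no warnings were logged.
# grep -c exits 1 when there are no matches, so "|| true" keeps the count.
rkhunter_warning_count() {
    grep -c 'Warning:' "$1" || true
}

# Constructed sample log for demonstration (a real run reads /var/log/rkhunter.log).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[10:02:11] Info: Starting the file properties checks...
[10:02:12] Warning: The file properties have changed:
[10:02:12]          File: /usr/bin/lwp-request
[10:02:13] Info: Checking for hidden files and directories...
[10:02:13] Warning: Hidden directory found: /etc/.java
[10:02:14] Info: System checks summary
EOF

echo "Warnings found: $(rkhunter_warning_count "$SAMPLE_LOG")"
rkhunter_warnings "$SAMPLE_LOG"
```

On a real system, replace the sample path with /var/log/rkhunter.log (and run it with sudo, since the log is root-readable); a count of 0 after `rkhunter --check` is the quick "clean run" signal, and anything else is worth reading in full.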

I think I did include a reference to these two applications to check for 'rootkits' (rootkits are platform agnostic and could attack Windows, Mac or GNU/Linux).
One thing you have to be aware of is that if you make any modifications to the system, like installing a new application, they might throw false positives, because it looks at the baseline packages from the point when the rootkit hunters were installed.

4 Likes

If you run:
sudo rkhunter --update
sudo rkhunter --versioncheck
... and you get the error:
"Invalid WEB_CMD configuration option: Relative pathname: /bin/false"
... the fix is to edit /etc/rkhunter.conf. Change the following three variables:

MIRRORS_MODE=1 → MIRRORS_MODE=0
UPDATE_MIRRORS=0 → UPDATE_MIRRORS=1
WEB_CMD="/bin/false" → WEB_CMD=""

Then re-run the commands:
sudo rkhunter --update
sudo rkhunter --versioncheck

4 Likes
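As an added example (not from the post above), a shell helper that applies those three /etc/rkhunter.conf changes with sed and then prints the resulting values so they can be checked before re-running `rkhunter --update`. It edits whatever file you pass it; the file it creates here is a constructed fragment, not a real config, so it can be tried without touching /etc.

```shell
#!/bin/sh
# Added example, not from the thread: apply the three /etc/rkhunter.conf
# changes from the post with sed, then print the resulting values so you can
# confirm them before re-running rkhunter --update. The sample file below is
# a constructed fragment, not a real rkhunter.conf.

# Rewrite the three update-related settings. Only the exact "before" values
# are matched, so running this twice (or on an already-fixed file) changes nothing.
fix_rkhunter_update_settings() {
    conf=$1
    sed -e 's/^MIRRORS_MODE=1$/MIRRORS_MODE=0/' \
        -e 's/^UPDATE_MIRRORS=0$/UPDATE_MIRRORS=1/' \
        -e 's|^WEB_CMD="/bin/false"$|WEB_CMD=""|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Show the current values of the three settings.
rkhunter_update_settings() {
    grep -E '^(MIRRORS_MODE|UPDATE_MIRRORS|WEB_CMD)=' "$1"
}

# Constructed fragment of rkhunter.conf with the values that trigger the error.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not a complete rkhunter.conf
MIRRORS_MODE=1
UPDATE_MIRRORS=0
WEB_CMD="/bin/false"
EOF

echo "Before:"; rkhunter_update_settings "$SAMPLE_CONF"
fix_rkhunter_update_settings "$SAMPLE_CONF"
echo "After:";  rkhunter_update_settings "$SAMPLE_CONF"
```

To use it on the real file, copy /etc/rkhunter.conf to a backup first and run `fix_rkhunter_update_settings /etc/rkhunter.conf` as root; the sed patterns are anchored to whole lines, so a commented-out `#WEB_CMD=...` line or a setting that already has the new value is left untouched.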