Rootkit Hunter and ChkRootKit

Anyone else using this?

Install it:
sudo apt install rkhunter

Run it:
sudo rkhunter -c --enable all

Or this:

Install it:
sudo apt install chkrootkit

Run it:
sudo chkrootkit

Or, to run them both from a keyboard shortcut:
gnome-terminal -- /bin/sh -c 'sudo rkhunter --update; sudo rkhunter -c --enable all; sudo chkrootkit; echo "$(read -r -p "Press Enter to exit..." key)"'

One thing I will note, if you run prelink (which speeds up DLL loading to speed up program loading), rkhunter complains (until you run sudo rkhunter --propupd) because in updating the linked library links, prelink changes the checksums of the executables. I didn't notice much of a speed increase using prelink.

1 Like

I occassionally use Rkhunter and always run these 4 commands in sequence:

sudo rkhunter --propupd --pkgmgr dpkg

sudo rkhunter --update

sudo rkhunter --check --pkgmgr dpkg

sudo less /var/log/rkhunter.log


I think I did include reference to these two applications to check for 'rootkits' (Rootkits are platform agnostic and could attack Windows, Mac or GNU/Linux).
One thing you have to be aware of is that if you make any modifications to the system like installing a new application they might throw false positives because it looks at the baseline packages at point of when the rootkit hunters were installed.


If you run:
sudo rkhunter --update
sudo rkhunter --versioncheck
... and you get the error:
"Invalid WEB_CMD configuration option: Relative pathname: /bin/false"
... the fix is to edit /etc/rkhunter.conf. Change the following three variables:

WEB_CMD="/bin/false" → WEB_CMD=""

Then re-run the commands:
sudo rkhunter --update
sudo rkhunter --versioncheck