How to Install Rkhunter Tool in Kali Linux?

Last Updated: 17 Jun, 2021

Rkhunter (Rootkit Hunter) is a good fit for POSIX systems and can aid in the discovery of rootkits and other security flaws. Rkhunter fully examines files (both hidden and visible), default directories, kernel modules, and permissions that have been mishandled.

RootKit Hunter is an alternative to chkrootkit. It is also a good complement: if one of them reports a rootkit, you will need to run the other to rule out a false positive. It is an anti-virus and anti-malware program for the Linux operating system, used to keep a Linux system safe from viruses. It runs a number of tests to see whether the server has been infected with rootkits, such as looking for rootkit-specific files, checking for incorrect file permissions on executable binaries, and inspecting kernel modules, among other things.

RootKit Hunter scans for hidden files, incorrect binary permissions, suspicious strings in kernel backdoors, and potential local vulnerabilities. It accomplishes this by comparing the SHA-1 hashes of critical files to well-known hashes in Internet databases. A rootkit is a highly capable attack tool and severely damaging to the system. It employs a set of tools to establish backdoors and conceal its tracks, allowing the attacker to keep access to the system and log in as root at any moment.

RKHunter Features:

  • MD5 checksum test to determine whether a file has been modified.
  • Detection of trojan signatures.
  • Detection of hidden files.
  • Detection of suspicious loadable kernel modules (LKMs).
  • Identification of the listening ports that have been opened on the system.
  • System-related tests.

Rootkits are divided into two categories:

  • file-level
  • kernel-level

File-level Rootkit

Typically, after infiltrating the system through application or system vulnerabilities, a file-level rootkit modifies the system's critical files to disguise itself. Once the system has been infected, the normal files are replaced by Trojan horse programs: they become mere shells of the originals, with the concealed backdoor programs inside.

Kernel-level Rootkit

This type of infiltration is more sophisticated than a file-level rootkit. It can allow an attacker to take total control of the system's bottom layer. The attacker can then change the system kernel to intercept the commands that running software sends to the kernel and redirect them to a program of the intruder's choosing, which is run instead.


Step 1: Install the Rootkit Hunter scanner tool. If you're using Kali Linux, use this terminal command to install it.

sudo apt-get install rkhunter -y

Step 2: Then update this tool.

sudo rkhunter --update


You may use the following command to see if your computer has been infected with a rootkit:

sudo rkhunter --check

RkHunter, like chkrootkit, starts by analyzing the system binaries, as well as libraries and strings.

Unlike chkrootkit, RkHunter will ask you to hit ENTER to proceed to the next phase. Having checked the system binaries and libraries, it now checks for known rootkits.

Press ENTER to allow RkHunter to continue searching for rootkits.

Then, similar to chkrootkit, it scans your network interfaces as well as ports known to be used by backdoors and trojans.

Finally, a summary of the results will be printed.

Rkhunter runs various well-known checks on the system by default. However, you may also use ‘--scan-knownbad-files’ to discover unknown errors:

sudo rkhunter -c --scan-knownbad-files

Rkhunter relies on its rootkit vulnerabilities database to identify rootkits; the database is updated often, so it's critical to keep your copy up to date.

The results are recorded in /var/log/rkhunter.log and are always accessible.
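One way to triage that log from the terminal, added here as an example that is not part of the original article or of rkhunter itself. The function names are hypothetical, the sample log is constructed, and the "[HH:MM:SS] Warning: ..." line layout it parses is an assumption about the log format.

```shell
#!/bin/sh
# Added example (not rkhunter's own code): triage an rkhunter log.
# Assumption: log lines look like "[HH:MM:SS] Warning: <message>".

# Print each warning message with its timestamp prefix stripped.
rkh_warnings() {
    sed -n 's/^\[[0-9:]*\] Warning: //p' "$1"
}

# Print the number of warning messages in the log.
rkh_warning_count() {
    rkh_warnings "$1" | wc -l | tr -d ' '
}

# Print a summary counter, e.g. "Suspect files" or "Possible rootkits".
rkh_summary_value() {
    sed -n "s/^\[[0-9:]*\] $2 *: *\([0-9][0-9]*\)\$/\1/p" "$1" | tail -n 1
}

# Status: 0 = no warnings, 1 = warnings present, 2 = log unreadable.
rkh_triage() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    n=$(rkh_warning_count "$1")
    echo "warnings=$n suspect_files=$(rkh_summary_value "$1" 'Suspect files')" \
         "possible_rootkits=$(rkh_summary_value "$1" 'Possible rootkits')"
    [ "$n" -eq 0 ]
}

# Constructed sample log (not output captured from a real scan).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[09:32:25]   /usr/bin/lwp-request                            [ Warning ]
[09:32:25] Warning: The command '/usr/bin/lwp-request' has been replaced by a script
[09:33:10]   Checking for hidden files and directories       [ Warning ]
[09:33:10] Warning: Hidden directory found: /etc/.java
[09:33:30] Files checked: 142
[09:33:30] Suspect files: 1
[09:33:30] Rootkits checked : 497
[09:33:30] Possible rootkits: 0
EOF

rkh_triage "$SAMPLE_LOG" || echo "Warnings to review:"
rkh_warnings "$SAMPLE_LOG"
```

On a real system, pass /var/log/rkhunter.log to rkh_triage instead of the sample file; the non-zero exit status makes it usable from a scheduled job.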
