Rkhunter


Rkhunter — Old but Handy Rootkit Scanner

Why It Matters

Rootkits dig deep into Linux, hiding files, tweaking binaries, and loading shady kernel modules. Standard monitoring often misses them. Rkhunter has been around for years as a simple check-up tool. It doesn’t pretend to be a full-blown EDR — just a script that goes through the system looking for common traces of tampering. Admins still keep it in their bag of tricks for audits, quick sanity checks, or incident response when something feels off.

How It Works

Rkhunter is essentially a bash script with a collection of tests. Run it, and it compares system binaries with known hashes, looks for files that shouldn’t be there, scans modules loaded into the kernel, and flags oddities in startup scripts. Before scanning, update the data files with `rkhunter --update`; otherwise results can be stale. The tool spits out logs and console warnings. It won’t tell you “infected” or “clean” with certainty — it points at suspicious bits, and the admin has to decide what’s noise and what’s real.

Technical Notes

| Area | Notes |
| --- | --- |
| OS support | Linux and other Unix-like platforms |
| What it does | Rootkit detection, integrity checks on binaries |
| Looks at | File hashes, hidden files, kernel modules, init/startup scripts |
| Output | Console messages + /var/log/rkhunter.log |
| Updates | Uses online database (`rkhunter --update`) |
| License | GPL, open source |

Deployment Notes

– Install from your distro repo or compile from source.
– Run `rkhunter --update` first to grab the latest data.
– Then `rkhunter --check` for the actual scan.
– Review /var/log/rkhunter.log carefully — most results need context.
– Often tied into cron so it runs daily or weekly in the background.
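The steps above, wired into a cron-style wrapper, as an added example that is not code from the original page or from the rkhunter project. It assumes `rkhunter` is on PATH when `run_scan` is called and writes the log path the page quotes; the triage functions only need a log file, so they are exercised on a constructed sample that mimics the shape of rkhunter's result and `Warning:` lines.

```shell
#!/bin/sh
# Added example (not from the original page or the rkhunter project): a cron
# wrapper around the update/check steps plus a small log triage helper.
# Assumptions: rkhunter is on PATH when run_scan is called and it writes the
# log path below. The triage functions work on any log file and are exercised
# here on a constructed sample, not on real scan output.

LOG=/var/log/rkhunter.log

# Deployment steps 2 and 3: refresh the data files, then scan.
# Per the rkhunter man page, --update exits 2 when updates were installed and
# 1 on error, so only 1 is treated as a failure. --cronjob implies --check,
# --nocolors and --skip-keypress; --report-warnings-only keeps stdout quiet
# unless something was flagged, which is what you want in cron mail.
run_scan() {
    rkhunter --update --nocolors
    rc=$?
    [ "$rc" -eq 1 ] && return 1
    rkhunter --cronjob --report-warnings-only
}

# Count result lines ending in "[ OK ]" / "[ Warning ]" in a log file.
# $1 = log file, $2 = status word. grep -c prints 0 but exits 1 when nothing
# matches, hence "|| true".
count_results() {
    grep -E -c "\[ $2 *\]\$" "$1" || true
}

# Print each "Warning: ..." message with the [HH:MM:SS] prefix stripped.
list_warnings() {
    sed -n 's/^\[[0-9:]*\] *Warning: //p' "$1"
}

# One-line summary; returns non-zero when any check produced a warning so the
# caller (cron, a ticketing hook) can alert on the exit status alone.
triage_log() {
    ok=$(count_results "$1" OK)
    warn=$(count_results "$1" Warning)
    echo "ok=$ok warnings=$warn"
    [ "$warn" -eq 0 ]
}

# Constructed sample log for offline use: timestamps and findings are made up,
# but the line shapes follow rkhunter's log layout. /dev/.udev is the classic
# benign hidden-directory hit on older distros, normally whitelisted with
# ALLOWHIDDENDIR in rkhunter.conf rather than investigated every week.
write_sample_log() {
cat > "$1" <<'EOF'
[10:02:11]   /usr/bin/ls                                      [ OK ]
[10:02:11]   /usr/bin/ps                                      [ OK ]
[10:02:12]   /usr/bin/ssh                                     [ Warning ]
[10:02:12] Warning: The file properties have changed:
[10:02:12]          File: /usr/bin/ssh
[10:02:15]   Checking for hidden files and directories         [ Warning ]
[10:02:15] Warning: Hidden directory found: /dev/.udev
[10:02:20]   Checking if SSH root access is allowed            [ OK ]
EOF
}

case "${1:-}" in
    scan)
        run_scan
        triage_log "$LOG"
        ;;
    demo)
        tmp=$(mktemp)
        write_sample_log "$tmp"
        triage_log "$tmp" || echo "warnings need review:"
        list_warnings "$tmp"
        rm -f "$tmp"
        ;;
esac
```

Invoke it as `sh rkhunter-cron.sh scan` from cron and `sh rkhunter-cron.sh demo` to see the triage on the sample. Two things keep the warning count honest: after a legitimate package upgrade, refresh the file-properties baseline with `rkhunter --propupd`, otherwise every updated binary shows up as "file properties have changed"; and record known-benign hits in rkhunter.conf rather than learning to ignore the output, because the whole value of the exit status is that a non-zero result still means something.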

Where It Fits

– Audits: quick host integrity check before compliance reviews.
– Incident response: first-pass tool when a box looks suspicious.
– Daily hygiene: routine scans on Linux servers, even if noisy.

Caveats

– Signature-driven, so stealthy or custom rootkits may slip through.
– High rate of false positives — human review is unavoidable.
– Only detects, never cleans.
– Can be slow on big filesystems with lots of binaries.

Rkhunter security setup and hardening guide | Armosecure

What is Rkhunter?

Rkhunter is a free and open-source Linux security tool designed to detect and prevent rootkits, backdoors, and other malicious software from compromising a system. It is a command-line based utility that scans the system for any signs of unauthorized access or malicious activity, providing system administrators with a powerful tool for endpoint hardening and security auditing.

Main Features of Rkhunter

Rkhunter offers several key features that make it an essential tool for Linux security, including:

  • Rootkit detection: Rkhunter scans the system for any signs of rootkits, including hidden files, directories, and processes.
  • Backdoor detection: Rkhunter checks for any backdoors that may have been installed on the system, allowing unauthorized access.
  • System file integrity checking: Rkhunter verifies the integrity of system files, ensuring that they have not been modified or tampered with.
  • Configuration file checking: Rkhunter checks configuration files for any signs of tampering or unauthorized changes.

Installation Guide

Downloading Rkhunter

Rkhunter can be downloaded from the official website, and it is also available in most Linux distributions’ package repositories. To download Rkhunter, follow these steps:

  1. Open a terminal window and navigate to the directory where you want to download Rkhunter.
  2. Use the wget command to download the latest version of Rkhunter: wget http://www.rkhunter.sourceforge.net/files/rkhunter-.tar.gz
  3. Extract the contents of the tarball using the tar command: tar -xvf rkhunter-.tar.gz

Installing Rkhunter

Once you have downloaded and extracted Rkhunter, you can install it using the following steps:

  1. Navigate to the directory where you extracted Rkhunter.
  2. Run the installation script using the following command: ./install.sh
  3. Follow the prompts to complete the installation process.

Technical Specifications

System Requirements

Rkhunter is designed to run on Linux systems, and it requires the following system specifications:

  • Operating System: Linux (any distribution)
  • Processor: Intel or AMD processor
  • Memory: 512 MB RAM (1 GB recommended)
  • Storage: 100 MB free disk space

Supported File Systems

Rkhunter supports the following file systems:

  • ext2
  • ext3
  • ext4
  • XFS
  • JFS

Pros and Cons

Pros of Rkhunter

Rkhunter offers several advantages, including:

  • Free and open-source: Rkhunter is completely free to download and use.
  • Highly customizable: Rkhunter can be customized to meet the specific needs of your system.
  • Regular updates: Rkhunter is regularly updated to ensure that it can detect the latest rootkits and backdoors.

Cons of Rkhunter

Rkhunter also has some disadvantages, including:

  • Steep learning curve: Rkhunter can be difficult to use for beginners.
  • Resource-intensive: Rkhunter can consume significant system resources during scans.
  • False positives: Rkhunter may generate false positive results, which can be time-consuming to investigate.

FAQ

How often should I run Rkhunter?

Rkhunter should be run regularly, ideally once a week, to ensure that your system remains secure.

Can I use Rkhunter with other security tools?

Yes, Rkhunter can be used in conjunction with other security tools, such as antivirus software and firewalls.

Is Rkhunter compatible with all Linux distributions?

Rkhunter is designed to be compatible with most Linux distributions, but it may not work with all distributions. Check the Rkhunter website for a list of supported distributions.
