How to Scan for Rootkits on a Linux Server

When it comes to keeping your Linux server safe, rootkits are a major concern.

They are sneaky malware that can infect your Linux server without being noticed, making them a nightmare for server administrators.

In this tutorial, I’ll walk you through the steps to scan for rootkits on your Linux server using Rootkit Hunter.

Preparation

To make the most of this guide, ensure you have a properly set up Ubuntu server.

If you don’t have one, consider getting a free VPS server to follow along.

Following along on your own server will enhance your understanding and practical experience.

What are Rootkits?

Rootkits are nasty pieces of malware that can deeply hide in your server, making it sometimes impossible to detect them.

Once a rootkit is on your server, it can do bad things like taking control, stealing important information, and letting hackers in.

Rootkits could replace commands like ls or ps with their own infected versions that work normally without you noticing.

They can infect any operating system, including Linux.

Key Considerations

Rootkits can only be planted after gaining administrative access to the server.

That’s why you should prevent bad actors from gaining access to your server and planting them.

Following essential security measures such as adding a non-root user and disabling root user access, implementing a firewall, securing SSH, and more could prevent rootkits from being installed on your server without the need for detection software.

Now, the last crucial point is that there is no software that is truly effective at detecting all rootkits.

Rootkit Hunter is a good option but cannot detect every type of them.

So, I highly recommend thoroughly hardening and securing your Linux server following all best practices because this prevents rootkits from being installed in the first place.

Installing Rootkit Hunter

To install Rootkit Hunter, use the following command:

sudo apt install rkhunter

Once it is installed, the first thing to do is to run this command:

sudo rkhunter --propupd

This command is used to update the local database file with the current properties of system files.

Then we need to update the rootkit signatures but before doing this we need to adjust three things in its main configuration file.

Open the /etc/rkhunter.conf file and locate these three variables:

UPDATE_MIRRORS
MIRRORS_MODE
WEB_CMD

Change their values to look like this:

UPDATE_MIRRORS=1
MIRRORS_MODE=0
WEB_CMD=""

Now, use the following command to update the rootkit signatures:

sudo rkhunter --update

And that’s it for installing Rootkit Hunter.

Running a Scan

After successfully installing and updating Rootkit Hunter, it is time for a scan.

Use the following command to scan for rootkits:

sudo rkhunter -c

The scan will take some time and will consume server resources, so ensure you have sufficient resources available.

When running a scan using only the -c option, Rootkit Hunter will continue to prompt you to press the ENTER key to proceed with scanning.

Use the following command instead:

sudo rkhunter -c --cronjob --rwo

The --cronjob option will make the program run as a cron job, causing it to run the entire scan without asking you to press the ENTER key.

The --rwo option will instruct the program to only log warnings instead of logging everything.

You can also use the --sk option to prevent the program from prompting you to press the ENTER key.

Conclusion and Final Thoughts

Great job reaching the end!

I hope this tutorial has been super helpful for you in protecting your Linux server from rootkits.

However, there’s more to securing Linux servers — advanced measures that I’ve covered comprehensively in my complete server security and hardening guide.

It’s a collection of all security and hardening measures with links to detailed guides for each.

By following these guides one by one, your server will be thoroughly secured.

If you found value in this tutorial or have any questions or feedback, please don’t hesitate to share your thoughts in the comments section below.

Your input is greatly appreciated, and you can also contact me directly if you prefer.