Scanning for Rootkits
Rootkits are malware that hide their own files, processes and network connections from the standard tools an administrator would use to look for them, typically by replacing system binaries or loading a kernel module. Two widely used rootkit scanners are rkhunter and chkrootkit. Both look for known rootkit signatures, modified system binaries and other suspicious indicators; a clean report is evidence, not proof, that the system is uncompromised.
Install and Run rkhunter
apt install rkhunter -y
# Update the signature database:
rkhunter --update
# Baseline the system: record the properties (hashes, sizes, permissions) of system binaries.
# Run this once on a known-clean system, ideally right after install. A baseline taken
# after a compromise would record the rootkit's own files as "correct".
rkhunter --propupd
# Re-run --propupd after a package upgrade that legitimately changed system binaries,
# otherwise the next check will warn about every updated file.
# Run a check:
rkhunter --check
Each test reports OK, Warning, Not found or Found. Investigate every Warning; the full output of the run is written to /var/log/rkhunter.log.
Common False Positives
rkhunter may warn about legitimate tools. Review each warning in context before acting. Common false positives include: SSH configurations that differ from rkhunter's expectations (for example PermitRootLogin not matching the ALLOW_SSH_ROOT_USER setting), system commands that are really scripts (many Perl/Python wrappers in /usr/bin), and binaries changed by a normal package upgrade. For a "file properties have changed" warning, check whether the package manager still considers the file intact (on Debian/Ubuntu, dpkg -S /path/to/file to find the package, then dpkg -V that-package) before trusting it; if the change came from an upgrade, re-run rkhunter --propupd. A confirmed false positive can be whitelisted in /etc/rkhunter.conf (for example with SCRIPTWHITELIST) so it does not recur on every scan.
Schedule Weekly Scans
crontab -e   # edit root's crontab, so the scan can read every file
# Add (runs every Sunday at 03:00; mail requires a working local MTA,
# and --cronjob is a shorthand for --check --skip-keypress --nocolors):
0 3 * * 0 rkhunter --check --skip-keypress --report-warnings-only | mail -s "rkhunter report" you@example.com
Install and Run chkrootkit
apt install chkrootkit -y
chkrootkit
Review any line that ends in INFECTED (lines reading "not infected" are normal). chkrootkit is known for false positives, for example flagging a legitimate process or file, so treat an INFECTED line as a lead rather than a verdict: cross-reference with rkhunter and inspect the named file or process manually.
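The following wrapper ties the scheduling and the two scanners together: it runs both from one cron job, keeps the full output on disk, and sends mail (and exits non-zero) only when a scanner reported something. It is an added example, not part of the original page and not code from the rkhunter or chkrootkit projects. Assumptions: the report address, log directory and script path are placeholders; the "Possible" and "Vulnerable" patterns are assumed in addition to INFECTED, which the page names; the embedded chkrootkit output and the demo_sample_count function exist only to exercise the filter offline.

```shell
#!/bin/sh
# rootkit-scan.sh: added example, not from the original page or either project.
# Runs rkhunter and chkrootkit from cron, keeps the full output on disk, and
# mails (and exits non-zero) only when a scanner reported something.
# Assumptions: REPORT_TO, LOG_DIR and a working mail(1) command.
set -u

REPORT_TO="${REPORT_TO:-you@example.com}"     # assumed address
LOG_DIR="${LOG_DIR:-/var/log/rootkit-scans}"  # assumed directory

# chkrootkit prints one line per test. The case-sensitive match keeps
# "INFECTED" but drops the normal "not infected"; "Possible" and
# "Vulnerable" are assumed extra patterns worth a look.
chkrootkit_findings() {
    grep -E 'INFECTED|Possible|Vulnerable' || true
}

# rkhunter --cronjob --report-warnings-only prints nothing but warnings, so
# every non-blank line is kept, including indented continuation lines.
rkhunter_findings() {
    grep -v '^[[:space:]]*$' || true
}

# Count non-empty lines on stdin, printing 0 (not failing) on empty input.
count_lines() {
    grep -c . || true
}

# Run one scanner if it is installed, save its full output, and print only
# the filtered findings. $1 = scanner name, $2 = filter function.
run_scanner() {
    name=$1; filter=$2
    if ! command -v "$name" >/dev/null 2>&1; then
        echo "$name: not installed, skipping" >&2
        return 0
    fi
    out="$LOG_DIR/$name-$(date +%Y%m%d).log"
    case $name in
        rkhunter)   rkhunter --cronjob --report-warnings-only >"$out" 2>&1 ;;
        chkrootkit) chkrootkit >"$out" 2>&1 ;;
    esac
    "$filter" <"$out"
}

main() {
    mkdir -p "$LOG_DIR"
    findings=$(
        run_scanner rkhunter   rkhunter_findings
        run_scanner chkrootkit chkrootkit_findings
    )
    n=$(printf '%s\n' "$findings" | count_lines)
    if [ "$n" -gt 0 ]; then
        printf '%s\n' "$findings" |
            mail -s "rootkit scan: $n finding(s) on $(hostname)" "$REPORT_TO"
        return 1   # non-zero so cron/monitoring notices as well
    fi
    return 0
}

# Constructed sample of chkrootkit output, used to check the filter offline.
SAMPLE_CHKROOTKIT="Checking 'login'... not infected
Checking 'bindshell'... INFECTED (PORTS: 465)
Searching for sniffer's logs, it may take a while... nothing found"

# Prints how many actionable lines the constructed sample contains.
demo_sample_count() {
    printf '%s\n' "$SAMPLE_CHKROOTKIT" | chkrootkit_findings | count_lines
}

# Run the scans only when invoked as the script itself, not when sourced.
case "$0" in
    *rootkit-scan.sh) main ;;
esac
```

Install it as /usr/local/sbin/rootkit-scan.sh (assumed path) and replace the single rkhunter cron line with `0 3 * * 0 /usr/local/sbin/rootkit-scan.sh`. Because the full output is kept under LOG_DIR, a later investigation can still see the "not infected" lines the filter dropped, and the non-zero exit lets an external monitor catch a report even if local mail is broken.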
What to Do If You Find a Rootkit
- A confirmed rootkit means the server is compromised and cannot be trusted; nothing the system reports about itself (process lists, logs, or the scanners' own output) is reliable, because the rootkit may be hiding exactly what you need to see
- Take a snapshot or backup first if you need it for forensics, and treat it as evidence, not as something to restore from
- The safest response is a complete OS reinstall rather than attempting to clean the system; open a support ticket requesting a reinstall, and afterwards restore only data (never binaries or scripts) from backups taken before the compromise
- After the reinstall, change all passwords and rotate any SSH keys or API tokens that were stored on the server, since the attacker may have captured them, then run rkhunter --propupd on the fresh install to establish a clean baseline