=======================================================
Scanning for malware by using Rootkit Hunter in Linux
=======================================================

What Is Rkhunter?
^^^^^^^^^^^^^^^^^

**Rkhunter (Rootkit Hunter)** is an open-source scanner for Unix and Linux systems, released under the GPL, that checks a host for rootkits, backdoors and local exploits. It looks for hidden files and directories, wrong permissions on system binaries, suspicious strings in kernel modules, changed properties of important files (hash, inode, permissions, owner) and similar indicators. It is a host-based scanner: it runs on the machine it inspects, so a rootkit that already controls the kernel can hide from it. Treat a clean result as a useful signal, not as proof.

Install Rootkit Hunter Scanner in Linux Systems
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Step 1: Download the latest stable version of Rkhunter
======================================================

::

    $ cd /tmp
    $ wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz

The download shown here is over plain HTTP. Fetch it over HTTPS where possible and verify the tarball against a checksum obtained from a trusted source before unpacking it; where your distribution ships a signed ``rkhunter`` package, prefer that. A tampered security tool is worse than none.

Step 2: Installing Rkhunter
===========================

After downloading the tarball, run the following commands as root to unpack and install it. The ``default`` layout installs the ``rkhunter`` binary under ``/usr/local/bin``, which is why the later steps use that path.

::

    $ tar -xvf rkhunter-1.4.6.tar.gz
    $ cd rkhunter-1.4.6
    $ ./installer.sh --layout default --install

**Sample Output**

.. image:: images/rootkit1.png

Step 3: Updating Rkhunter
=========================

Run the updater to fetch the latest data files, then take a baseline of the file properties (hashes, permissions, owners, inodes) that later checks are compared against:

::

    $ /usr/local/bin/rkhunter --update
    $ /usr/local/bin/rkhunter --propupd

**Sample Output**

.. image:: images/rootkit2.png

``--propupd`` records the *current* state of the system as known-good. Run it only on a host you trust to be clean (ideally right after installation), and run it again after legitimate package upgrades; otherwise every upgraded binary shows up as a warning, and running it on an already compromised host bakes the rootkit into the baseline.

Step 4: Setting Cronjob and Email Alerts (optional)
===================================================

Create a file called **rkhunter.sh** under **/etc/cron.daily/**; it then scans the file system every day and emails the result to you. Create the file with your editor of choice:

::

    $ vi /etc/cron.daily/rkhunter.sh

Add the following lines to it, replacing **"PutYourServerNameHere"** with your server's name and **"your@email.com"** with your e-mail address.
::

    #!/bin/sh
    (
    /usr/local/bin/rkhunter --versioncheck
    /usr/local/bin/rkhunter --update
    /usr/local/bin/rkhunter --cronjob --report-warnings-only
    ) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' your@email.com

Set execute permission on the file. Scripts in ``/etc/cron.daily`` run as root, so the file must also be owned by root and not writable by anyone else:

::

    $ chmod 755 /etc/cron.daily/rkhunter.sh

``--cronjob`` runs the check non-interactively (no colours, no key presses) and ``--report-warnings-only`` keeps the mail short, so an empty message body means nothing was flagged. The ``#!/bin/sh`` line must be the first line of the file, and ``mail`` needs a working local mail transfer agent to deliver anything.

Step 5: Manual Scan and Usage
=============================

To scan the entire system, run Rkhunter as root:

::

    $ rkhunter --check

**Sample Output**

.. image:: images/rootkit3.png

The command writes its results to **/var/log/rkhunter.log**; read that file for the details behind every warning printed on the terminal:

::

    $ cat /var/log/rkhunter.log

Rkhunter does not remove or quarantine anything. For each warning, look up the path in the log file and decide whether it is a real finding or a false positive (for example a binary changed by a package upgrade, or a hidden file your distribution legitimately creates). Clean or reimage the host in the first case; in the second, whitelist the item in ``/etc/rkhunter.conf`` and refresh the baseline with ``--propupd``.

For more information and options run:

::

    $ rkhunter --help