Skip to main content


Rkhunter is a rootkit detection tool.


On Ubuntu: sudo apt install rkhunter


For a first run, edit /etc/rkhunter.conf and update the following properties:

  • WEB_CMD: this is initially set to /bin/false on Ubuntu, which will cause all updates to fail. This should be able to be set to curl.
  • UPDATE_MIRRORS: by default, this is disabled, but mirrors will need to be updated at some point to get the most up-to-date database1. Set this to 1 to allow updates.
  • MIRRORS_MODE: This defaults to 1 (use only local mirrors), however you can set this to 0 to use a remote mirror as well.

After config changes, check your config files by running rkhunter --config-check.


Get database updates using rkhunter --update

Run rkhunter --check. The following additional options can be used as well:

  • --sk: skips the โ€œPress <ENTER> to continueโ€ checks that exist when running.
  • --rwo: reports warnings only

When youโ€™re comfortable with the state of the system, running rkhunter --propupd will update your local database of the current state.

Regular Scanningโ€‹

Apply the following changes to /etc/default/rkhunter.conf:

  • CRON_DAILY_RUN="true": Runs a scan daily
  • CRON_DB_UPDATE="true": Updates the database weekly
  • APT_AUTOGEN="true": Automatic database updates (what is the difference between the two of these?)


  1. Itโ€™s possible with an infected system that a malicious database could be uploaded, so in sensitive environments you probably only want to accept local mirrors. I donโ€™t know what the risk of this would be however. โ†ฉ