Is my server compromised?
- On-Premise Server + WebMail Installations: Version 6.0 > Current Version
- Webmail Only Installations: Version 6.0 > Current Version
Rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. Rkhunter scans the file system by comparing SHA-1 hashes of important files, with confirmed safe files in online databases. Rkhunter searches for the default directories of the rootkits, hidden files, wrong permissions, suspicious strings in kernal modules and runs special tests for Linux.
- Downloading Rkhunter
The first thing you need to do is download the latest version of Rkhunter. You can do this by either going to http://www.rootkit.nl/projects/rootkit_hunter.html or by using the Wget command listed below:
wget "http://internode.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz "
- Installing Rkhunter
After you have downloaded the latest version of Rkhunter, you will need to run the following commands as the root user in order to install Rkhunter:
tar -xvf rkhunter-1.4.0.tar.gz
./installer.sh --layout default --install
- Updating Rkhunter
Once you have installed Rkhunter, you will need to update it, this will fill the database properties by using the following commands:
- Setting Cronjob and Email Alerts
You will now need to create a file called rkhunter.sh in /etc/cron.daily/ using your preferred editor. This file will scan your system daily, sending email notifications to your email id.
- Now you need to add the following lines into the file, replacing "YourServerNameHere" and "firstname.lastname@example.org" with the appropriate details.
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (YourServerNameHere)' email@example.com
Now, set execute permissions on the file by entering the following command:
chmod 755 /etc/cron.daily/rkhunter.sh
- Manual Scan and Usage
You can now scan the entire file system by running the following command. Be sure to run the Rkhunter as the root user.
The command that you just entered will output a log file in /var/log/rkhunter.log, displaying the check files created by Rkhunter.
If you would like more information regarding Rkhunter run the following command: