# Rootkit Scans

A rootkit is a collection of software tools that enable an attacker to gain root or administrative-level access to a computer or network and maintain this access covertly.

====================================================================================

### chkrootkit

`chkrootkit` (Check Rootkit) is an open-source security tool used to detect rootkits and other malicious software on Linux systems.

To use chkrootkit, you'll need to install the `chkrootkit` package.

#### Running `chkrootkit`

To perform a basic scan, you simply run:

```
chkrootkit
```

##### Additional Options

| Option | Description |
| --- | --- |
| `-v` | Verbose output |
| `-r /path/to/scan` | Specify a specific path to scan |
| `-q` | Suppress warnings (quiet mode) |
| `> /path/to/log` | Write the output to a log file (this is shell redirection, not a chkrootkit option) |

====================================================================================

### RKHunter

`rkhunter` (Rootkit Hunter) is another popular open-source security tool designed to detect rootkits, backdoors, and other possible signs of compromise on Linux systems.

To use rkhunter, you'll need to install the `rkhunter` package.

#### Running rkhunter

A basic rootkit scan can be run with:

```
rkhunter --check
```

##### Additional Options

| Option | Description |
| --- | --- |
| `--update` | Update rkhunter's database of known rootkits |
| `--verbose` | Verbose output |
| `--logfile /path/to/log` | Specify a log file for rkhunter output |

---

#### Understanding the Output

The output of `rkhunter` includes various sections and categories:

- **\[OK\]**: Indicates that the item being checked is within expected parameters.
- **\[Warning\]**: Highlights potential security issues or suspicious findings that should be investigated further.
- **\[Suspicious\]**: Flags items that may require attention due to unusual or unexpected behavior.
- **\[Not Found\]**: Indicates that an expected file or configuration item was not found.

---

#### rkhunter baseline

rkhunter includes the ability to create a 'baseline': it records the properties (such as hashes, permissions and ownership) of the system files it checks. Future scans then compare the current file properties against this stored baseline and report any changes.

<p class="callout warning">If you suspect your system is compromised or infected with malware (including rootkits), refrain from running <code>rkhunter --propupd</code>. Doing so records the properties of the compromised files as the trusted baseline, so <code>rkhunter</code> will no longer flag them in later scans and its ability to detect the malware is lost.</p>

**Create a baseline**

```
rkhunter --propupd
```
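The following shell script is an added example, not code from the original page or from the rkhunter project. It ties together the two points above: it parses rkhunter log lines using the status labels from "Understanding the Output" (the sample log is constructed, not real scan output) and provides a `safe_propupd` guard that only allows the baseline to be refreshed when the last scan reported no warnings. The function names and the log path are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page or the rkhunter project:
# summarise an rkhunter log and guard 'rkhunter --propupd' so the baseline
# is only refreshed after a scan that reported no warnings.

# Constructed sample of rkhunter log lines (status labels as in the page's
# "Understanding the Output" section; this is not real scan output).
SAMPLE_LOG="${TMPDIR:-/tmp}/rkhunter-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
[12:00:01]   /usr/bin/ls                               [ OK ]
[12:00:01]   /usr/bin/ps                               [ Warning ]
[12:00:01] Warning: The file properties have changed:
[12:00:01]          File: /usr/bin/ps
[12:00:02]   /usr/sbin/sshd                            [ OK ]
[12:00:02] Checking for hidden files and directories   [ Warning ]
[12:00:03]   /etc/rkhunter.conf.local                  [ Not found ]
EOF

# count_status LOG STATUS: number of checks that ended with "[ STATUS ]"
count_status() {
    grep -c "\[ $2 \]" "$1" || :
}

# warned_items LOG: names of the checks that ended with "[ Warning ]"
warned_items() {
    grep "\[ Warning \]" "$1" \
        | sed -E 's/^\[[0-9:]+\][[:space:]]+//; s/[[:space:]]+\[ Warning \]$//'
}

# safe_propupd LOG: succeed only when the log contains no warnings, so a
# caller can chain "safe_propupd /var/log/rkhunter.log && rkhunter --propupd".
safe_propupd() {
    if [ "$(count_status "$1" Warning)" -gt 0 ]; then
        echo "refusing --propupd: last scan reported warnings:" >&2
        warned_items "$1" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage on the sample log.
echo "OK: $(count_status "$SAMPLE_LOG" OK)  Warning: $(count_status "$SAMPLE_LOG" Warning)"
if safe_propupd "$SAMPLE_LOG"; then
    echo "no warnings: safe to run 'rkhunter --propupd'"
fi
```

On a real system, point `safe_propupd` at the log written with `--logfile` and only run `--propupd` when it succeeds.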

====================================================================================