Detect and Clean a hacked server T0rnkit Tutorial Published: Apr 22, 2004
Rkhunter (Rootkit Hunter) is a tool that checks a Linux or Unix system for known rootkits, trojaned system binaries, and other signs of compromise. This tutorial covers installing it and setting up a daily scan report. Keep in mind that it runs on the very host it is checking, using that host's own kernel and utilities, so a rootkit that has already subverted those can hide from it: a clean report means no known indicators were found, not that the machine is proven intact.

Update Aug. 23, 2005


tar -zxvf rkhunter-1.2.7.tar.gz
cd rkhunter-1.2.7

Now you can run a test scan with the following command:

/usr/local/bin/rkhunter -c

How to set up a daily scan report

pico /etc/cron.daily/

Add the following, replacing you@example.com with your own address. The first line is needed so that run-parts can execute the script:

#!/bin/sh
/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report" you@example.com

chmod +x /etc/cron.daily/

Updating rkhunter
Running `rkhunter --update` fetches the latest data files (known-good file hashes, OS definitions and so on) from the rkhunter project's server, so the scanner recognises the current versions of your distribution's binaries and raises fewer false positives. Run it before each scan.

rkhunter --update

I just got a false positive! What do I do?

A false positive is a warning that points at something which is not actually a problem. Example: your distribution ships updated versions of a few commonly used binaries such as `ls` and `ps`. You (as a good sysadmin) install the new packages and, of course, run Rootkit Hunter daily. Rootkit Hunter is not yet aware of the new files, so while scanning it reports some "bad" files. That is a false positive. Do not just take that on faith, though: check that the flagged file really came from the package update by verifying it against the package manager's own record (`rpm -V` on RPM systems, `dpkg --verify` or `debsums` on Debian-based ones) and by comparing the package's install time with when the warning first appeared. Later rkhunter releases (1.3 and up) also keep their own database of file properties; after a legitimate update it has to be refreshed with `rkhunter --propupd`, and doing that before verifying the new binaries would silently whitelist a trojaned file. If anything does not add up, have your datacenter or a system administrator examine the server, and treat a warning you cannot explain by an update as a possible compromise, not as a false positive.
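The daily cron job and the false-positive check above fit naturally into one script, so here is a fuller version of the daily report. It is an added example written for this page, not code from the tutorial or from the rkhunter project. It assumes rkhunter lives at /usr/local/bin/rkhunter, that its --cronjob output marks suspect files on lines containing "[ BAD ]" or "Warning" (the sample output used to exercise it is constructed, not captured from a real scan), and that you@example.com is a placeholder. Besides mailing the raw report, it cross-checks every flagged file against the package manager (`rpm -V` or `dpkg -V`), so the mail says which warnings a package update can account for ("intact") and which it cannot ("modified" or "unknown").

```shell
#!/bin/sh
# Daily rkhunter report with a package-manager cross-check of flagged files.
# Added example for this tutorial, not part of rkhunter or the original page.
# Assumptions (not taken from the page): rkhunter is installed at
# /usr/local/bin/rkhunter, its --cronjob output marks suspect files with
# "[ BAD ]" or "Warning", and the recipient address below is a placeholder.

RKHUNTER=/usr/local/bin/rkhunter
MAILTO=you@example.com            # placeholder: replace with your address
REPORT_DIR=/var/log/rkhunter-reports

# extract_flagged: read scan output on stdin and print, one per line, every
# absolute path that appears on a line rkhunter marked BAD or warned about.
extract_flagged() {
    grep -E '\[ ?BAD ?\]|Warning' \
      | grep -oE '(/[A-Za-z0-9._+-]+)+' \
      | LC_ALL=C sort -u
}

# verify_with_pkgmgr PATH: ask the package manager whether PATH still matches
# the package that installed it. Prints exactly one word:
#   intact   - the installed package's record matches the file on disk
#   modified - the file differs from what the package shipped
#   unknown  - no package owns it, or no supported package manager is present
verify_with_pkgmgr() {
    path=$1
    if command -v rpm >/dev/null 2>&1; then
        # rpm -Vf prints nothing when every attribute verifies
        out=$(rpm -Vf "$path" 2>&1) || true
        case $out in
            "")             echo intact ;;
            *"not owned"*)  echo unknown ;;
            *)              echo modified ;;
        esac
    elif command -v dpkg >/dev/null 2>&1; then
        # dpkg -S prints "pkg: /path"; skip diversion lines, keep the package
        pkg=$(dpkg -S "$path" 2>/dev/null | grep -v '^diversion' \
              | head -n1 | sed 's/:.*//') || true
        if [ -z "$pkg" ]; then
            echo unknown
        elif dpkg -V "$pkg" 2>/dev/null | grep -q " $path\$"; then
            echo modified
        else
            echo intact
        fi
    else
        echo unknown
    fi
}

# annotate_report: read a full scan report on stdin, echo it unchanged, then
# append one verdict line per flagged file.
annotate_report() {
    tmp=$(mktemp) || return 1
    cat >"$tmp"
    cat "$tmp"
    flagged=$(extract_flagged <"$tmp")
    echo
    if [ -z "$flagged" ]; then
        echo "No files flagged."
    else
        echo "Package-manager verification of flagged files:"
        echo "$flagged" | while read -r f; do
            printf '  %-40s %s\n' "$f" "$(verify_with_pkgmgr "$f")"
        done
    fi
    rm -f "$tmp"
}

main() {
    mkdir -p "$REPORT_DIR"
    report=$REPORT_DIR/$(date +%Y-%m-%d).log
    # rkhunter may exit non-zero when it finds warnings; carry on so the
    # report is still mailed and kept on disk for comparison with earlier days.
    "$RKHUNTER" -c --cronjob >"$report" 2>&1 || true
    annotate_report <"$report" \
      | mail -s "Daily Rkhunter Scan Report ($(hostname))" "$MAILTO"
}

# cron.daily convention: do nothing if the scanner is not installed here.
if [ -x "$RKHUNTER" ]; then
    main
fi
```

Save it as /etc/cron.daily/rkhunter and make it executable. An "intact" verdict only means the package manager's own database agrees with the file on disk; an attacker with root can rewrite that database as easily as the binary, so the verdict helps you triage a warning after a known update, it does not prove the machine is clean.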

More information on rkhunter can be found here:

Comments (3)

  • Steven Ciaburri 04:35, May 2, 2004
    Please note: run rkhunter and you will find more items infected.

  • Jackson 09:33, October 23, 2005
    You should NEVER clean a rooted or compromised system.

    You will never get all the files the hacker put in place on the server. You MUST, and this is the ONLY way to make sure the hacker can not get back in to your system again, either format and reinstall, or install a new drive and OS, then slave the old drive over to the new and boot up... Mount the old drive and copy over your files... NO BINARIES THOUGH! Just user files.

    This has to be the stupidest tutorial ever. Any expert knows the only way to clean a rooted system is to start from scratch.
    <br />
  • Kevin 23:47, January 18, 2006
    I agree with you, Jackson. It's like dropping a cake on a wet, dirty floor. If you just give it a simple wipe on 1/4 of the cake, it's still dirty, but not as visibly. Who knows? The hacker could have been smart and installed a few more rootkits in case you follow this.

