How to Detect Rootkits with rkhunter and chkrootkit on RHEL 7
A rootkit is a collection of malicious software designed to maintain persistent, hidden access to a compromised system while concealing its presence from the administrator and standard system tools. Once installed, rootkits can replace core binaries, hide processes and network connections, and exfiltrate data undetected for months. Detecting them requires dedicated scanning tools that look for tell-tale signs: modified system binaries, suspicious hidden files, anomalous kernel modules, and known malicious file signatures. This guide shows you how to deploy two complementary rootkit detectors on RHEL 7 — rkhunter (Rootkit Hunter) and chkrootkit — configure them correctly, interpret their output, and automate regular scans.
Prerequisites
- RHEL 7 system with root access
- EPEL repository enabled (for rkhunter)
- Internet access or a local mirror for package downloads
- For chkrootkit from source: the gcc and make build tools
Step 1: Install rkhunter from EPEL
Enable EPEL if not already active:
yum install epel-release -y
Install rkhunter:
yum install rkhunter -y
Verify the installation:
rkhunter --version
Step 2: Initialize the rkhunter File Properties Database
Before running a scan, rkhunter must build a baseline database of known-good file properties (hashes, permissions, owners) for critical system files. Run this command immediately after installation on a system you trust to be clean:
rkhunter --propupd
This populates /var/lib/rkhunter/db/rkhunter.dat. Any future scan compares live file properties against this baseline. If you run --propupd on an already-compromised system, the rootkit’s modified binaries will be recorded as legitimate, defeating this check — run it as early as possible, ideally right after provisioning.
Update the database again after legitimate package updates to avoid false positives from patched binaries:
yum update -y
rkhunter --propupd
Step 3: Run a Full rkhunter Scan
Perform a complete system check:
rkhunter --check
The scan pauses at each test category and waits for you to press Enter. To run non-interactively (for cron jobs), use the --sk (skip keypress) flag:
rkhunter --check --sk
To suppress all output except warnings:
rkhunter --check --sk --quiet
The detailed log is written to /var/log/rkhunter.log regardless of screen verbosity. The LOGFILE directive in /etc/rkhunter.conf controls that path, so check it if the file is not where you expect.
Step 4: Interpreting rkhunter Output
rkhunter classifies each check result as:
- [OK]: no issues found
- [Warning]: a suspicious condition was detected; investigate before the next scan overwrites the log
- [Not found]: the rootkit, file, or command being looked for does not exist on this system. For the known-rootkit checks this is the clean result; for a required command it means that test could not run
- [Skipped]: the check was not applicable to this system configuration
View a summary of warnings from the most recent scan:
grep -i warning /var/log/rkhunter.log
A common false positive is a changed SSH binary after a legitimate package update when rkhunter --propupd was not rerun afterwards: the file's hash no longer matches the stored baseline, so the file-properties test fires. Before treating such a warning as a confirmed infection, cross-check the exact path rkhunter reported against the RPM database:
rpm -qf /usr/sbin/sshd
rpm -V openssh-server
rpm -V prints nothing for files that match the package metadata. A line with flags such as S (size), 5 (digest) or T (mtime) in front of the path marks a discrepancy; a c after the flags means a config file, which administrators change legitimately. If the binary verifies clean, the rkhunter warning is a false positive and you can refresh the baseline with rkhunter --propupd. If rpm shows a discrepancy, reports the file as missing, or no package owns it, treat it as a genuine alert. Bear in mind that an attacker with root can edit the RPM database too, so for a suspect binary verify against a package file fetched from a trusted mirror rather than against the local database (yumdownloader is in the yum-utils package):
yumdownloader openssh-server
rpm -Vp openssh-server-*.rpm
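The cross-check above can be scripted. The following is an added example for this guide, not code from the rkhunter or RPM projects: it reads the paths named in rkhunter's warning records and asks the RPM database about each one. The log it parses is a constructed sample in rkhunter.log's format with placeholder hashes, and the helper names (rkhunter_warning_paths, triage_path, triage_log) are the example's own.

```shell
#!/bin/sh
# Added example for this guide, not code from the rkhunter project: extract the
# file paths named in rkhunter warnings and triage each one against the RPM
# database. The log below is a constructed sample in rkhunter.log's format;
# the hashes are placeholders.
export LC_ALL=C

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[03:00:12] Info: Starting system checks
[03:00:14] Warning: The file properties have changed:
[03:00:14]          File: /usr/sbin/sshd
[03:00:14]          Current hash: 0000000000000000000000000000000000000001
[03:00:14]          Stored hash : 0000000000000000000000000000000000000002
[03:00:15] Warning: Hidden directory found: /dev/.udev
[03:00:16] Info: System checks summary
EOF

# Print the unique absolute paths named in the warning records of an rkhunter log.
# A file-properties warning puts the path on an indented "File:" line below the
# "Warning:" line; hidden-object warnings carry it on the same line after "found:".
rkhunter_warning_paths() {
    grep -A 3 'Warning:' "$1" \
        | grep -oE '(File|found): /[^[:space:]]+' \
        | sed -E 's/^(File|found): //' \
        | sort -u
}

# Check one path against the RPM database.
# Prints "<path>: clean <pkg>", "<path>: MODIFIED <pkg> <flags>" or "<path>: unowned".
# Exit status: 0 clean, 1 modified or unowned (investigate), 2 rpm not available.
triage_path() {
    p=$1
    command -v rpm >/dev/null 2>&1 || { echo "$p: rpm not available"; return 2; }
    pkg=$(rpm -qf "$p" 2>/dev/null) || { echo "$p: unowned"; return 1; }
    # rpm -V prints nothing for a file that matches the package metadata;
    # otherwise a flag string (S size, 5 digest, T mtime, ...) precedes the path.
    flags=$(rpm -V "$pkg" | awk -v f="$p" '$NF == f { print $1 }')
    if [ -z "$flags" ]; then
        echo "$p: clean $pkg"
        return 0
    fi
    echo "$p: MODIFIED $pkg $flags"
    return 1
}

# Triage every path a log names; exit status 0 only if all of them verify clean.
triage_log() {
    rc=0
    for p in $(rkhunter_warning_paths "$1"); do
        triage_path "$p" || rc=1
    done
    return $rc
}

echo "paths named in warnings:"
rkhunter_warning_paths "$SAMPLE_LOG"
if triage_log "$SAMPLE_LOG"; then
    echo "all named files match their packages; refresh the baseline with rkhunter --propupd"
else
    echo "review the lines above before trusting this host"
fi
```

Point it at the real log with `triage_log /var/log/rkhunter.log`. A non-zero exit means at least one named file is modified, unowned, or could not be checked, which is the case to escalate; a clean result still only says the file agrees with the local RPM database, so for a binary you distrust repeat the check with rpm -Vp against a package from a trusted mirror.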
Step 5: Configure /etc/rkhunter.conf
rkhunter's configuration file at /etc/rkhunter.conf lets you suppress known-legitimate findings and tune the scanner for your environment. Back up the file before editing it, and validate the result afterwards:
cp /etc/rkhunter.conf /etc/rkhunter.conf.bak
vi /etc/rkhunter.conf
Whitelisting Hidden Directories
Some legitimate software creates hidden directories under /dev. Whitelist them with the ALLOWHIDDENDIR directive, one path per line. The two entries below are the commented examples from the stock rkhunter.conf:
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.initramfs
Whitelisting Hidden Files in /dev
Device-management subsystems may also create hidden files in /dev. Whitelist known-good ones with ALLOWDEVFILE:
ALLOWDEVFILE=/dev/.udev/rules.d/99-root.rules
Only whitelist a path after rkhunter has actually reported it in /var/log/rkhunter.log and you have checked what created it (rpm -qf on the entry and ls -la on its parent). A whitelist entry silences that warning permanently, including the day a rootkit reuses the same name.
Enabling Email Alerts
Configure rkhunter to send email when warnings are found. MAIL-ON-WARNING sets the recipient and MAIL_CMD the command used to send; the form below is the one the stock configuration documents, with ${HOST_NAME} and ${MAIL-ON-WARNING} expanded by rkhunter itself. It needs a working local MTA and the mailx package, which provides the mail command on RHEL 7:
MAIL-ON-WARNING=root@localhost
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" ${MAIL-ON-WARNING}
After editing the configuration, validate it:
rkhunter --config-check
Step 6: Install chkrootkit
chkrootkit is not available in EPEL for RHEL 7 and must be compiled from source or installed from a trusted binary package.
Option A: Compile from Source
yum install gcc make wget -y
cd /usr/local/src
wget https://www.chkrootkit.org/dl/chkrootkit.tar.gz
Compare the tarball against the checksum published on the chkrootkit site before unpacking it; you are about to build and run this code as root.
tar -xzf chkrootkit.tar.gz
cd chkrootkit-*/
make sense
After a successful build, the chkrootkit script and the helper programs it calls (chkproc, ifpromisc, chklastlog, chkwtmp, chkdirs, strings-static and others) sit in the build directory. Keep them together: chkrootkit reports a test as "not tested" when it cannot find the helper for it. Copy the directory to a permanent location and install a small wrapper in /usr/local/sbin so that the rest of this guide can call chkrootkit by that path:
mkdir -p /usr/local/chkrootkit
cp -r . /usr/local/chkrootkit/
chmod -R 700 /usr/local/chkrootkit
cat > /usr/local/sbin/chkrootkit <<'EOF'
#!/bin/sh
# run chkrootkit from its own directory so it finds its helper programs
cd /usr/local/chkrootkit && exec ./chkrootkit "$@"
EOF
chmod 700 /usr/local/sbin/chkrootkit
Option B: Install from a Trusted Binary Repository
Some third-party RHEL-compatible repositories provide a pre-built RPM. If you use one, import the repository's signing key from a source you can vouch for and verify the package signature with rpm -K before installing; if you cannot establish where the key came from, build from source instead.
Step 7: Run chkrootkit
Execute a full scan:
chkrootkit
chkrootkit checks for over 70 known rootkits, trojanized binaries, suspicious processes, and network interfaces in promiscuous mode. Output lines are prefixed with:
- not infected: clean
- INFECTED: a known malicious pattern was detected (investigate immediately)
- not tested: the check was skipped, usually because a required utility or helper program was not found
- not found / nothing found: the file or rootkit being looked for is absent, which is the clean result for those tests
Because chkrootkit is a shell script that relies on system tools such as ps, netstat, awk and strings, a rootkit that has trojaned those tools can blind it. The -p option points it at directories of known-good binaries, for example copies taken from installation media or a trusted host:
chkrootkit -p /mnt/trusted/bin:/mnt/trusted/sbin
To run a specific test only, give its name as an argument (for example, the promiscuous-interface check):
chkrootkit sniffer
List all available tests:
chkrootkit -l
For unattended runs, -q prints only the findings:
chkrootkit -q
Save output to a log file for record-keeping:
chkrootkit > /var/log/chkrootkit-$(date +%F).log 2>&1
Step 8: Automate Both Scanners with Cron
Create a combined scanning script that runs both tools and saves timestamped logs. First check whether the EPEL rkhunter package already installed its own daily job (look for /etc/cron.daily/rkhunter and its settings in /etc/sysconfig/rkhunter) and disable or adjust it, so the host is not scanned twice with different options:
cat > /usr/local/bin/rootkit-scan.sh <<'EOF'
#!/bin/bash
# Run rkhunter and chkrootkit, keep dated logs, and mail root on findings.
# cron starts jobs with a minimal PATH, so set one that covers both tools and mail.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
LOG_DIR="/var/log/rootkit-scans"
STAMP=$(date +%F)
RK_LOG="$LOG_DIR/rkhunter-$STAMP.log"
CK_LOG="$LOG_DIR/chkrootkit-$STAMP.log"
mkdir -p "$LOG_DIR"
chmod 700 "$LOG_DIR"

echo "=== rkhunter scan: $STAMP ===" > "$RK_LOG"
# --nocolors keeps ANSI escape sequences out of the log so grep matches cleanly
rkhunter --check --sk --nocolors --quiet >> "$RK_LOG" 2>&1
RK_RC=$?

echo "=== chkrootkit scan: $STAMP ===" > "$CK_LOG"
/usr/local/sbin/chkrootkit >> "$CK_LOG" 2>&1

# rkhunter exits non-zero when it found warnings; the grep is a second check
if [ "$RK_RC" -ne 0 ] || grep -q "Warning" "$RK_LOG"; then
    mail -s "[ALERT] rkhunter warnings on $(hostname)" root < "$RK_LOG"
fi
# chkrootkit marks hits with INFECTED; read any "Possible" lines from chkproc by hand
if grep -q "INFECTED" "$CK_LOG"; then
    mail -s "[ALERT] chkrootkit INFECTED on $(hostname)" root < "$CK_LOG"
fi
EOF
chmod 700 /usr/local/bin/rootkit-scan.sh
Schedule the script to run every day at 3 AM:
echo "0 3 * * * root /usr/local/bin/rootkit-scan.sh" > /etc/cron.d/rootkit-scan
chmod 644 /etc/cron.d/rootkit-scan
Step 9: Comparing Results Over Time
Retain logs from every scan run to detect new warnings that appear after system changes. Compare consecutive rkhunter logs with diff:
diff /var/log/rootkit-scans/rkhunter-2026-05-10.log /var/log/rootkit-scans/rkhunter-2026-05-17.log
The first line always differs because it carries the scan date, and a file that changed twice shows up with a different "Current hash" each time, so when the logs are long it is easier to compare only the warning lines:
diff <(grep Warning /var/log/rootkit-scans/rkhunter-2026-05-10.log) <(grep Warning /var/log/rootkit-scans/rkhunter-2026-05-17.log)
New warnings that appear in the newer file but not in the older one warrant immediate investigation. A sudden [Warning] on a previously clean binary, especially when no package was updated in between, is a strong indicator of tampering; check the system's yum history (yum history) before concluding that nothing changed legitimately.
Update the rkhunter database after every deliberate yum update to keep the baseline current and prevent legitimate updates from generating persistent false alarms:
yum update -y && rkhunter --propupd
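As an added example that is not part of the original guide, the comparison can be done as a set difference of warning lines, so that the dated header, the changing hash lines, and the [HH:MM:SS] prefixes found in /var/log/rkhunter.log never show up as differences. The two logs are constructed samples in the format the cron script from Step 8 writes, and the function names (warning_set, new_warnings, resolved_warnings) are the example's own.

```shell
#!/bin/sh
# Added example for this guide, not part of the original: report rkhunter warnings
# that are present in a newer scan log but absent from an older one. It ignores the
# dated header line and the changing hash lines, and strips the [HH:MM:SS] prefix
# that /var/log/rkhunter.log carries, so the same warning compares equal across runs.
# The two logs below are constructed samples in the format the cron script writes.
export LC_ALL=C   # sort and comm must agree on collation order

OLD_LOG=$(mktemp); NEW_LOG=$(mktemp)
trap 'rm -f "$OLD_LOG" "$NEW_LOG"' EXIT
cat > "$OLD_LOG" <<'EOF'
=== rkhunter scan: 2026-05-10 ===
Warning: Hidden directory found: /dev/.udev
EOF
cat > "$NEW_LOG" <<'EOF'
=== rkhunter scan: 2026-05-17 ===
Warning: The file properties have changed:
         File: /usr/sbin/sshd
         Current hash: 0000000000000000000000000000000000000001
         Stored hash : 0000000000000000000000000000000000000002
Warning: Hidden directory found: /dev/.udev
EOF

# Reduce a log to the set of warning lines it contains: drop any leading
# "[HH:MM:SS]" timestamp and indentation, keep "Warning:" lines plus the "File:"
# detail line under a file-properties warning, and de-duplicate.
warning_set() {
    sed -nE 's/^(\[[0-9:]+\])?[[:space:]]*//; /^(Warning:|File: )/p' "$1" | sort -u
}

# Print warning lines found in the newer log ($2) but not in the older one ($1).
new_warnings() {
    old=$(mktemp); new=$(mktemp)
    warning_set "$1" > "$old"
    warning_set "$2" > "$new"
    comm -13 "$old" "$new"
    rm -f "$old" "$new"
}

# Print warnings that were in the older log ($1) and are gone from the newer one ($2),
# which is what you expect to see after a deliberate --propupd.
resolved_warnings() {
    new_warnings "$2" "$1"
}

echo "new since the previous scan:"
new_warnings "$OLD_LOG" "$NEW_LOG"
```

Run it against two real files with `new_warnings /var/log/rootkit-scans/rkhunter-2026-05-10.log /var/log/rootkit-scans/rkhunter-2026-05-17.log`; an empty result means nothing new was flagged, and any output is the list to take to Step 4's rpm cross-check.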
Conclusion
rkhunter and chkrootkit serve complementary roles in rootkit detection on RHEL 7. rkhunter excels at file integrity checking against a known-good baseline, detecting modified SUID binaries, suspicious scripts, and configuration anomalies. chkrootkit focuses on signatures of known rootkit families and live system characteristics such as promiscuous network interfaces. Neither tool is foolproof. Both run as ordinary processes on the host they inspect, so a kernel-mode rootkit that filters what the kernel reports can hide from them; when a scan raises a warning you cannot explain, confirm it from outside the suspect environment by booting from trusted media, or by imaging the disk and checking the image on a clean host. Together the two tools raise the bar significantly and provide an auditable record of system health over time. Combine them with a filesystem integrity solution such as AIDE, limit server access with firewall rules and two-factor authentication, and treat any scan warning as requiring investigation rather than dismissal.