Detect Rootkits and Malware on Linux
Use chkrootkit, rkhunter, ClamAV, and Lynis to scan a Linux system for rootkits and malware — what each tool actually checks and how to read the results.
Before you start
- ▸Root or sudo access on the target system
- ▸Internet access to download packages and update signatures
- ▸Basic familiarity with reading terminal output and log files
Rootkits and malware on Linux are rare but not mythical. Shared hosting environments, exposed SSH ports, outdated kernel modules, and compromised supply chains are real attack surfaces. These tools won't replace a solid prevention posture, but they give you eyes on what's already running — and on a compromised system, that matters. Here's how to use the four most widely deployed scanning tools, what they actually check, and how to interpret their output honestly.
What These Tools Actually Do
Before running anything, understand the limitations:
- chkrootkit — compares binaries and running processes against known rootkit signatures. It runs in userspace, so a sophisticated rootkit that has already compromised system calls can fool it.
- rkhunter — similar signature approach but broader: checks file hashes, hidden files, suspicious strings in binaries, and network ports. Also userspace-only.
- ClamAV — antivirus engine primarily targeting known malware by signature. More useful for scanning file repositories, mail servers, or files of unknown origin than for detecting live rootkits.
- Lynis — a security auditing tool, not strictly a malware scanner. It audits system configuration, packages, and hardening posture and can flag conditions that indicate compromise.
The honest rule: if your kernel is compromised, no userspace scanner is fully trustworthy. For high-stakes forensics, boot from a clean live USB and scan offline. For routine monitoring these tools are valuable and practical.
Install the Tools
Debian / Ubuntu
sudo apt update
sudo apt install chkrootkit rkhunter clamav clamav-daemon lynis
Fedora / RHEL / Rocky
chkrootkit and rkhunter are in EPEL. Enable it first if needed.
sudo dnf install epel-release # Fedora skips this step
sudo dnf install chkrootkit rkhunter clamav clamav-update lynis
Arch Linux
sudo pacman -S rkhunter clamav lynis
yay -S chkrootkit # AUR
chkrootkit
chkrootkit is fast and simple. Run it as root; it executes a series of shell-based tests against common rootkit behavior patterns.
sudo chkrootkit
Output is line-by-line per test. You're looking for INFECTED in the results. not found means the rootkit pattern wasn't detected; not tested means the test wasn't applicable.
A known false positive on many modern kernels: the packet sniffer test will flag any active network interface in promiscuous mode, which is normal for virtualized hosts and some VPN configurations. Confirm with:
ip link show | grep PROMISC
If only your VPN or bridge interface appears, it's expected. If eth0 or your primary NIC is flagged without explanation, investigate further.
rkhunter
rkhunter needs an initial baseline before it can detect changes. If you're installing it on a system you already suspect is compromised, the baseline itself is untrustworthy — scan from a live environment instead.
Build the initial file hash database
sudo rkhunter --propupd
Update rkhunter's signature database
sudo rkhunter --update
Run a full scan
sudo rkhunter --check --sk
The --sk flag skips the keypress prompts between sections, giving you one continuous run. Results log to /var/log/rkhunter.log by default.
sudo grep -E '\[ (Warning|Found) \]' /var/log/rkhunter.log
Warnings are not automatic proof of infection. Common benign warnings include SSH configured with PermitRootLogin still set, or Perl libraries showing as hidden files. Read each warning in context. Genuine red flags: modified system binaries like /bin/ps or /usr/bin/who, unexpected SUID files, or listening ports that rkhunter has never seen before.
After a legitimate system update, rebuild the hash database so future runs don't flag updated binaries as suspicious:
sudo rkhunter --propupd
ClamAV
ClamAV shines at scanning specific directories or files for known malware. Update the signature database before every scan — stale definitions are nearly useless.
Update virus definitions
sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam
On Fedora/RHEL the service may be named clamav-freshclam or managed via a timer. Check with systemctl list-units | grep clam.
Scan a directory
sudo clamscan -r --infected --remove=no /home /tmp /var/tmp /root
-r— recursive--infected— only print infected files--remove=no— never auto-delete without reviewing first
Scan the entire filesystem cautiously; exclude /proc, /sys, and /dev to avoid false hits and stalls:
sudo clamscan -r --infected --remove=no \
--exclude-dir='^/proc' \
--exclude-dir='^/sys' \
--exclude-dir='^/dev' \
/
A full-system scan on a populated disk takes time. Run it in a tmux or screen session, or redirect output to a log file with --log=/var/log/clamav-scan.log.
Lynis
Lynis is an auditor, not just a scanner. It reviews hundreds of security controls and produces a hardening index score. Run it as root for a complete picture.
sudo lynis audit system
The report goes to /var/log/lynis.log and a shorter report to /var/log/lynis-report.dat. The terminal output ends with a Hardening index score out of 100 and a list of suggestions sorted by severity.
Pay attention to sections labeled Warning over Suggestion. Specific things to act on immediately:
- Running kernel differs from installed kernel — reboot after updates
- World-writable files in system paths
- Unowned files
- Processes running as root that shouldn't be
- SSH root login or empty password authentication enabled
sudo grep Warning /var/log/lynis.log
Verification and Establishing a Routine
One-time scans are less valuable than regular, automated ones. Set up weekly scans with systemd timers or cron.
Example: weekly rkhunter scan via cron
sudo crontab -e
# Run rkhunter every Sunday at 03:00, email results
0 3 * * 0 /usr/bin/rkhunter --check --sk --report-warnings-only | mail -s "rkhunter weekly: $(hostname)" root
Make sure mail or sendmail is configured, or redirect to a log file if you prefer. For ClamAV, freshclam can run on its own systemd timer — verify it's active:
systemctl status clamav-freshclam
Check for unexpected listening services right now
sudo ss -tlnp
sudo ss -ulnp
Compare this against what you expect. Any unknown PID in the output warrants ps aux | grep <pid> and potentially ls -la /proc/<pid>/exe to identify the binary.
Troubleshooting
- rkhunter reports many warnings after an OS update — run
sudo rkhunter --propupdimmediately after package upgrades. Integrate it into your update workflow. - freshclam fails with "locked by another process" — stop the freshclam service before running it manually:
sudo systemctl stop clamav-freshclam. - chkrootkit shows INFECTED for
bindshell— this tests whether a specific port is listening. It can be triggered by legitimate services. Confirm withsudo ss -tlnp | grep <port>and identify the process. - Lynis score seems low on a fresh install — that's normal. A default install of any distro scores in the 55–65 range. The suggestions are your hardening roadmap, not a sign something is wrong.
- Suspicious file found but unsure — check its hash against VirusTotal, inspect it with
strings, and look atlsofto see if any process has it open. Never run an unknown binary to "see what it does."
Frequently asked questions
- Can a rootkit hide itself from chkrootkit and rkhunter?
- Yes. Both tools run in userspace. A kernel-level rootkit that intercepts system calls can return falsified data to any userspace scanner. For forensic certainty on a suspected host, boot from a trusted live USB and scan the filesystem offline.
- How often should I run these scans?
- Weekly automated rkhunter and ClamAV scans are a reasonable baseline for internet-facing servers. Run Lynis after major configuration changes or OS upgrades. Run all tools manually whenever you observe anomalous behavior.
- Do I need all four tools or will one suffice?
- Each covers different ground. chkrootkit and rkhunter focus on rootkit signatures, ClamAV covers known malware file signatures, and Lynis audits configuration. Using all four gives the broadest coverage with minimal overhead.
- rkhunter flagged /usr/bin/who as changed — is my system compromised?
- Not necessarily. System updates change binaries legitimately. If the change happened right after a package update, run sudo rkhunter --propupd to update the baseline. If it changed without a corresponding update, investigate seriously.
- Should I use --remove on clamscan to auto-delete infected files?
- No, not in routine scanning. False positives exist, and auto-deletion of system files can break services. Always review flagged files first. Quarantine or delete manually once you've confirmed the finding is genuine.
Related guides
Manage Secrets with Ansible Vault
Encrypt Ansible secrets with AES-256 using ansible-vault: encrypt files and inline vars, automate with password files, and isolate group-level secrets with vault IDs.
AppArmor Explained
Learn how AppArmor profiles work, how to switch between enforce and complain mode, create new profiles, and diagnose access denials on Ubuntu, Debian, and Arch.
Apply CIS Benchmarks with OpenSCAP
Use OpenSCAP and scap-security-guide to evaluate, report on, and remediate Linux systems against CIS Benchmarks — covering install, eval, and automation.
How to Audit a Linux System with auditd
Set up auditd on Linux to track file access, syscalls, and privilege use. Covers persistent rules, file watches, ausearch, and aureport across major distros.