$linuxjunkies
>

Detect Rootkits and Malware on Linux

Use chkrootkit, rkhunter, ClamAV, and Lynis to scan a Linux system for rootkits and malware — what each tool actually checks and how to read the results.

IntermediateUbuntuDebianFedoraArch10 min readUpdated June 7, 2026

Before you start

  • Root or sudo access on the target system
  • Internet access to download packages and update signatures
  • Basic familiarity with reading terminal output and log files

Rootkits and malware on Linux are rare but not mythical. Shared hosting environments, exposed SSH ports, outdated kernel modules, and compromised supply chains are real attack surfaces. These tools won't replace a solid prevention posture, but they give you eyes on what's already running — and on a compromised system, that matters. Here's how to use the four most widely deployed scanning tools, what they actually check, and how to interpret their output honestly.

What These Tools Actually Do

Before running anything, understand the limitations:

  • chkrootkit — compares binaries and running processes against known rootkit signatures. It runs in userspace, so a sophisticated rootkit that has already compromised system calls can fool it.
  • rkhunter — similar signature approach but broader: checks file hashes, hidden files, suspicious strings in binaries, and network ports. Also userspace-only.
  • ClamAV — antivirus engine primarily targeting known malware by signature. More useful for scanning file repositories, mail servers, or files of unknown origin than for detecting live rootkits.
  • Lynis — a security auditing tool, not strictly a malware scanner. It audits system configuration, packages, and hardening posture and can flag conditions that indicate compromise.

The honest rule: if your kernel is compromised, no userspace scanner is fully trustworthy. For high-stakes forensics, boot from a clean live USB and scan offline. For routine monitoring these tools are valuable and practical.

Install the Tools

Debian / Ubuntu

sudo apt update
sudo apt install chkrootkit rkhunter clamav clamav-daemon lynis

Fedora / RHEL / Rocky

chkrootkit and rkhunter are in EPEL. Enable it first if needed.

sudo dnf install epel-release   # Fedora skips this step
sudo dnf install chkrootkit rkhunter clamav clamav-update lynis

Arch Linux

sudo pacman -S rkhunter clamav lynis
yay -S chkrootkit   # AUR

chkrootkit

chkrootkit is fast and simple. Run it as root; it executes a series of shell-based tests against common rootkit behavior patterns.

sudo chkrootkit

Output is line-by-line per test. You're looking for INFECTED in the results. not found means the rootkit pattern wasn't detected; not tested means the test wasn't applicable.

A known false positive on many modern kernels: the packet sniffer test will flag any active network interface in promiscuous mode, which is normal for virtualized hosts and some VPN configurations. Confirm with:

ip link show | grep PROMISC

If only your VPN or bridge interface appears, it's expected. If eth0 or your primary NIC is flagged without explanation, investigate further.

rkhunter

rkhunter needs an initial baseline before it can detect changes. If you're installing it on a system you already suspect is compromised, the baseline itself is untrustworthy — scan from a live environment instead.

Build the initial file hash database

sudo rkhunter --propupd

Update rkhunter's signature database

sudo rkhunter --update

Run a full scan

sudo rkhunter --check --sk

The --sk flag skips the keypress prompts between sections, giving you one continuous run. Results log to /var/log/rkhunter.log by default.

sudo grep -E '\[ (Warning|Found) \]' /var/log/rkhunter.log

Warnings are not automatic proof of infection. Common benign warnings include SSH configured with PermitRootLogin still set, or Perl libraries showing as hidden files. Read each warning in context. Genuine red flags: modified system binaries like /bin/ps or /usr/bin/who, unexpected SUID files, or listening ports that rkhunter has never seen before.

After a legitimate system update, rebuild the hash database so future runs don't flag updated binaries as suspicious:

sudo rkhunter --propupd

ClamAV

ClamAV shines at scanning specific directories or files for known malware. Update the signature database before every scan — stale definitions are nearly useless.

Update virus definitions

sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam

On Fedora/RHEL the service may be named clamav-freshclam or managed via a timer. Check with systemctl list-units | grep clam.

Scan a directory

sudo clamscan -r --infected --remove=no /home /tmp /var/tmp /root
  • -r — recursive
  • --infected — only print infected files
  • --remove=no — never auto-delete without reviewing first

Scan the entire filesystem cautiously; exclude /proc, /sys, and /dev to avoid false hits and stalls:

sudo clamscan -r --infected --remove=no \
  --exclude-dir='^/proc' \
  --exclude-dir='^/sys' \
  --exclude-dir='^/dev' \
  /

A full-system scan on a populated disk takes time. Run it in a tmux or screen session, or redirect output to a log file with --log=/var/log/clamav-scan.log.

Lynis

Lynis is an auditor, not just a scanner. It reviews hundreds of security controls and produces a hardening index score. Run it as root for a complete picture.

sudo lynis audit system

The report goes to /var/log/lynis.log and a shorter report to /var/log/lynis-report.dat. The terminal output ends with a Hardening index score out of 100 and a list of suggestions sorted by severity.

Pay attention to sections labeled Warning over Suggestion. Specific things to act on immediately:

  • Running kernel differs from installed kernel — reboot after updates
  • World-writable files in system paths
  • Unowned files
  • Processes running as root that shouldn't be
  • SSH root login or empty password authentication enabled
sudo grep Warning /var/log/lynis.log

Verification and Establishing a Routine

One-time scans are less valuable than regular, automated ones. Set up weekly scans with systemd timers or cron.

Example: weekly rkhunter scan via cron

sudo crontab -e
# Run rkhunter every Sunday at 03:00, email results
0 3 * * 0 /usr/bin/rkhunter --check --sk --report-warnings-only | mail -s "rkhunter weekly: $(hostname)" root

Make sure mail or sendmail is configured, or redirect to a log file if you prefer. For ClamAV, freshclam can run on its own systemd timer — verify it's active:

systemctl status clamav-freshclam

Check for unexpected listening services right now

sudo ss -tlnp
sudo ss -ulnp

Compare this against what you expect. Any unknown PID in the output warrants ps aux | grep <pid> and potentially ls -la /proc/<pid>/exe to identify the binary.

Troubleshooting

  • rkhunter reports many warnings after an OS update — run sudo rkhunter --propupd immediately after package upgrades. Integrate it into your update workflow.
  • freshclam fails with "locked by another process" — stop the freshclam service before running it manually: sudo systemctl stop clamav-freshclam.
  • chkrootkit shows INFECTED for bindshell — this tests whether a specific port is listening. It can be triggered by legitimate services. Confirm with sudo ss -tlnp | grep <port> and identify the process.
  • Lynis score seems low on a fresh install — that's normal. A default install of any distro scores in the 55–65 range. The suggestions are your hardening roadmap, not a sign something is wrong.
  • Suspicious file found but unsure — check its hash against VirusTotal, inspect it with strings, and look at lsof to see if any process has it open. Never run an unknown binary to "see what it does."
tested on:Ubuntu 24.04Debian 12Fedora 41Arch rolling

Frequently asked questions

Can a rootkit hide itself from chkrootkit and rkhunter?
Yes. Both tools run in userspace. A kernel-level rootkit that intercepts system calls can return falsified data to any userspace scanner. For forensic certainty on a suspected host, boot from a trusted live USB and scan the filesystem offline.
How often should I run these scans?
Weekly automated rkhunter and ClamAV scans are a reasonable baseline for internet-facing servers. Run Lynis after major configuration changes or OS upgrades. Run all tools manually whenever you observe anomalous behavior.
Do I need all four tools or will one suffice?
Each covers different ground. chkrootkit and rkhunter focus on rootkit signatures, ClamAV covers known malware file signatures, and Lynis audits configuration. Using all four gives the broadest coverage with minimal overhead.
rkhunter flagged /usr/bin/who as changed — is my system compromised?
Not necessarily. System updates change binaries legitimately. If the change happened right after a package update, run sudo rkhunter --propupd to update the baseline. If it changed without a corresponding update, investigate seriously.
Should I use --remove on clamscan to auto-delete infected files?
No, not in routine scanning. False positives exist, and auto-deletion of system files can break services. Always review flagged files first. Quarantine or delete manually once you've confirmed the finding is genuine.

Related guides