Using RKHunter on your Linode to scan for malicious software

Linode Staff

Linode recommends using RKHunter to scan your Linode for malicious software. This is useful if you detect suspicious activity on your Linode.

To run an RKHunter scan on your Linode, you will first need to boot your Linode into Rescue Mode as described here:

Once you have booted into Rescue Mode, run the following commands to install and run RKHunter on your Linode. These commands assume that your Linode's root device is /dev/sda; edit and extend the mount steps as needed for your Linode's configuration so that the scan covers all of your Linode's filesystems.

apt update
apt install rkhunter -y
sed -i 's/WEB_CMD="\/bin\/false"/#WEB_CMD="\/bin\/false"/' /etc/rkhunter.conf
sed -i 's/UPDATE_MIRRORS=0/UPDATE_MIRRORS=1/' /etc/rkhunter.conf
sed -i 's/MIRRORS_MODE=1/MIRRORS_MODE=0/' /etc/rkhunter.conf
sed -i '542 i USER_FILEPROP_FILES_DIRS=/media/sda/*' /etc/rkhunter.conf
mkdir -p /media/sda
mount -o barrier=0 /dev/sda /media/sda
rkhunter --update
rkhunter --propupd
rkhunter --check --sk

The last command starts the RKHunter scan, which takes some time depending on the size of your Linode's disks.

When the scan completes, RKHunter writes its results to /var/log/rkhunter.log. Review this log file to see which suspicious files RKHunter detected, and take appropriate action to remove them from your Linode with rm (or a comparable file deletion command).

After performing these steps, you can resume the normal operations of your Linode by simply rebooting it from Cloud Manager. Your Linode will leave Rescue Mode and re-enter its usual operating environment.
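As an added example, not part of the original post or of Linode's tooling, the POSIX shell functions below apply the same configuration edits as the commands above without inserting at a fixed line number in /etc/rkhunter.conf (so they can be re-run safely), comment out any SCRIPTWHITELIST entry whose path does not exist in the rescue environment (the error one reply below reports for /usr/bin/which.debianutils), and list the distinct Warning entries from the log for review. The function names and the sample log excerpt are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent rkhunter.conf edits
# plus log triage, for use from Rescue Mode after the disk is mounted.

# configure_rkhunter CONF MOUNTPOINT
# Same settings the post applies with sed, but safe to re-run and with the
# USER_FILEPROP_FILES_DIRS entry appended rather than inserted at line 542
# (a fixed line number breaks if the packaged config changes length).
configure_rkhunter() {
  conf=$1; mnt=$2
  sed -i 's|^WEB_CMD="/bin/false"|#WEB_CMD="/bin/false"|' "$conf"
  sed -i 's/^UPDATE_MIRRORS=0$/UPDATE_MIRRORS=1/' "$conf"
  sed -i 's/^MIRRORS_MODE=1$/MIRRORS_MODE=0/' "$conf"
  grep -q "^USER_FILEPROP_FILES_DIRS=$mnt/\*\$" "$conf" ||
    printf 'USER_FILEPROP_FILES_DIRS=%s/*\n' "$mnt" >> "$conf"
  # Comment out SCRIPTWHITELIST entries whose path is absent in the rescue
  # environment; rkhunter otherwise refuses to start (see the reply below
  # about /usr/bin/which.debianutils).
  grep '^SCRIPTWHITELIST=' "$conf" | cut -d= -f2- | while read -r p; do
    [ -e "$p" ] || sed -i "s|^SCRIPTWHITELIST=$p\$|#&|" "$conf"
  done
}

# log_warnings LOGFILE
# Print each distinct "Warning:" entry from rkhunter.log without its
# timestamp, so findings can be reviewed before anything is deleted.
log_warnings() {
  grep 'Warning:' "$1" | sed 's/^\[[^]]*\] *//' | sort -u
}

# make_sample_log PATH
# Constructed log excerpt in the style of rkhunter.log, for demonstration
# only (not output captured from any real system).
make_sample_log() {
  cat > "$1" <<'EOF'
[10:15:01] Checking for rootkits...
[10:15:02] Warning: Hidden directory found: /media/sda/dev/.udev
[10:15:03]   /media/sda/usr/bin/ls                              [ OK ]
[10:15:04] Warning: Hidden directory found: /media/sda/dev/.udev
[10:15:05] Warning: The file properties have changed: File: /media/sda/usr/bin/ssh
[10:15:06] System checks summary
EOF
}
```

Typical use in Rescue Mode: `configure_rkhunter /etc/rkhunter.conf /media/sda`, then the mount, update, propupd and check commands from the post, then `log_warnings /var/log/rkhunter.log`.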

2 Replies

One thing I would like to add to the above post is that if you're running a cPanel instance, there is a slight variation to the commands. Instead, you will want to run the following:

apt update
apt install rkhunter -y
sed -i 's/WEB_CMD="\/bin\/false"/#WEB_CMD="\/bin\/false"/' /etc/rkhunter.conf
sed -i 's/UPDATE_MIRRORS=0/UPDATE_MIRRORS=1/' /etc/rkhunter.conf
sed -i 's/MIRRORS_MODE=1/MIRRORS_MODE=0/' /etc/rkhunter.conf
sed -i '542 i USER_FILEPROP_FILES_DIRS=/usr/local/cpanel/scripts/*' /etc/rkhunter.conf
mkdir -p /usr/local/cpanel/scripts
mount -o barrier=0 /dev/sda /usr/local/cpanel/scripts
rkhunter --update
rkhunter --propupd
rkhunter --check --sk

I'll add the disclaimer that I am not personally a cPanel user, but I did test this configuration with the Finnix image and was able to run RKHunter successfully on a Linode with cPanel installed.

Using the rescue mode, I was getting the following error:

Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/which.debianutils

I solved it by using vi /etc/rkhunter.conf and commenting out the line that said:

SCRIPTWHITELIST=/usr/bin/which.debianutils
