Prerequisites
Before scanning for rootkits, make sure you have:
- SSH access to your VPS
- Root or sudo privileges
Method 1: Install and Run rkhunter
Connect to your VPS:
ssh hxroot@YOUR_SERVER_IP -p 22
sudo apt update
sudo apt install rkhunter -y
Update rkhunter database:
sudo rkhunter --update
Run scan:
sudo rkhunter --check
Skip prompts for automated scanning:
sudo rkhunter --check --skip-keypress
Method 2: Install and Run chkrootkit
sudo apt install chkrootkit -y
sudo chkrootkit
Method 3: Install and Run ClamAV (Virus Scanner)
sudo apt install clamav clamav-daemon -y
sudo freshclam # Update virus definitions (if it reports the log is locked, the clamav-freshclam service installed with clamav-daemon is already updating in the background; stop it first with: sudo systemctl stop clamav-freshclam)
sudo clamscan -r / --exclude-dir=/proc --exclude-dir=/sys --exclude-dir=/dev --quiet --infected
Method 4: Check for Suspicious Processes
ps aux | awk '$3>10.0' # Processes using >10% CPU
ps aux | grep -E '\./|\.(py|pl|sh)\b' | grep -v grep # Scripts or ./binaries (dots escaped: an unescaped "." matches any character, and the grep itself is filtered out)
Method 5: Check for Unauthorized SSH Keys
find /home /root -name "authorized_keys" -print -exec cat {} \; # Prints each file's path, then its keys (root's keys live outside /home)
Method 6: Check for Suspicious Cron Jobs
for user in $(cut -f1 -d: /etc/passwd); do echo "=== $user ==="; crontab -u "$user" -l 2>/dev/null; done # Per-user crontabs only; also review /etc/crontab and /etc/cron.d
Method 7: Check for Hidden Processes (unhide)
sudo apt install unhide -y
sudo unhide proc
Schedule Weekly Rootkit Scans
sudo crontab -e
Add this line (sending the report needs the mail command, provided on Debian/Ubuntu by the mailutils package, and a working mail setup):
0 4 * * 0 /usr/bin/rkhunter --check --skip-keypress --report-warnings-only | mail -s "Rootkit Scan $(hostname)" admin@example.com
✅ Rootkit scan completed. Any warnings should be investigated immediately.