Using RKHunter on your Linode to scan for malicious software

Linode Staff

Linode recommends the use of RKHunter to scan your Linode for malicious software. This may be necessary in case you detect suspicious activity on your Linode.

To run an RKHunter scan on your Linode, you will first need to boot your Linode into Rescue Mode as described here:

Once you boot into Rescue Mode, you can then run the below set of commands to install and run RKHunter on your Linode. These commands assume that your Linode's root device is /dev/sda, so please edit and expand these mounting instructions as necessary depending on your Linode's configuration to ensure that the scan thoroughly covers all of your Linode's filesystems.

```sh
apt update
apt install rkhunter -y
# Debian ships WEB_CMD="/bin/false", which blocks downloads; comment it out so rkhunter can fetch its data files.
sed -i 's/WEB_CMD="\/bin\/false"/#WEB_CMD="\/bin\/false"/' /etc/rkhunter.conf
# Fetch updates from the mirror list, and allow any mirror (MIRRORS_MODE=0).
sed -i 's/UPDATE_MIRRORS=0/UPDATE_MIRRORS=1/' /etc/rkhunter.conf
sed -i 's/MIRRORS_MODE=1/MIRRORS_MODE=0/' /etc/rkhunter.conf
# Include the mounted disk in the file-properties check (inserted at line 542 of the config file).
sed -i '542 i USER_FILEPROP_FILES_DIRS=/media/sda/*' /etc/rkhunter.conf
# Mount the Linode's root device where rkhunter will scan it.
mkdir -p /media/sda
mount -o barrier=0 /dev/sda /media/sda
rkhunter --update       # refresh rkhunter's data files
rkhunter --propupd      # build the file-properties database
rkhunter --check --sk   # run the scan, skipping the keypress prompts
```

The last command will initiate the RKHunter scan, which will take several moments depending on the size of your Linode's disks.

After it is complete, RKHunter will store the results of its scan in /var/log/rkhunter.log. You will then need to review this log file to see what suspicious files RKHunter detected, taking appropriate action to remove them from your Linode using the rm commands (or comparable file deletion commands).

After performing these steps, you can resume the normal operations of your Linode by simply rebooting it from Cloud Manager. Your Linode will leave Rescue Mode and re-enter its usual operating environment.

6 Replies

One thing I would like to add to the above post is that if you're running a cPanel instance, there is a slight variation to the commands. Instead, you will want to run the following:

```sh
apt update
apt install rkhunter -y
# Debian ships WEB_CMD="/bin/false", which blocks downloads; comment it out so rkhunter can fetch its data files.
sed -i 's/WEB_CMD="\/bin\/false"/#WEB_CMD="\/bin\/false"/' /etc/rkhunter.conf
# Fetch updates from the mirror list, and allow any mirror (MIRRORS_MODE=0).
sed -i 's/UPDATE_MIRRORS=0/UPDATE_MIRRORS=1/' /etc/rkhunter.conf
sed -i 's/MIRRORS_MODE=1/MIRRORS_MODE=0/' /etc/rkhunter.conf
# Point the file-properties check at the cPanel scripts path (inserted at line 542 of the config file).
sed -i '542 i USER_FILEPROP_FILES_DIRS=/usr/local/cpanel/scripts/*' /etc/rkhunter.conf
# Mount the Linode's root device at that path so rkhunter scans it there.
mkdir -p /usr/local/cpanel/scripts
mount -o barrier=0 /dev/sda /usr/local/cpanel/scripts
rkhunter --update       # refresh rkhunter's data files
rkhunter --propupd      # build the file-properties database
rkhunter --check --sk   # run the scan, skipping the keypress prompts
```

I'll add the disclaimer that I am not personally a cPanel user, but I did test this configuration with the Finnix image and was able to run RKHunter successfully on a Linode with cPanel installed.

Using Rescue Mode, I was getting the following error:

```
Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/which.debianutils
```

I solved it by using `vi /etc/rkhunter.conf` and commenting out the line that said:

```
SCRIPTWHITELIST=/usr/bin/which.debianutils
```
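Putting the staff procedure above and the SCRIPTWHITELIST fix from this reply together, here is an added example (not code from Linode or from anyone in this thread) that edits the config the same way but appends the USER_FILEPROP_FILES_DIRS line instead of inserting at a fixed line number, comments out any SCRIPTWHITELIST path that does not exist in the rescue environment, and pulls the Warning lines out of the log. It assumes GNU sed; the config file, log file and the `/nonexistent/...` path at the bottom are constructed for the demo and are not real rkhunter output.

```sh
#!/bin/sh
# Added example (not Linode's own commands). Prepares rkhunter.conf for a
# Rescue Mode scan of a root filesystem mounted at SCAN_DIR, then pulls the
# warnings out of the log. Assumptions: GNU sed (-i), and the config file
# uses the same keys the post edits.
set -eu

# configure_rkhunter_conf CONF SCAN_DIR
configure_rkhunter_conf() {
    conf="$1"; scan_dir="$2"
    sed -i 's|^WEB_CMD="/bin/false"|#WEB_CMD="/bin/false"|' "$conf"
    sed -i 's/^UPDATE_MIRRORS=0/UPDATE_MIRRORS=1/' "$conf"
    sed -i 's/^MIRRORS_MODE=1/MIRRORS_MODE=0/' "$conf"
    # The "Non-existent pathname" error from the replies: comment out every
    # SCRIPTWHITELIST entry whose path is absent from the rescue environment.
    grep '^SCRIPTWHITELIST=' "$conf" | cut -d= -f2- | while read -r p; do
        [ -e "$p" ] || sed -i "s|^SCRIPTWHITELIST=$p\$|#&|" "$conf"
    done
    # Append instead of 'sed 542 i': a fixed line number silently inserts
    # nothing when the file is shorter than that.
    grep -q "^USER_FILEPROP_FILES_DIRS=$scan_dir/" "$conf" \
        || printf 'USER_FILEPROP_FILES_DIRS=%s/*\n' "$scan_dir" >> "$conf"
}

# scan_log_warnings LOG: print rkhunter's Warning lines, one per line.
scan_log_warnings() {
    grep 'Warning:' "$1" || true
}

# --- constructed demo inputs (not a real rkhunter.conf or log) ---
DEMO_DIR=$(mktemp -d)
DEMO_CONF="$DEMO_DIR/rkhunter.conf"
DEMO_LOG="$DEMO_DIR/rkhunter.log"
cat > "$DEMO_CONF" <<'EOF'
WEB_CMD="/bin/false"
UPDATE_MIRRORS=0
MIRRORS_MODE=1
SCRIPTWHITELIST=/bin/sh
SCRIPTWHITELIST=/nonexistent/which.debianutils
EOF
cat > "$DEMO_LOG" <<'EOF'
[12:00:01] Info: Starting test name 'filesystem'
[12:00:02] Warning: Suspicious file types found in /dev: (constructed)
[12:00:03] Warning: Hidden directory found: /media/sda/etc/.hidden (constructed)
[12:00:04] Info: Checking for hidden files and directories
EOF
configure_rkhunter_conf "$DEMO_CONF" /media/sda
scan_log_warnings "$DEMO_LOG"
```

In Rescue Mode you would call `configure_rkhunter_conf /etc/rkhunter.conf /media/sda` after mounting the disk and before `rkhunter --update`, then run `scan_log_warnings /var/log/rkhunter.log` once the check finishes.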

I installed RKHunter and scanned the server.

But I couldn't connect to the server in Rescue Mode.
How can I connect? I've added my local SSH public key to authorized_keys on the server in Rescue Mode.

After scanning and detecting the malware, would removing it be a good solution for future issues?
Or is it better to reinstall the system and move the projects to it?

> But I couldn't connect to the server in Rescue Mode.
> How can I connect? I've added my local SSH public key to authorized_keys on the server in Rescue Mode.

When you boot to Rescue Mode, you are not running your installed Linux distro. You are running a special memory-based distro called Finnix. The Rescue Mode distro doesn't have any networking support built in. The only way to interact with rescue mode is through the lish/glish console.

-- sw

@parmonov98 -

@stevewi is correct that the Finnix environment does not have SSH enabled by default. The Lish Console will be the easiest way to connect to your Linode while in Rescue Mode.

However, it is possible to enable SSH access by following the steps in the Starting SSH section of the Rescue Mode guide.

You'll need to first establish a root password for the Finnix environment using the `passwd` command, and then enable the SSH service using `service ssh start`. These commands would be run from the Lish console.

While performing the initial `apt update`, I got an error about the public keys not being signed. This was resolved by:

```sh
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys [the public key specified]
```
