Scanning for rootkits

To run your scan, use the -c option. (That's -c for check.) Be patient, because it will take a while:

sudo rkhunter -c

When you run the scan in this manner, Rootkit Hunter will periodically stop and ask you to hit the Enter key to continue. When the scan completes, you'll find an rkhunter.log file in the /var/log directory.

To have Rootkit Hunter automatically run as a cron job, you'll want to use the --cronjob option, which will cause the program to run all the way through without prompting you to keep hitting the Enter key. You might also want to use the --rwo option, which will cause the program to only report warnings, instead of also reporting on everything that's good. From the command line, the command would look like this:

sudo rkhunter -c --cronjob --rwo

To create a cron job that will automatically run Rootkit Hunter on a nightly basis, open the crontab editor for the root user:

sudo crontab -e -u root

Let's say that you want to run Rootkit Hunter every night at 20 minutes past 10. Enter this into the crontab editor:

20 22 * * * /usr/bin/rkhunter -c --cronjob --rwo

Since cron only works with 24-hour clock time, you'll have to express 10:00 P.M. as 22. (Just add 12 to the normal P.M. clock times that you're used to using.) The three asterisks mean that the job will run every day of the month, every month of the year, and every day of the week, respectively. You'll need to list the entire path for the command; otherwise, cron won't be able to find it.
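As an added example (not from the book), here are a few shell helpers around that nightly job: cron_fields() does the 12-hour to cron-field conversion described above, crontab_line() emits the exact entry the text uses, and warning_count() counts the Warning lines that --rwo leaves in the log. The sample log is constructed, modelled on rkhunter's "[HH:MM:SS] Level: message" line format rather than captured from a real run.

```shell
#!/bin/sh
# Added example, not from the book or the rkhunter project.

# cron_fields "10:20 PM"  ->  "20 22"  (minute field, then 24-hour hour field)
cron_fields() {
    clock=${1%% *}                 # "10:20"
    meridiem=${1##* }              # "PM"
    hour=${clock%%:*}
    minute=${clock#*:}
    hour=${hour#0}                 # "08" would be read as octal by $(( ))
    hour=$((hour % 12))            # 12 AM -> 0; 12 PM -> 0, then +12 below
    case $meridiem in
        [Pp][Mm]) hour=$((hour + 12)) ;;
    esac
    printf '%s %d\n' "$minute" "$hour"
}

# crontab_line "10:20 PM" -> the full line to paste into `sudo crontab -e -u root`,
# using the absolute path that cron needs to find the program.
crontab_line() {
    printf '%s * * * /usr/bin/rkhunter -c --cronjob --rwo\n' "$(cron_fields "$1")"
}

# warning_count LOGFILE -> number of "Warning:" lines in an rkhunter log.
# grep -c still prints 0 when nothing matches, but exits 1; || true keeps
# a `set -e` cron wrapper from aborting on a clean scan.
warning_count() {
    grep -c 'Warning:' "$1" || true
}

# sample_log -> path of a constructed log file (two warnings, two info lines).
sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[22:20:01] Info: Starting the Rootkit Hunter checks
[22:20:03] Warning: The file properties have changed: /usr/bin/ls
[22:20:04] Info: No rootkits found
[22:20:05] Warning: Hidden directory found: /etc/.java
EOF
    echo "$f"
}

# Called with --run from cron, this scans and then exits non-zero when the
# log holds warnings, so the cron mail carries a clear signal.
if [ "${1:-}" = "--run" ]; then
    /usr/bin/rkhunter -c --cronjob --rwo
    [ "$(warning_count /var/log/rkhunter.log)" -eq 0 ]
fi
```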

You'll find more options that might interest you in the rkhunter man page, but this should be enough to get you going with it.

Next, let's look at a couple of quick techniques for analyzing malware.
