I made an animated gif showing what happens when rkhunter is run. ** **Unfortunately the gif is too large to post and hotlinking to 'my files' on Opera website is, as far as I know, forbidden. Info taken from rkh wiki:- http://rkhunter.wiki.sourceforge.net/MPRKH?token=c27c108089f0ad3a69632511cffb61e0 These are the commands used:- sudo rkhunter -- propupd (Means update your system file properties. This is a necessary step to establish a foundation database file to compare scans.) Must be run before scan. sudo rkhunter --update (The update command requires net access. It is highly recommended that no net access is allowed until you have completed the PROPUPD command. So the correct order is propupd and then update commmands. Updates are very infrequent)) Then the scan:- sudo rkhunter -c -sk If you get Warnings re. hidden directories/files found, and you are sure they are false positives, then uncomment them in etc/rkhunter.conf (as root) eg. Warning: Hidden directory found: /dev/.udev ALLOWHIDDENDIR=/dev/.udev (remove the hash # before ALLOWHIDDENDIR) I had to allow this one - it is a known 'false positve' ALLOWDEVFILE=/dev/shm/pulse-shm-* I have just tried this for the second time, fortunately all is OK, but I think it would be 'tickets' if a rootkit was found i.e. - reinstall.