Suspect Files Warning

This how to helps you to learn to deal with rkhunter suspect files warning. Rkhunter could for example report suspect files after a software update, but also in case of a materialization of the cyber risks you are facing. 

rkhunter Suspect Files

rkhunter Suspect Files Warning

Index Of How To rkhunter Suspect Files Warning


This how to assumes that you received a notification of suspect files by rkhunter or you found this in rkhunter‘s logfile. In the logfile it could look like this:

[06:27:41] System checks summary
[06:27:41] =====================
[06:27:41] File properties checks...
[06:27:41] Files checked: 144
[06:27:41] Suspect files: 5

Alternatively, if you have activated email notifications, you maybe received an email that potentially could look like this

rkhunter spspect files

rkhunter spspect files

How To rkhunter Suspect Files Warning

Receiving rkhunter messages like the above is a typical scenario after for example Debian automatically updated the operating system. Nevertheless, since rkhunter is a portion of your cyberdefense, you should better verify. To do so, this how to guides you thru an example how you can do this.

Check Logfiles

First of all, you like to check your logfile to find out whether indeed there was an operating systems update. Debian Linux auto updates are typically stored in the history.log. Simply read it and you will find out whether there was recently an update. Running the below command

more /var/log/apt/history.log

The outcome could for example look like this:
Start-Date: 2023-03-25  04:49:46
Commandline: /usr/bin/apt-get -o quiet=1 dist-upgrade -y -o APT::Get::Show-Upgraded=true
Upgrade: tzdata:amd64 (2021a-0+deb10u8, 2021a-0+deb10u10)
End-Date: 2023-03-25  04:49:48

Start-Date: 2023-03-30  04:19:26
Commandline: /usr/bin/apt-get -o quiet=1 dist-upgrade -y -o APT::Get::Show-Upgraded=true
Upgrade: libunbound8:amd64 (1.9.0-2+deb10u2, 1.9.0-2+deb10u3)
End-Date: 2023-03-30  04:19:27

Start-Date: 2023-03-31  04:17:52
Commandline: /usr/bin/apt-get -o quiet=1 dist-upgrade -y -o APT::Get::Show-Upgraded=true
Upgrade: libsystemd0:amd64 (241-7~deb10u8, 241-7~deb10u9), udev:amd64 (241-7~deb10u8, 241-7~deb10u9), libmicrohttpd12:amd64 (0.9.62-
1, 0.9.62-1+deb10u1), libudev1:amd64 (241-7~deb10u8, 241-7~deb10u9), systemd-sysv:amd64 (241-7~deb10u8, 241-7~deb10u9), libmicrohttp
d-dev:amd64 (0.9.62-1, 0.9.62-1+deb10u1), libpam-systemd:amd64 (241-7~deb10u8, 241-7~deb10u9), systemd:amd64 (241-7~deb10u8, 241-7~d
eb10u9), libnss-systemd:amd64 (241-7~deb10u8, 241-7~deb10u9)
End-Date: 2023-03-31  04:18:15

With this information in hand, you are in a good position to compare now to rkhunter logs / email notification. Keep the window with this open move to the next chapter „Check rkhunter Log“

Check rkhunter Log

Best is to open a new terminal window. This allows to compare the logs of the above and what is in the log of khunter. Run the following command:

cat rkhunter.log | grep Warning

This should output something like the below:
[06:27:06]   /usr/sbin/init                                  [ Warning ]
[06:27:07] Warning: The file properties have changed:
[06:27:08]   /usr/sbin/runlevel                              [ Warning ]
[06:27:08] Warning: The file properties have changed:
[06:27:24]   /usr/bin/systemd                                [ Warning ]
[06:27:24] Warning: The file properties have changed:
[06:27:24]   /usr/bin/systemctl                              [ Warning ]
[06:27:24] Warning: The file properties have changed:
[06:27:27]   /usr/lib/systemd/systemd                        [ Warning ]
[06:27:27] Warning: The file properties have changed:

Having this in hand now, you can compare the two logfiles for items that match.


The two above log files can now be compared. If you opened them in two different terminal windows, than this might be more easy. In the two above, as an example, its pretty easy to identify that for example „systemd“ was updated. Looking into the rkhunter.log systemd can be found too. This is a good hit!

What does it mean? Basically, Debian has updated systemd and therefore most likely the hash value of the systemd file changed. rkhunter has found this out and prints a warning. This is perfect! If however you cannot find any indication of updates being made, than you potentially indeed have a security issue. In this case, you should more deep dive analyse your system!

Fix The rkhunter Warning

To fix the rkhunter Warning, you need to update the rkhunter database. I recommend to do this together with updating rkhunter itself. to do so, run the following command:

rkhunter --update --propupd

Additional Information

There are various sources in the internet that allow you to further deep dive into the rkhunter specifics. In the below you find some links that maybe help you:

  • Rkhunter Linux man page – man page including rkhunter description and command options
  • Debian Linux rkhunter man page – specific Debian Linux man page about rkhunter 

Follow me

It would be amazing if you follow my To my blog is actually easy! You can leverage on

  • Click to follow me on Twitter
  • Bookmark this page and comeback from time to time

Help and Comments

I am really looking forward for you to contact me if for example you found a better option or other idea then in this how to. Also, please touch base if you found an error or anything not working or if you have something that you would love to be added to the Simply click this link to touch base with me.

Linking Or Recommending The How To Or The

I would love to see you are recommending this how to or link it to your website. Also, I would love if you link or recommend the whole Please feel free to do so! In case you like to touch base regarding this topic with me, then simply click this link. I look forward!