[1] It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories used by rootkits, wrong permissions, hidden files and suspicious strings in kernel modules, and running special tests for Linux and FreeBSD.
rkhunter is notable due to its inclusion in popular operating systems (Fedora,[2] Debian,[3] etc.).
The tool is written in Bourne shell to allow for portability.
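Three of the checks listed above (hash comparison, wrong permissions, hidden files) can be sketched in POSIX shell. This is an added example, not rkhunter's own code: it compares against a locally generated baseline rather than an online database, and the function names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not rkhunter code): hash, permission and hidden-file checks.
sha1_of() {   # print the SHA-1 of file $1
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum -a 1 "$1"; fi |
        cut -d' ' -f1
}

make_baseline() {   # print "hash  ./path" for every regular file under $1
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(sha1_of "$f")" "$f"
    done )
}

known() {   # succeed if path $1 is a file, or a parent directory, listed in baseline $2
    cut -c43- "$2" | grep -qxF "$1" || grep -qF "  $1/" "$2"
}

audit() {   # audit ROOT BASELINE: one finding per line, no output when clean
    root=$1 baseline=$2
    # 1. Compare each file's SHA-1 with the known-good value.
    while read -r want path; do
        if [ ! -f "$root/$path" ]; then echo "MISSING $path"
        elif [ "$(sha1_of "$root/$path")" != "$want" ]; then echo "CHANGED $path"
        fi
    done < "$baseline"
    # 2. Wrong permissions: world-writable regular files.
    ( cd "$root" && find . -type f -perm -0002 | sort | sed 's/^/WORLD_WRITABLE /' )
    # 3. Hidden files and directories the baseline does not account for.
    ( cd "$root" && find . -name '.*' ! -name . | sort ) | while IFS= read -r h; do
        known "$h" "$baseline" || echo "HIDDEN $h"
    done
}

demo() (   # constructed sample tree, baselined while clean and then altered
    umask 022
    t=$(mktemp -d) || exit 1
    mkdir -p "$t/root/bin" "$t/root/etc"
    echo 'original ls' > "$t/root/bin/ls"
    echo 'original ps' > "$t/root/bin/ps"
    echo 'setting=1'   > "$t/root/etc/app.conf"
    make_baseline "$t/root" > "$t/baseline"
    echo 'replaced ls' > "$t/root/bin/ls"      # content changed
    rm "$t/root/bin/ps"                        # file removed
    chmod 666 "$t/root/etc/app.conf"           # permissions loosened
    echo x > "$t/root/etc/.cache"              # hidden file added
    audit "$t/root" "$t/baseline"
    rm -rf "$t"
)
demo
```

A baseline is only trustworthy if it is taken from a known-good system and stored where the audited host cannot modify it.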
In 2003, developer Michael Boelen released the version of Rootkit Hunter.
Since that time eight people have been working to set up the project properly and work towards the much-needed maintenance release.