Backdoors in systems can take many forms - from hidden administrator accounts to scheduled tasks running malicious scripts. When inheriting a network infrastructure, assume nothing is trustworthy until verified. The most common backdoor vectors include:
- SSH authorized_keys with unknown public keys
- Cron jobs or scheduled tasks running obscure scripts
- Obscure services listening on non-standard ports
- Modified sudoers files with excessive privileges
- Setuid binaries with unexpected functionality
Start with a thorough examination of user accounts and authentication mechanisms:
# List system accounts (UID below 1000); review any you do not recognise
awk -F: '($3 < 1000) {print $1}' /etc/passwd
# Verify SSH authorized keys (root's home is not under /home, so include it)
for home in /root /home/*; do
    [ -f "$home/.ssh/authorized_keys" ] || continue
    echo "Checking $home:"
    cat "$home/.ssh/authorized_keys"
done
# Audit sudoers configuration (visudo -c only checks syntax; still read
# /etc/sudoers and every file in /etc/sudoers.d/ by hand)
visudo -c
Examine all listening services and their configurations:
# List all listening ports and associated processes
# (netstat is deprecated on current distributions; ss -tulnp is the equivalent)
sudo netstat -tulnp
# Detailed service inspection (Linux)
systemctl list-units --type=service --all
# Windows equivalent
Get-Service | Where-Object {$_.Status -eq "Running"}
Create a script to monitor for suspicious activities:
#!/bin/bash
# Backdoor detection script (run as root; the log should be readable by root only)
LOG_FILE="/var/log/backdoor_audit.log"
# Check for setuid binaries
echo "[$(date)] Checking setuid binaries" >> "$LOG_FILE"
find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null >> "$LOG_FILE"
# Verify crontab entries (per-user crontabs; also review /etc/crontab,
# /etc/cron.d/ and the /etc/cron.{hourly,daily,weekly,monthly} directories)
echo "[$(date)] Checking cron jobs" >> "$LOG_FILE"
for user in $(cut -f1 -d: /etc/passwd); do
    crontab -u "$user" -l 2>/dev/null >> "$LOG_FILE"
done
When you find potential backdoors:
- Document everything with timestamps
- Isolate affected systems from the network
- Rotate all credentials (SSH keys, database passwords, etc.)
- Rebuild compromised systems from known-good backups
- Implement continuous monitoring
After cleaning up, establish safeguards:
# Sample intrusion detection rule (Snort). SSH traffic is encrypted after the
# key exchange, so a content match on port 22 can only hit the cleartext
# banner/version exchange; treat this as a template, not a finished rule.
alert tcp any any -> $HOME_NET 22 (msg:"Possible SSH backdoor attempt"; content:"admin"; nocase; sid:1000001; rev:1;)
# Linux auditd rules for critical files (watch writes and attribute changes)
-w /etc/passwd -p wa -k user_accounts
-w /etc/sudoers -p wa -k privilege_escalation
When taking over system administration from a previous IT team, especially under contentious circumstances, backdoor detection should be your top priority. These hidden access points can range from simple SSH keys to sophisticated rootkits.
Start with comprehensive network scanning using tools like Nmap:
# Scan for open ports and services (-sS and -O need root; target_ip is a placeholder)
nmap -sS -sV -O -T4 -p- target_ip
# Check for unusual listening ports (or: ss -tulnp)
netstat -tulnp
Examine all user accounts, especially those with elevated privileges:
# List all users with UID 0 (root equivalent)
awk -F: '($3 == 0) {print}' /etc/passwd
# Check sudoers (and the drop-in directory) for unusual entries, skipping comments and blank lines
grep -Ev '^\s*(#|$)' /etc/sudoers /etc/sudoers.d/* 2>/dev/null
Unauthorized SSH keys are common backdoors:
# Check authorized_keys files anywhere on the system
find / -name "authorized_keys" -exec ls -la {} \; 2>/dev/null
# Verify SSH config for unusual settings (non-comment lines of the file,
# then the effective configuration as sshd actually resolves it)
grep -Ev '^\s*(#|$)' /etc/ssh/sshd_config
sshd -T
Malicious cron jobs can maintain persistence:
# List all per-user cron jobs (users without a crontab are silently skipped;
# also review /etc/crontab and /etc/cron.d/)
for user in $(cut -f1 -d: /etc/passwd); do crontab -u "$user" -l 2>/dev/null; done
Implement real-time monitoring for critical files:
# Basic tripwire-like functionality: record a baseline of the core binaries
# (sha256sum works the same way and is the better choice for a new baseline)
find /bin /sbin /usr/bin /usr/sbin -type f -exec md5sum {} \; > /root/bin_checksums.md5
# Later, re-verify against the baseline; only mismatches and missing files are printed
md5sum -c --quiet /root/bin_checksums.md5
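The detection script earlier on this page and the tripwire-like checksum idea both come down to the same step: take a baseline, then compare the live tree against it. The script below is an added example written for this page, not code from the original text; the function names make_baseline and check_baseline and the baseline path in the usage comment are my own choices.

```shell
#!/bin/bash
# File-integrity baseline and check (added example; helper names are my own).
# Usage:
#   ./fim.sh baseline /root/bin_baseline.sha256 /bin /sbin /usr/bin /usr/sbin
#   ./fim.sh check    /root/bin_baseline.sha256 /bin /sbin /usr/bin /usr/sbin
# Keep the baseline off the host (or on read-only media): whoever can replace
# the binaries can also rewrite a baseline stored next to them.

# make_baseline <baseline_file> <dir>...  : SHA-256 of every regular file
make_baseline() {
    local out=$1; shift
    find "$@" -type f -print0 | sort -z | xargs -0 -r sha256sum > "$out"
}

# check_baseline <baseline_file> <dir>...  : prints changed/missing files
# (via sha256sum -c) and NEW files; returns 0 only on an exact match
check_baseline() {
    local base=$1; shift
    local rc=0 known current
    known=$(mktemp); current=$(mktemp)
    # --quiet suppresses the per-file OK lines, so only "FAILED" (content
    # changed) and "FAILED open or read" (deleted/unreadable) are printed
    sha256sum -c --quiet "$base" 2>/dev/null || rc=1
    # Files present now but absent from the baseline. The baseline line is
    # "<hash>  <path>" (two spaces), so the path is field 3 onwards.
    cut -d' ' -f3- "$base" | sort > "$known"
    find "$@" -type f | sort > "$current"
    if comm -13 "$known" "$current" | grep -q .; then
        comm -13 "$known" "$current" | sed 's/^/NEW /'
        rc=1
    fi
    rm -f "$known" "$current"
    return "$rc"
}

case "${1:-}" in
    baseline) shift; make_baseline "$@" ;;
    check)    shift; check_baseline "$@" ;;
esac
```

Run the check from cron or a systemd timer and alert on a non-zero exit; a change to a core binary outside a package upgrade window is exactly the signal the page's "tripwire-like" step is meant to catch.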
Check for malicious kernel modules:
# List loaded kernel modules
lsmod
# Show the signature fields of every loaded module. The original loop walked
# /lib/modules/$(uname -r)/kernel, which contains directories, not module
# names, so modinfo failed on every entry; iterate over lsmod output instead.
for module in $(lsmod | awk 'NR > 1 {print $1}'); do
    echo "== $module"
    modinfo "$module" 2>/dev/null | grep -E '^(signer|sig_key|sig_hashalgo)'
done
# A non-zero taint value means an out-of-tree, unsigned or force-loaded module was seen
cat /proc/sys/kernel/tainted
Consider using specialized tools:
- Lynis for system hardening checks
- Rkhunter for rootkit detection
- Chkrootkit for common rootkit signatures
After cleanup, implement these security practices:
# Example: Harden SSH configuration
# Do not append to sshd_config: sshd uses the first value it finds for each
# keyword, so a line added at the end is ignored when the keyword already
# appears earlier (or inside a Match block). Put the settings in a drop-in
# file if your sshd_config has the "Include /etc/ssh/sshd_config.d/*.conf"
# line (OpenSSH 8.2+); otherwise edit the existing lines in place.
printf 'PermitRootLogin no\nPasswordAuthentication no\n' > /etc/ssh/sshd_config.d/99-hardening.conf
# Validate before restarting, and keep an existing session open until a new login works
sshd -t && systemctl restart sshd