You can try to look for backdoors implanted in your Linux system using this guide. This is by no means a comprehensive list of things to look for or try.
This is not meant for general use
This guide is mostly meant for competitions like CCDC and CyberPatriot. If you think your device has been compromised, immediately turn off your device, make a backup of important data on the hard drive, then perform a full wipe and OS reinstallation. You should not be looking for the backdoor, as sophisticated backdoors are often very hard to locate and remove.
- Look for unidentified SSH keys in `/home/*/.ssh/authorized_keys` and `/root/.ssh/authorized_keys`. You may also want to set `PermitRootLogin no` in `/etc/ssh/sshd_config` unless you absolutely need root access over SSH (if so, use `PermitRootLogin prohibit-password` and a strong algorithm, e.g., ED25519 or RSA 4096).
- Check enabled systemd unit files (e.g., services, timers) via `sudo systemctl list-unit-files --state=enabled`.
- Check user crontabs in `/var/spool/cron/crontabs`. Be alarmed if you ever see a root crontab (you should be using systemd timers anyway).
- Check system cron jobs in `/etc/cron.{d,hourly,daily,weekly,monthly}` (`ls /etc/cron*`).
- Manually inspect `~/.bashrc` and profiles (also `/etc/profile`) for suspicious commands.
- Check what processes are listening on ports using `ss -tulpen` (or `netstat -tulpen`).
- Check what process is listening on a specific port using `lsof -i :$PORT`.
- Check the output of `ps axjf` and look for suspicious processes.
- Verify package integrity (e.g., `debsums`).
- Check the PAM config in `/etc/pam.d` for authentication bypasses, special passwords, etc. Also pay attention to `pam_exec.so`, which can execute external commands (e.g., to leak passwords).
- Check `/etc/passwd`, `/etc/shadow`, and `/etc/group` for unauthorized sudoers, rogue root users (UID 0), and groups (GID 0).
- Check the sudoers file at `/etc/sudoers` and also look for overrides in `/etc/sudoers.d`.
- Look for suspicious setuid binaries via `find / -perm -4000 -type f`.
- Look for suspicious file ACLs using `getfacl`. If you have never used `setfacl` before, then the presence of any file ACL is a sign of compromise (unless it's set by the system). `ls` also shows whether a file has an ACL or not (via a checkmark IIRC).
- Use tools such as LinPEAS and Lynis to enumerate/audit the system.
- Use tools such as rkhunter to look for common rootkits. They are usually not very effective.
- Sniff traffic leaving your computer while it is idle and look for anything unusual (e.g., suspected C2 traffic masquerading as absurdly large DNS queries/responses).
- Look into `/var/log/*` for suspicious log entries/actions (you might want to use some open-source tools to work with them).
- Look for BPF programs (`sudo bpftool prog list`).
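As an added example (not part of the original guide), the script below automates three of the checks above: UID 0 accounts other than root in a passwd file, supplementary members of GID 0 groups, and a per-line summary of `authorized_keys` entries (key type, comment, and any leading options such as `command=`). The functions take file paths, so they run against the constructed sample files it creates and, equally, against the real `/etc/passwd`, `/etc/group` and `authorized_keys` files; the sample key material is a placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the guide): audit passwd/group/authorized_keys data for
# UID 0 accounts other than root, members of GID 0 groups, and SSH key entries.
# Each function takes a file path, so it runs on the constructed samples below
# or on the real files (/etc/passwd, /etc/group, ~/.ssh/authorized_keys).

# Usernames with UID 0 that are not "root".
rogue_uid0() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Users listed as supplementary members of any GID 0 group.
gid0_members() {
  awk -F: '$3 == 0 && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# One line per key: type, comment, and whether options (command=, from=, ...) precede it.
# Simplification: an options field containing spaces inside quotes is only partially shown.
list_keys() {
  awk '
    /^[[:space:]]*(#|$)/ { next }
    {
      for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
      if (i > NF) { print "UNPARSED:", $0; next }
      comment = "(no comment)"
      if (i + 2 <= NF) { comment = $(i + 2); for (j = i + 3; j <= NF; j++) comment = comment " " $j }
      opts = (i > 1) ? "options=" $1 : "no-options"
      print $i, comment, opts
    }' "$1"
}

# Constructed sample files (placeholder key material, not real keys); prints the directory.
make_samples() {
  dir=$(mktemp -d)
  printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'alice:x:1000:1000:Alice:/home/alice:/bin/bash' \
    'backup2:x:0:0::/tmp:/bin/bash' > "$dir/passwd"
  printf '%s\n' 'root:x:0:alice' 'sudo:x:27:alice,bob' > "$dir/group"
  printf '%s\n' "# alice's laptop" \
    'ssh-ed25519 AAAAC3PLACEHOLDERKEYDATA alice@laptop' \
    'command="/usr/bin/true" ssh-rsa AAAAB3PLACEHOLDERKEYDATA' > "$dir/authorized_keys"
  printf '%s\n' "$dir"
}

d=$(make_samples)
echo "UID 0 accounts other than root:"; rogue_uid0 "$d/passwd"
echo "Members of GID 0 groups:"; gid0_members "$d/group"
echo "authorized_keys entries (type comment options):"; list_keys "$d/authorized_keys"
rm -rf "$d"
```

On the samples this flags `backup2` (a second UID 0 account), `alice` as a member of the root group, and an `ssh-rsa` key carrying a `command=` option with no comment.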