Security Memo

Search (Ctrl+K)

SearchSearch

Recent Notes

See 1423 more sorted by tag →

removing Linux backdoors

created Jan 08, 2024updated Oct 02, 20243 min read

You can try to look for backdoors implanted in your Linux system using this guide. This is by no means a comprehensive list of things to look for or try.

This is not meant for general use

This guide is mostly meant for competitions like CCDC and CyberPatriot. If you think your device has been compromised, immediately turn off your device, make a backup of important data on the hard drive, then perform a full wipe and OS reinstallation. You should not be looking for the backdoor, as sophisticated backdoors are often very hard to locate and remove.

  • Look for unidentified SSH keys in /home/*/.ssh/authorized_keys and /root/.ssh/authorized_keys. You may also want to set PermitRootLogin no in /etc/ssh/sshd_config unless you absolutely need to enable root access over SSH (if so, use PermitRootLogin prohibit-password and use a strong algorithm, e.g., ED25519 or RSA4096).
  • Check enabled systemd unit files (e.g., services, timers) via sudo systemctl list-unit-files --state=enabled.
  • Check user crontabs in /var/spool/cron/crontabs. Be alarmed if you ever see a root crontab (you should be using systemd timers anyway).
  • Check system cron jobs in /etc/cron.{d,hourly,daily,weekly,montly} (ls /etc/cron*).
  • Manually inspect ~/.bashrc and profiles (also /etc/profile) for suspicious commands.
  • Check what processes are listening on ports using ss -tulpen (or netstat -tulpen).
  • Check what processes are listening on a specific port using lsof -i :$PORT.
  • Check the output of ps axjf and look for suspicious processes.
  • Verify package integrity (e.g., debsums).
  • Check for PAM config in /etc/pam.d for authentication bypass, special passwords, etc. Also pay attention to pam_exec.so which could execute external commands (e.g., leak passwords, etc).
  • Check /etc/passwd, /etc/shadow , and /etc/group for unauthorized sudoers, rogue root users (UID 0), and groups (GID 0).
  • Check sudoers file at /etc/sudoers and also look for overides in /etc/sudoers.d.
  • Look for suspicious setuid binaries via find / -perm -4000 -type f.
  • Look for suspicious file ACL using getfacl. If you have never used setfacl before, then the presence of any file ACL is a sign of compromise (unless it’s set by the system). ls also shows whether a file has ACL or not (via a checkmark IIRC).
  • Use tools such as LinPEAS and Lynis to enumerate/audit the system.
  • Use tools such as rkhunter to look for common rootkits. They are usually not very effective.
  • Sniff traffic that is leaving your computer and look for anything unusual while the computer is idle (e.g., suspected C2 traffic masquerading as absurdly large DNS queries/responses).
  • Look into /var/log/* for suspicious log entries/actions (might want to use some open-source tools to work with them).
  • Look for BPF programs (sudo bpftool prog list).

Graph View

Backlinks

  • No backlinks found