7 Hidden Backdoors I’ve Found on Compromised Linux Servers (And How to Remove Them)
Intro:
Not all intrusions are loud. Some attackers sneak in, plant a backdoor, and leave — waiting for the perfect moment to return. During incident response on several Linux servers, I’ve found clever persistence mechanisms that most admins overlook. In this post, I’ll walk through seven backdoors I’ve personally discovered — and how to detect and eliminate them from your system.
1. SSH Keys Added to ~/.ssh/authorized_keys
Attackers often add their public key to existing users, especially root.
🔍 Check:
grep -r "" /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys 2>/dev/null
🛠 Fix:
- Remove unknown keys.
- Rotate legitimate keys.
- Restrict SSH to known IPs using AllowUsers or Match Address.
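The grep above shows every key, but it is up to you to spot the foreign one. The following helper, added here and not part of the original post, compares each authorized_keys entry against an allowlist of known keys (one "type blob" per line) and reports anything else, skipping option prefixes such as command="..." that attackers use to disguise an entry. The function name, the allowlist format and the sample key blobs are constructed for this example.

```shell
#!/bin/sh
# audit_authorized_keys FILE ALLOWLIST
#   FILE      : an authorized_keys file to audit
#   ALLOWLIST : known keys, one "type base64blob" per line (comment optional)
# Prints file:line for every key not on the allowlist, plus the comment field,
# and flags lines that carry no recognisable key type at all.
audit_authorized_keys() {
  awk -v allow="$2" '
    BEGIN {
      while ((getline line < allow) > 0) {
        n = split(line, f, " ")
        if (n >= 2) known[f[1] " " f[2]] = 1
      }
    }
    /^[ \t]*(#|$)/ { next }        # skip blank lines and comments
    {
      key = ""
      # locate the first field that looks like a key type so that leading
      # options (command="...", from="...", no-pty, ...) are ignored
      for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-|ecdsa-|sk-)/) { key = $i " " $(i + 1); break }
      if (key == "") { print FILENAME ":" FNR ": could not parse key"; next }
      if (!(key in known))
        print FILENAME ":" FNR ": UNKNOWN " key " comment=" $NF
    }' "$1"
}

# Constructed demo: one known key and one unknown key hidden behind a
# forced-command option. Real use:
#   audit_authorized_keys /root/.ssh/authorized_keys /etc/ssh/known_admin_keys
demo_key_audit() {
  tmp=$(mktemp -d)
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5KNOWN admin@laptop\n' > "$tmp/allow"
  {
    printf '# managed by config management\n'
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5KNOWN admin@laptop\n'
    printf 'command="/bin/true",no-pty ssh-rsa AAAAB3NzaC1yc2EUNKNOWN x@y\n'
  } > "$tmp/authorized_keys"
  audit_authorized_keys "$tmp/authorized_keys" "$tmp/allow"
  rm -rf "$tmp"
}
demo_key_audit
```

Run it as root over /root/.ssh/authorized_keys and each /home/*/.ssh/authorized_keys; an empty report means every key present is on your allowlist.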
2. Malicious Cron Jobs
Hidden jobs run malware every minute/hour.
🔍 Check:
for user in $(cut -f1 -d: /etc/passwd); do crontab -u "$user" -l 2>/dev/null; done
sudo cat /etc/crontab
sudo ls -al /etc/cron.*/*