How I Found a Hidden Backdoor User Account on My Ubuntu Server (And What I Did About It)
Intro: Even hardened servers can get quietly compromised — and sometimes the attackers don’t leave obvious signs like running malware or sending outbound traffic. In this post, I’ll share how I uncovered a stealthy backdoor user account on one of my Ubuntu servers, and the exact steps I took to detect, investigate, and lock it down.
1. Why I Started Investigating
I noticed subtle things:
- Slightly higher CPU usage at night
- Random login activity in auth.log during odd hours
- No traceable cron job or SSH brute-force activity
Something didn’t add up.
2. The Audit Command That Uncovered the Suspicion
I ran this:
cut -d: -f1,3 /etc/passwd | sort -t: -k2 -n | less
This helped me spot a new user with a UID above 1000 that I never created — suspiciously named backupadmin.
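To turn that one-off listing into a repeatable check, here is an added example (my own script, not the post's) that parses passwd-format lines the same way the cut/sort pipeline does, but also flags any non-root account with UID 0 and ignores service accounts whose shell is nologin/false. The passwd content and the allowlist are constructed for demonstration; point it at /etc/passwd in practice.

```shell
#!/bin/sh
# Added example, not from the original post. Audits passwd-format data for
# login-capable accounts that were not expected on the host.
# The sample below is constructed; replace with: SAMPLE_PASSWD="$(cat /etc/passwd)"
SAMPLE_PASSWD="$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backupadmin:x:1001:1001::/home/backupadmin:/bin/bash
sysbackup:x:0:0::/tmp:/bin/sh
EOF
)"

# Human accounts you expect on this server (assumed list; keep it out-of-band,
# e.g. in configuration management, so the host itself cannot rewrite it).
ALLOWED_USERS="alice"

# audit_passwd PASSWD_CONTENT ALLOWLIST
# Prints one finding per line:
#   UID0_NOT_ROOT   <name> <uid>  any account other than root with UID 0
#   UNEXPECTED_USER <name> <uid>  UID in the regular-user range (1000..65533)
#                                 with a usable shell and not on the allowlist
audit_passwd() {
  printf '%s\n' "$1" | awk -F: -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # fields: 1 = name, 3 = UID, 7 = login shell
    $3 == 0 && $1 != "root" { print "UID0_NOT_ROOT", $1, $3; next }
    $3 >= 1000 && $3 < 65534 && !($1 in ok) && $7 !~ /nologin|false$/ {
      print "UNEXPECTED_USER", $1, $3
    }'
}

# Number of findings, so a cron job or monitoring check can alert when > 0.
count_findings() {
  audit_passwd "$1" "$2" | wc -l | tr -d ' '
}

audit_passwd "$SAMPLE_PASSWD" "$ALLOWED_USERS"
```

Running this against the constructed data reports backupadmin as an unexpected user and sysbackup as a second UID-0 account; a clean host with an accurate allowlist prints nothing.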
3. Confirming Suspicious Activity
I checked recent logins:
lastlog | grep backupadmin