DEV Community

Faruk

Posted on • Originally published at Medium

How I Found a Hidden Backdoor User Account on My Ubuntu Server (And What I Did About It) | by Faruk Ahmed | Jun, 2025

Intro: Even hardened servers can get quietly compromised — and sometimes the attackers don’t leave obvious signs like running malware or sending outbound traffic. In this post, I’ll share how I uncovered a stealthy backdoor user account on one of my Ubuntu servers, and the exact steps I took to detect, investigate, and lock it down.

1. Why I Started Investigating

I noticed subtle things:

  • Slightly higher CPU usage at night
  • Random login activity in auth.log during odd hours
  • No traceable cron job or SSH brute-force activity

Something didn’t add up.

2. The Audit Command That Uncovered the Suspicion

I ran this:

cut -d: -f1,3 /etc/passwd | sort -t: -k2 -n | less

This helped me spot a new user with a UID above 1000 that I never created — suspiciously named backupadmin.

3. Confirming Suspicious Activity

I checked recent logins:

lastlog | grep backupadmin
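The two checks above (list accounts by UID, then look at who actually logged in as the suspect) can be turned into a small repeatable audit. The script below is an added example, not the author's own tooling: it parses passwd-format text, flags accounts that sit in the regular-user UID range (1000 and up on Ubuntu) but are not on your known-good list, along with any extra UID-0 accounts or shared UIDs, and then pulls the matching `Accepted` SSH events out of auth.log lines so you can see the source address and the hour of each login. The passwd excerpt, the auth.log lines and the `EXPECTED_USERS` baseline are all constructed for the demo.

```python
"""Audit passwd-format text for unexpected accounts and correlate them with
auth.log login events.  Added example, not the post author's script.  The
passwd and auth.log content is constructed; EXPECTED_USERS is an assumed
baseline you would replace with the accounts you actually created."""
import re
from collections import Counter

# Constructed /etc/passwd excerpt (not taken from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
faruk:x:1000:1000:Faruk:/home/faruk:/bin/bash
backupadmin:x:1001:1001::/home/backupadmin:/bin/bash
sysadm:x:0:0::/root:/bin/bash
"""

# Constructed auth.log lines (not taken from a real host).
SAMPLE_AUTH_LOG = """\
Jun  3 09:12:44 web1 sshd[2231]: Accepted publickey for faruk from 10.0.0.5 port 50122 ssh2
Jun  3 09:12:44 web1 sshd[2231]: pam_unix(sshd:session): session opened for user faruk(uid=1000) by (uid=0)
Jun  4 02:41:07 web1 sshd[4410]: Accepted password for backupadmin from 203.0.113.7 port 41133 ssh2
Jun  4 02:41:07 web1 sshd[4410]: pam_unix(sshd:session): session opened for user backupadmin(uid=1001) by (uid=0)
Jun  5 03:05:19 web1 sshd[5120]: Accepted password for backupadmin from 203.0.113.7 port 41998 ssh2
"""

# Assumption: the interactive accounts you know you created.
EXPECTED_USERS = {"faruk"}
NOBODY_UID = 65534  # 'nobody' legitimately sits at the top of the range

ACCEPTED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hh>\d\d):\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_passwd(text):
    """Return (name, uid, shell) tuples from passwd-format text."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; production tooling should report it
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        entries.append((name, int(uid), shell))
    return entries


def find_suspicious_accounts(text, expected=EXPECTED_USERS):
    """Map account name -> reasons for: unexpected regular-user UIDs,
    non-root accounts with UID 0, and UIDs shared between accounts."""
    entries = parse_passwd(text)
    uid_counts = Counter(uid for _, uid, _ in entries)
    findings = {}
    for name, uid, _shell in entries:
        reasons = []
        if uid == 0 and name != "root":
            reasons.append("uid 0 but not root")
        if 1000 <= uid < NOBODY_UID and name not in expected:
            reasons.append("unexpected regular-user uid")
        if uid_counts[uid] > 1 and name != "root":
            reasons.append("uid shared with another account")
        if reasons:
            findings[name] = reasons
    return findings


def logins_for(auth_text, users, odd_hours=range(0, 6)):
    """Return sshd 'Accepted' events for the given users, marking off-hours ones."""
    events = []
    for line in auth_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m or m["user"] not in users:
            continue
        hour = int(m["hh"])
        events.append({"user": m["user"], "src": m["src"], "method": m["method"],
                       "hour": hour, "off_hours": hour in odd_hours})
    return events


if __name__ == "__main__":
    findings = find_suspicious_accounts(SAMPLE_PASSWD)
    for name, reasons in findings.items():
        print(f"{name}: {', '.join(reasons)}")
    for ev in logins_for(SAMPLE_AUTH_LOG, set(findings)):
        flag = "OFF-HOURS " if ev["off_hours"] else ""
        print(f"{flag}{ev['user']} via {ev['method']} from {ev['src']} at {ev['hour']:02d}:xx")
```

On a real host, feed `find_suspicious_accounts` the output of `getent passwd` (which also covers accounts coming from LDAP or similar sources, not just the local file) and `logins_for` the contents of /var/log/auth.log. The "off hours" window is a tunable assumption; the point is that an account you never created, logging in by password from an address you do not recognise at 02:41, is exactly the pattern the author describes.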

👉 Read Full Blog on Medium Here
