DEV Community

Faruk

Posted on • Originally published at Medium

Why I Always Check /etc/sudoers.d on a Compromised Linux Server | by Faruk Ahmed | Jun, 2025


Intro: You’ve isolated the server, grabbed the logs and started scanning for malware. But if you skip the sudoers.d directory, you may miss the real backdoor. In this post, I’ll explain why attackers like /etc/sudoers.d, how they use it to persist silently, and what I do to catch and clean it up.

1. Why /etc/sudoers.d Is So Dangerous

Unlike the main /etc/sudoers file, which is usually locked down and audited, the sudoers.d directory is often overlooked. Yet the main file normally ends with `#includedir /etc/sudoers.d` (written `@includedir` on sudo 1.9.1 and later), so every file in that directory is parsed as if it were part of /etc/sudoers and carries the same authority. A drop-in file with relaxed rules silently grants root privileges without a single byte of the main file changing, so a checksum or diff of /etc/sudoers alone shows nothing. Note that sudo skips file names containing a dot or ending in `~`, which is why attacker drop-ins tend to have plain names like the one below.

✅ What attackers do: They drop a file like /etc/sudoers.d/xyz with a line like:

hackeruser ALL=(ALL) NOPASSWD:ALL

This gives that account full sudo access with no password prompt, and because it is an ordinary file on disk it survives reboots. The attacker needs no cron job, no modified binary and no running process: the persistence is one line of configuration.

2. How I Audit This Directory

List the directory, including dot-files, with each file’s owner and mode (sudo expects root-owned files with mode 0440; anything else deserves a look):

sudo ls -la /etc/sudoers.d/

Then inspect each file’s content:

sudo cat /etc/sudoers.d/<filename>

Look for:

  • Unknown usernames
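The following script is an added example and is not code from the original post. It puts the drop-in pattern from section 1 and the manual audit from section 2 into one repeatable check: it lists a sudoers.d-style directory, flags files whose mode or owner is not root/0440, notes file names sudo silently skips (a dot in the name or a trailing `~`), parses each rule line and reports principals that are not in an allow-list, with the `NOPASSWD:ALL` backdoor ranked highest, and runs `visudo -c` where it is installed. The function names, the `KNOWN_ADMINS` list and the sample files built by `make_sample_dir` are constructed for this illustration; on a real host you would run `audit_sudoers_d /etc/sudoers.d` and set `KNOWN_ADMINS` to the accounts that are supposed to have broad sudo rights.

```shell
#!/bin/sh
# Added example, not code from the original post: a small auditor that
# applies the checks above to a sudoers.d-style directory. The function
# names, the KNOWN_ADMINS list and the sample files in make_sample_dir are
# constructed for this illustration; adjust KNOWN_ADMINS to your hosts.

# Accounts and %groups expected to hold broad sudo rights on this host.
KNOWN_ADMINS="root %sudo %wheel deploy"

is_known() {
    for k in $KNOWN_ADMINS; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# audit_sudoers_d DIR [EXPECTED_OWNER]
# Prints one finding per line: "<SEVERITY> <file> <reason>[: <rule>]".
# EXPECTED_OWNER defaults to root; it is a parameter only so the demo can
# run against a temp directory owned by the current user.
audit_sudoers_d() {
    dir=$1
    owner=${2:-root}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}

        # sudo skips names containing '.' or ending in '~'. Such a file grants
        # nothing today, but it is a handy place to park a rule that a later
        # rename makes live, so report it and move on.
        case $name in
            *.*|*~)
                printf 'INFO %s not-loaded-by-sudo (name has a dot or trailing ~)\n' "$name"
                continue ;;
        esac

        # sudo expects mode 0440 and root ownership; visudo -c flags deviations.
        if [ -z "$(find "$f" -maxdepth 0 -perm 0440 -user "$owner")" ]; then
            printf 'MEDIUM %s mode-or-owner-not-0440-%s\n' "$name" "$owner"
        fi

        # Walk the rule lines. Blank lines, comments, Defaults and alias
        # definitions are skipped; the rest are "<principal> <host>=<spec>".
        while read -r line || [ -n "$line" ]; do
            case $line in
                ''|'#'*|Defaults*|*_Alias*) continue ;;
            esac
            principal=${line%%[[:space:]]*}
            # Heuristics: NOPASSWD anywhere in the spec, and a command list
            # that is just ALL (the line ends in ALL) meaning unrestricted root.
            nopw=no; case $line in *NOPASSWD*) nopw=yes ;; esac
            full=no; case $line in *ALL) full=yes ;; esac
            if is_known "$principal"; then
                if [ "$full" = yes ] && [ "$nopw" = yes ]; then
                    printf 'LOW %s known-principal-nopasswd-all: %s\n' "$name" "$line"
                fi
            elif [ "$full" = yes ]; then
                printf 'HIGH %s unknown-principal-full-root: %s\n' "$name" "$line"
            else
                printf 'MEDIUM %s unknown-principal: %s\n' "$name" "$line"
            fi
        done < "$f"

        # Syntax check when visudo is present. It also rejects wrong mode or
        # owner, so a failure here is something to look at, not a verdict.
        if command -v visudo >/dev/null 2>&1 && ! visudo -c -q -f "$f" >/dev/null 2>&1; then
            printf 'INFO %s visudo-check-failed\n' "$name"
        fi
    done
    return 0
}

# make_sample_dir: constructed stand-in for /etc/sudoers.d on a compromised
# host. Prints the path of the temp directory it creates.
make_sample_dir() {
    d=$(mktemp -d)
    # Legitimate scoped rule: expected account, one command, correct mode.
    printf '%s\n' 'deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app' > "$d/90-deploy"
    chmod 0440 "$d/90-deploy"
    # The backdoor from the post, dropped with sloppy permissions.
    printf '%s\n' '# cache' 'hackeruser ALL=(ALL) NOPASSWD:ALL' > "$d/xyz"
    chmod 0644 "$d/xyz"
    # A parked rule sudo will not load because of the dot in the name.
    printf '%s\n' 'svc ALL=(ALL) ALL' > "$d/svc.bak"
    chmod 0440 "$d/svc.bak"
    printf '%s\n' "$d"
}

# Demo against the constructed directory. On a real host run:
#   audit_sudoers_d /etc/sudoers.d
SAMPLE=$(make_sample_dir)
audit_sudoers_d "$SAMPLE" "$(id -un)"
rm -rf "$SAMPLE"
```

Against the constructed directory the scoped `deploy` rule produces no rule finding, `xyz` produces a HIGH line for the `hackeruser` backdoor plus a MEDIUM line for its 0644 mode, and `svc.bak` is reported as not loaded by sudo. The "ends in ALL" test is a deliberate heuristic rather than a sudoers parser: it catches the common `NOPASSWD:ALL` and `(ALL) ALL` shapes but not a rule that reaches root through a single permitted binary such as a shell or an editor, so still read every rule that names an account you do not recognise.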

👉 Read Full Blog on Medium Here
