Remove Backdoor Account

TL;DR

Someone’s added a hidden user account to your system’s passwd file. This guide shows you how to find and remove it, then improve security.

Steps

  1. Check the passwd File
    • Open the passwd file with a text editor as root (using sudo if necessary).
    • Look for unusual usernames or entries that don’t match legitimate users. Pay attention to user IDs (UIDs) and group IDs (GIDs). A backdoor account might have a UID/GID outside the normal range, or be named something suspicious.
    • `sudo nano /etc/passwd`
  2. Identify the Backdoor Account
    • Examine any suspect entries closely. Note the username, UID, GID, home directory, and shell.
    • Use the id command to check a user's identity and group memberships:
    • `id`
    • If the account doesn't appear in the output of id, it's likely a backdoor account.
  3. Remove the Account
    • Use the userdel command to remove the account. The `-r` flag removes the home directory and mail spool as well:
    • `sudo userdel -r`
    • If userdel fails (e.g., because of a locked account), you might need to manually edit the passwd file (see step 6).
  4. Check the shadow File
    • The shadow file contains the hashed passwords. Remove the corresponding entry for the backdoor account from this file too. Open it with a text editor as root:
    • `sudo nano /etc/shadow`
    • Find and delete the line associated with the username you removed in step 3. Be *extremely* careful when editing this file; incorrect changes can lock everyone out of the system!
  5. Check for Cron Jobs
    • Backdoor accounts are sometimes used to run malicious cron jobs. Check the following locations:
      • /etc/crontab
      • Files in /var/spool/cron/crontabs/ (one file per user)
      • Files in /etc/cron.d/
    • Remove any cron jobs associated with the backdoor account. Use a text editor to modify these files as root.
  6. Manual Removal (If Necessary)
    • If userdel fails, carefully edit /etc/passwd and /etc/shadow with a text editor as root.
    • Delete the lines corresponding to the backdoor account in both files. Double-check your work before saving! A single mistake can render your system unusable.
  7. Review System Logs
    • Check system logs (e.g., /var/log/auth.log, /var/log/syslog) for any evidence of how the account was created or used. This can help you understand the extent of the compromise and identify other potential security issues.
  8. Strengthen Security
    • Password Policies: Enforce strong password policies (minimum length, complexity).
    • Two-Factor Authentication: Enable two-factor authentication wherever possible.
    • Regular Audits: Regularly audit user accounts and system logs for suspicious activity.
    • Keep Software Updated: Ensure all software is up to date with the latest security patches.
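The following POSIX shell script is an added example, not part of the original guide: it automates the review in steps 1, 2, 4 and 5 by flagging passwd entries with the traits described above (a second UID-0 account, duplicated UIDs, a system-range account with an interactive shell, malformed lines), listing shadow entries that no longer have a passwd line, and listing per-user crontab files whose owner is not in passwd. It assumes the common UID_MIN of 1000 (override with the UID_MIN environment variable) and runs against constructed sample files whose usernames, UIDs, paths and hash placeholders are made up; point the functions at /etc/passwd, /etc/shadow and /var/spool/cron/crontabs as root to audit a real host.

```shell
#!/bin/sh
# Added example (not from the original guide): passwd/shadow/crontab audit helpers.

# Print one finding per line for a passwd-format file ($1).
#   UID0      a non-root account whose UID is 0
#   DUPUID    an account sharing a UID with an earlier entry
#   SYSSHELL  a system-range account (UID below UID_MIN, default 1000) with a login shell
#   MALFORMED a line without the seven colon-separated fields
audit_passwd() {
    awk -F: -v min_uid="${UID_MIN:-1000}" '
        /^[[:space:]]*$/ || /^#/ { next }
        NF != 7 { printf "MALFORMED %s\n", $0; next }
        {
            user = $1; uid = $3 + 0; shell = $7
            if (uid == 0 && user != "root")
                printf "UID0 %s\n", user
            if (uid in seen)
                printf "DUPUID %s shares uid %d with %s\n", user, uid, seen[uid]
            else
                seen[uid] = user
            # System accounts normally get nologin/false; an interactive shell there is unusual
            if (uid > 0 && uid < min_uid && shell !~ /\/(nologin|false)$/)
                printf "SYSSHELL %s uid=%d shell=%s\n", user, uid, shell
        }' "$1"
}

# Number of findings for a passwd file; non-zero means something needs a human look.
finding_count() {
    audit_passwd "$1" | wc -l | tr -d ' '
}

# Usernames present in the shadow-format file ($2) but absent from the passwd
# file ($1): leftovers from a hand-edited passwd file (step 4 / step 6).
orphan_shadow_entries() {
    awk -F: 'NR == FNR { users[$1] = 1; next } NF > 1 && !($1 in users) { print $1 }' "$1" "$2"
}

# Files in a per-user crontab spool directory ($2) whose name is not a user in
# the passwd file ($1): a crontab left behind by a removed account (step 5).
orphan_crontabs() {
    for c in "$2"/*; do
        [ -f "$c" ] || continue
        u=$(basename "$c")
        grep -q "^$u:" "$1" || echo "$u"
    done
}

# Constructed sample data, not taken from any real system. "toor" and "sysupdate"
# play the part of planted accounts; "leftover" is a shadow line whose passwd
# entry was already deleted; "*" stands in for a real password hash.
write_sample_passwd() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
sysupdate:x:999:999::/var/tmp/.cache:/bin/sh
EOF
    echo "$f"
}

write_sample_shadow() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
root:*:19000:0:99999:7:::
alice:*:19000:0:99999:7:::
toor:*:19000:0:99999:7:::
leftover:*:19000:0:99999:7:::
EOF
    echo "$f"
}

# Demonstration run on the constructed samples
p=$(write_sample_passwd)
s=$(write_sample_shadow)
d=$(mktemp -d)
: > "$d/alice"
: > "$d/ghost"
echo "== passwd findings =="
audit_passwd "$p"
echo "== shadow entries without a passwd line =="
orphan_shadow_entries "$p" "$s"
echo "== crontab files with no passwd owner =="
orphan_crontabs "$p" "$d"
rm -rf "$p" "$s" "$d"
```

The awk checks are deliberately conservative: they only report conditions that a stock installation never produces (a second UID 0, a shared UID, an interactive shell on a system account), so every line printed deserves a look rather than a filter. Run the passwd audit against a known-good copy of /etc/passwd taken at build time as well as the live file; a diff between the two is often the quickest way to spot an added line.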