Operating Systems/Linux/Ubuntu/Ubuntu 16.04 LTS/Malware-Backdoors

Backdoors

Netstat

Netstat lets you see which ports are being used by which programs. This is valuable because backdoors may be waiting for a remote hacker to connect to it on your computer.

1. Install netstat with sudo apt install net-tools
2. sudo netstat -tlnp to run netstat.
   • sudo is required to see the name of all processes using each port
   • -t only shows processes using tcp, which is common for backdoors
   • -l only shows listening processes, which backdoors will most likely be doing
   • -n shows each process's address
   • -p displays the process's name
3. If you find a process you don't recognize (cupsd and sshd are safe), first Google (or DuckDuckGo) the name to see if it seems like a regular linux thing, or something related to the CyberPatriot competition
4. If it seems potentially dangerous, use a program called htop to inspect or kill it.
   • sudo apt install htop
   • htop
   • press '/' to start searching for a process, and type in the process name you're suspicious of.
   • the command column will tell you where the program or script is located on your computer. This may be useful if a forensics question asks you to locate a backdoor.
   • After any forensics question, try to stop the process if you're confidant that it's a malicious program. leave htop (ctrl-c) and run kill <process>. If you lose point, try to figure out how to start the process again. If you don't lose points you can remove the program or script from the location found with htop, using sudo rm <program path>