
Long story short, I was making sure a web app didn't create an LFI vuln by attempting to open /etc/passwd with it. My first attempt to prevent LFI was unsuccessful and listed out the file, and I noticed this at the bottom:

backdoor:x:0:0::/root:/bin/bash

What does this mean, and is it malicious? If so, how do I remove it?


Well, from your question I assume you know what a line in /etc/passwd is, so your question strikes me as a bit odd. Unless, of course, you're going through some kind of test and don't really know your way around a Unix system and are trying to pass easily by cheating with us.

However:

That's a line in /etc/passwd that defines a user called backdoor, which prefers the bash shell.

The bad news is (aside from the fact that someone utterly stupid or an author of some kind of admin test used the name backdoor for this user) that this account uses user ID 0 and group ID 0, and home /root, and all three of those should be absolutely exclusive to root, the superuser.

Your system has been compromised.

You'll need to remove the system from the network, do a postmortem analysis, and set it back up from scratch, hopefully closing the vulnerability you found in your postmortem analysis that allowed them to do this in the first place. (Leaving the system up and trying to "clean it up" is a losing game because who knows what other rootkits or backdoors they have planted.)

8  
"so your question strikes me as a bit odd" - Indeed. I imagine a competent attacker would use a less obviously evil name, such as toor (which is a thing on some of the BSDs and might pass unnoticed). – Kevin 13 hours ago
1  
@Kevin usually, you'd simply not add anything to /etc/passwd – you just add a password for one of the system accounts to /etc/shadow or whatever auth database there is, and flip the suid bit on one or two shells or script interpreters. Stay minimal, stay unnoticed. And if I ever did that, none of the users, scripts, executables, process names or log entries would contain "backdoor". – Marcus Müller 5 hours ago
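The check the answer describes (any account other than root that has UID 0, GID 0 or home /root) as a small audit script. This is an added example, not code from the question or the answer; the passwd content it scans is constructed, with the "backdoor" line taken from the question.

```python
# Added example (not from the original post): scan passwd-format text for
# accounts that are root-equivalent (uid 0 / gid 0) or use root's home
# directory under a name other than "root". The sample content below is
# constructed; the "backdoor" line is the one quoted in the question.
from typing import NamedTuple

class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    home: str
    shell: str

def parse_passwd(text: str) -> list[PasswdEntry]:
    # Format: name:password:uid:gid:gecos:home:shell (7 colon-separated fields)
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries

# All three properties should be exclusive to root, as the answer points out.
ROOT_ONLY_CHECKS = [
    ("uid 0", lambda e: e.uid == 0),
    ("gid 0", lambda e: e.gid == 0),
    ("home /root", lambda e: e.home == "/root"),
]

def suspicious_entries(entries: list[PasswdEntry]) -> list[tuple[str, list[str]]]:
    # Return (account name, reasons) for every non-root account hitting a check.
    findings = []
    for e in entries:
        if e.name == "root":
            continue
        reasons = [desc for desc, pred in ROOT_ONLY_CHECKS if pred(e)]
        if reasons:
            findings.append((e.name, reasons))
    return findings

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:x:0:0::/root:/bin/bash
"""
```

On a live host, feed it the real file with `suspicious_entries(parse_passwd(open("/etc/passwd").read()))`; an empty list means no second root-equivalent account exists in /etc/passwd (it says nothing about /etc/shadow or setuid binaries, which the comments above mention).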
