Where are good places to check for backdoors...

trist007 · 10-11-2010, 10:47 AM

rc.scripts, cron jobs, what else?

Can hidden files be executed simply by going to a directory that has that hidden file inside it?

ShadowCat8 · 10-11-2010, 11:29 AM

Greetings,

No, just going into the directory that has a hidden (READ: dot ['.']) file does not execute that hidden file.
Another place to check for hidden processes would be the PID folders under /proc and comparing them to the output of 'ps ax ' run as root to see if you have something running that isn't showing in the process list.
Have you tried running 'rkhunter' or 'chkrootkit' on the system in question?

HTH. Let us know.

unSpawn · 10-11-2010, 11:42 AM

BTW, is there any specific reason that makes you ask all of this?

unixfool · 10-11-2010, 03:14 PM

The CERT Checklist may help.

In fact, there's the Security References thread that may have tidbits of information that could point you in the proper direction.

trist007 · 10-11-2010, 03:26 PM

Thanks guys. I'd like to get a better handle on security and I wanted to see where to check for any suspicious files.

fiku · 10-11-2010, 04:03 PM

Well, generally, a backdoor is a process that enables remote access. You might use the netstat command to list the listening ports (e.g. netstat -l).
Of course, there could be a rootkit too, that has forged the netstat command to hide the backdoor port entry, so one have to be sure, that netstat is really what You expect it to be.