What is a Backdoor?
A backdoor provides a shortcut for authorized or unauthorized users to gain access to an unauthorized location of a website, software, or system. There are many different ways to categorize backdoors, but they are usually not in plain sight and are intentionally difficult to detect.
Legitimate vs. Illegitimate Backdoors
Sometimes called a Maintenance Hook, Administrative Backdoor, or a Proprietary Backdoor, these are backdoors created on purpose by developers during the development process of the software or hardware. The backdoor allows them a quick way to test features, remove bugs and write code without having to create an actual account and deal with logins.
Typically, these are removed once the product passes QA and moves into production, but some developers leave the backdoor in. They can use the same shortcut to test new features down the road, troubleshoot, or help users who are locked out of their devices restore access. Leaving any backdoor in a software application creates a major risk that skillful hackers could detect and take advantage of it. Backdoors should never be left in production code for any reason, no matter how “safe” it may be.
The process of a hacker placing a backdoor on a system, application, or software is called a backdoor attack. The backdoor gives hackers access to elevated user privileges that allow them to infect systems and networks.
Backdoors can be present in endpoint devices like computing hardware or firmware. For example, backdoors have been found in CPUs (Central Processing Units) and servers, in addition to operating systems, applications, websites, and softwares. When a website is hacked, a hacker places the backdoor to gain reentry to the site. This allows them to return without detection.
Illegitimate backdoors are classified as trojans. Like the trojan horse from the Greek story, The Odyssey, the program appears harmless but has devastating potential. It is often disguised as a part of a theme or plugin. It can be hidden or encrypted in a file with a discreet name like .users.php. Backdoors are designed to evade intrusion detection systems (IDS) and can silently exist for months or even years without being detected and even before they are actually used.
Backdoors in the News
The SolarWinds hack used a backdoor that remained undetected for 7 months and exposed Denmark’s Central Bank.
Tens of thousands of Microsoft Exchange Servers compromised globally due to backdoors.
The South Korean government was targeted by the Apple Seed backdoor.
Fake movie streaming service “Bravo Movies” was a malware Bazaloader that used a backdoor throughout 2021
Backdoor mechanisms that are active in Xiongmai firmware infect thousands of IoT products in security cameras, DVRs and NVRs and have resulted in hackers gaining complete control of devices.
Edward Snowden leaks the news that the NSA forced backdoors into thousands of Cisco electronics allowing them to remotely spy via camera or microphone on users.
Since 2008, Intel has also reportedly installed a “master controller” backdoor into its manufactured CPU chips as well.
Apple has also done an abrupt about-face on the use of backdoors in their operating system, ostensibly to combat child abuse.
A Russian spy infiltrated Yahoo through phishing and once in, installed a backdoor on Yahoo’s server that allowed him to make a backup copy of Yahoo’s entire customer database.
How do Backdoors Get There?
Worms are malware programs that install backdoors on devices like computers. The general purpose of the malware in this case is to replicate itself to as many neighboring targets as possible, such as other computers/servers on the same network. This kind of malware usually includes a way for the attacker to communicate with it and a pre-built set of tools that it can use autonomously to try and compromise the other systems..
Once a hacker has found a way in, they could install a rootkit on the machine. Root kits allow hackers to open a back-door with root-level access, the same as admin or a superuser.
Rootkits main intent is to be as hard to remove as possible, they can disguise themselves as a part of the core system or even infect a part of it. Usually the only effective removal of a rootkit is a complete system reinstallation.
Downloads of Free Apps or Plugins
When people download free plugins that promise premium features, or pirated copies, these are often patched to include backdoors. These can be anything from wordpress plugins, to roblox plugins, to file converters. It is critical to identify and remove any suspect plugins, because they could contain backdoor code.
Hackers can install backdoors by exploiting bugs and unsecured points of entry in outdated software versions.
An open port is a UDP or TCP port number that is set to accept packets. Open ports help network devices and operating systems communicate with each other. However, hackers scan open ports for vulnerabilities they can take advantage of like a misconfiguration, an open by default setting, and being unpatched or unused.
An open port allows direct communication to a system or service from which it may directly accept the commands/communication or may allow a vulnerability to be exploited.
When people don’t update default passwords or credentials it is simple for attackers to target those systems with backdoors. In 2016, a couple teenagers took down the internet on the east coast for hours by taking over IoT devices that still used their default passwords.
Hardware manufacturers intentionally place backdoors in devices to reset users that forget their passwords or override settings on stolen devices. They are also placed by developers to bypass authentication during the software creation process.
One good example of this is how many ISP’s provided routers have a default user/pw combination only known to the ISP or even a direct line of communication with that router. These “secrets” are eventually discovered and shared on the internet which can easily put such routers, their network and any connected device at risk.
What Attacks Do Backdoors Facilitate?
Once the backdoor is planted, hackers can take advantage of it to follow up with several different actions
- Redirects to spam pages
- Spam Ads
- Data theft or leakage
- DDoS attack
- Website defacement
6 Steps to Find & Remove Backdoors:
It’s critical to remove backdoors. Cleaning a site and changing the passwords is pointless if the backdoor is still there. The backdoor allows the hacker to come back in and reinfect the site with other kinds of malware without any obstacle. The problem is that backdoors can be incredibly hard to find manually.
Here are some steps you can take to get started.
- Log in to your server: using SSH or SFTP . This allows you to find modified files and remove them in bulk.
- Compare Your Files: using the SSH or SFTP command, check every file against the pre-infection files stored on your backup. Check the numerical signature of the checksum to make sure that it matches. This will identify the files that have been modified.
- Check Core File Integrity: Core files are usually never modified. For instructions on searching for modified files, read Sucuri’s Guide on What to do if Your Website is Hacked.
- Remove inactive plugins, themes and extensions – these could be places where the backdoor is hiding. Also remove any themes or plugins that you do not recognize
- Start from scratch – replace all known plugins, core files and extensions that you can with known solid or freshly downloaded versions and manually inspect every custom coded file, knowing that the backdoor could be hidden on any line.
- Check recently modified files. If you have a rough estimate of when the compromise occurred you can use the “mtime” command to find other files modified around the same date.
- Sucuri’s server side scanner is very useful at finding backdoors placed into your website environment. It logs changes to website files and can help you narrow down affected items.
- Still haven’t found it manually? Try a tool. The Github community offers free backdoor finder tools and webshell backdoor finder tools like webshell detector.
Prevent Future Backdoor Attacks:
With the difficulty in finding backdoors, there is no saying more apt than “an ounce of prevention is worth more than a pound of cure.” Here’s what you can do to make sure a backdoor never happens in the first place.
- Limit what is installed. If unauthorized apps, widgets and software can’t be downloaded, there is less chance of malware being accidentally downloaded with it.
- Use a custom SSH port to reduce brute force attempts
- Blocklist known bad code when checking your files. This list contains known php backdoors that can be used for cross-comparison if you come across an anomaly.
- Keep a back-up and make sure you keep a clean back-up that is backdoor-free off-site. This will allow you to quickly compare and identify any unusual files.
- Stay up to date on patches with all themes, extensions and plugins.
- Reset all passwords and use strong passwords, and consider a password manager.
- Add additional authentication like captcha and multi-factor authentication to your login page
Finding a backdoor is like playing a really hard Where’s Waldo challenge. It’s hard to do, and it would be easier if you didn’t have to.
If you’ve gone through our steps and still have more questions than answers, we can help. Read our blog post on our steps in finding backdoors for more support, or ask our team of security analysts to step in.