TL;DR
A backdoor is a hidden way to access a system that bypasses normal security controls. Attackers install backdoors after initial compromise to maintain persistent access even if you patch the original vulnerability. Backdoors can also come through compromised dependencies or insider threats. Detect them through monitoring, file integrity checks, and security audits.
The Simple Explanation
An attacker breaks in once, then installs a secret entrance so they can come back anytime. Even if you patch the vulnerability they used, the backdoor lets them back in. They might add a hidden user account, modify code to accept a secret password, or install a program that listens for their commands.
Types of Backdoors
| Type | Method | Example |
|---|---|---|
| Account-based | Hidden user accounts | Admin account with common name |
| Code-based | Modified application code | Secret password in login |
| Network-based | Listening service | Reverse shell on startup |
| Supply chain | Compromised dependencies | Malicious npm package |
| Hardware | Modified firmware | Compromised network device |
How Backdoors Are Installed
- Initial compromise (exploit, phishing, etc.)
- Attacker gains access
- Installs one or more backdoors
- Original vulnerability patched
- Attacker still has access via backdoor
- Can return anytime undetected
This is why incident response includes rebuilding systems, not just patching.
Detection Methods
- File integrity monitoring: Detect unexpected changes
- Network monitoring: Unusual connections or traffic
- Account auditing: Unknown or dormant accounts
- Process monitoring: Suspicious running programs
- Code review: Check for unauthorized changes
- Penetration testing: Find hidden access points
Assume there are multiple. Attackers often install several backdoors in case one is found. If you discover one, look for others. Consider rebuilding from clean sources rather than trying to clean the system.
Prevention Strategies
- Defense in depth: Make initial compromise harder
- Least privilege: Limit what attackers can do
- Change monitoring: Alert on file/config changes
- Code signing: Verify software integrity
- Dependency scanning: Check for compromised packages
- Regular audits: Look for anomalies
Incident Response
- Isolate the compromised system
- Preserve evidence for forensics
- Identify all backdoors (assume multiple)
- Rebuild from known-good sources
- Change all credentials
- Fix the initial vulnerability
- Monitor for reinfection
How do backdoors get installed?
Attackers install backdoors after initial compromise to maintain access even if the original vulnerability is patched. Backdoors can also come through supply chain attacks (compromised dependencies), insider threats, or be built into software intentionally by malicious developers.
How do I detect backdoors?
Monitor for unusual network connections, unexpected user accounts, modified system files, and suspicious scheduled tasks or startup scripts. Use file integrity monitoring to detect changes. Review code changes carefully. Perform regular security audits and penetration testing.
What should I do if I find a backdoor?
Isolate the affected system immediately. Preserve evidence for forensic analysis. Determine the scope of the compromise. Rebuild the system from known-good sources rather than just removing the backdoor (there may be others). Review how it was installed to prevent recurrence.