How I spot I've been backdoored.

For some days I have been testing some free RATs/obfuscators from GitHub on my main host. I am not sure if I've been backdoored. Is there any way to check that? I really set up my Parrot over a couple of days and don't want to install it fresh again. Sometimes when I am away from my PC I can hear a noise from the fan.

Possible tools to find the malware responsible for backdoor access; use these tools from your Pentesting menu:

1. rkhunter
2. chkrootkit
3. Lynis
4. ClamAV (optional - install it)

These would list any installed or active malware on your system that is known to Parrot OS.


rkhunter and chkrootkit mostly use the file-exists method with hardcoded paths. Their scope is to find known rootkits, which are really, really old and outdated. ClamAV is the best option here. However, it still only detects known malware signatures.
The best way to check for a backdoor inside a system is to check processes, network activity, file creation dates, ... and so many other methods. It depends on the threat actor and the complexity of the backdoor's design.


I used Lynis and monitored ports/processes for two days with netstat/Nmap/ps. I checked LISTEN/ESTABLISHED/SYN_SENT connections. I think everything is all right. I figured out that the noise from the fan was only there when I had the browser open; when it was closed there was no noise. :smiley: I will scan with ClamAV as suggested because I haven't used it.

By mistake I also probably killed/disabled some process and broke my Firefox; it now does not want to load websites. I did sudo apt --purge autoremove firefox and installed it again, but it still does not load websites. Could you guys tell me what I can do now? I don't want to open a new topic for that, thanks.
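The two posts above describe the same manual triage (check listeners, established and SYN_SENT connections, the owning processes, and recently changed files). The script below is an added example for this thread, not code posted by anyone in it. It works on text, so it can run either on live `ss -tunapH` output (`sh triage.sh live`) or, as here, on a constructed sample. Assumed: iproute2 `ss` for live mode, POSIX awk/find, and an allowlist of "normal" remote ports (80, 443, 53) that you should adjust to your own host.

```shell
#!/bin/sh
# Added triage helper for the thread above; not from any poster.
# Three functions: non-loopback listeners, unexpected outbound connections,
# and recently modified files under a persistence directory.

# Constructed sample in the shape of `ss -tunapH` output; not captured from a
# real host. Port 4444 on 0.0.0.0 owned by an interpreter is the kind of
# listener a dropped bind-shell stub creates; SYN-SENT to an odd port is what
# a beaconing implant looks like when its server is down.
SAMPLE_SS='tcp   LISTEN   0 128 127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=812,fd=7))
tcp   LISTEN   0 128 0.0.0.0:4444       0.0.0.0:*         users:(("python3",pid=2331,fd=3))
udp   UNCONN   0 0   0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=701,fd=6))
tcp   ESTAB    0 0   192.168.1.5:50122  203.0.113.9:443   users:(("firefox",pid=2990,fd=88))
tcp   SYN-SENT 0 1   192.168.1.5:50131  198.51.100.7:1337 users:(("bash",pid=2402,fd=3))'

# Remote ports treated as normal outbound destinations (an assumption made for
# this example; tune it to what the host really talks to).
EXPECTED_REMOTE_PORTS='80 443 53'

# flag_listeners: TCP sockets in LISTEN state not bound to a loopback address.
# Reads ss -tunapH style lines on stdin; prints "local-address process".
flag_listeners() {
  awk '$1 == "tcp" && $2 == "LISTEN" && $5 !~ /^(127\.|\[::1\]|\[::ffff:127\.)/ { print $5, $7 }'
}

# flag_outbound: ESTAB or SYN-SENT TCP sockets whose peer port is not in the
# expected list. Prints "state peer-address process".
flag_outbound() {
  awk -v ports="$EXPECTED_REMOTE_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
    $1 == "tcp" && ($2 == "ESTAB" || $2 == "SYN-SENT") {
      port = $6; sub(/.*:/, "", port)
      if (!(port in ok)) print $2, $6, $7
    }'
}

# recent_persistence DIR DAYS: regular files under DIR modified within DAYS
# days, sorted. Point it at the places a Linux backdoor usually hooks:
# /etc/cron*, /etc/systemd/system, ~/.config/systemd/user,
# ~/.config/autostart and the shell rc files in $HOME.
recent_persistence() {
  dir=$1; days=${2:-7}
  find "$dir" -type f -mtime -"$days" 2>/dev/null | sort
}

# Live mode: `sh triage.sh live` runs the checks against this host.
# Run it as root or the process column will be empty for other users' sockets.
if [ "${1:-}" = "live" ]; then
  echo "== non-loopback listeners =="; ss -tunapH | flag_listeners
  echo "== unexpected outbound =="; ss -tunapH | flag_outbound
  for d in /etc/cron.d /etc/cron.daily /etc/systemd/system \
           "$HOME/.config/systemd/user" "$HOME/.config/autostart"; do
    echo "== changed in the last 7 days under $d =="; recent_persistence "$d" 7
  done
fi
```

Anything the script flags still has to be looked at by hand: the owning PID's `/proc/PID/exe` and `cmdline`, when its binary was written, and whether the package manager still vouches for it (`dpkg --verify` on Debian-based systems). A clean run proves only that nothing is listening or beaconing at that moment, which is why the thread's advice to watch for a couple of days is sound.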

You've gone about it in a great way! Have you tried sudo apt install firefox?

Thanks bro. No I didn't. Firefox still, at some stages, does not fully load websites; it just loads and nothing more. I purged it, then reinstalled and turned off all plugins, still the same problem. I have been using an alternative browser for two days. I remember that when my fan was noisy I turned off or killed some process and it was quiet, but it stopped working after a reboot, so I am pretty sure I disabled some Firefox process but don't remember which one ... :thinking: EDIT: now even the Firefox settings don't want to run; I click and nothing opens...

I’ve had hackers get into my backdoor more than once and it caused all sort of problems.

Try sudo dnstool address 1.1.1.1 or 8.8.8.8
Or check the settings in your browser, mostly about proxy.


FYI, mainline Firefox was removed from Debian a few months ago, and when installing through the repo only the ESR version is available.
Otherwise the latest version should be downloaded from snap.


I reinstalled Firefox but still the same problem; even if I click on bookmarks nothing happens. It's strange, as I like Firefox most and have been using Chromium for a couple of days now; I cannot figure out what happened.

sudo apt purge firefox-esr
sudo apt autoremove firefox-esr
sudo apt purge 'firefox*'   # quoted so the shell passes the pattern to apt instead of expanding it
sudo apt install firefox-esr

Proxy settings are good, plugins off, still most websites do not even open; if I click a bookmark there is no action at all after the click.