Linux nologin Shell Rename Backdoor Attack Detection and Forensics
Ever wondered what would happen if you replaced the Linux /sbin/nologin with a valid shell? Attackers have, and it gives them a persistent backdoor on supposedly disabled accounts. In this video we go over this attack and how to find it on your systems with command line tools and agentless Sandfly.
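One way to do the command-line check mentioned above, as an added example that is not from the original page or from Sandfly: the function compares the nologin binary byte-for-byte against each shell listed in a shells file. The function name, the default paths and the use of /etc/shells as the list of candidate shells are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): detect a nologin binary that
# has been replaced by, or linked to, a real login shell.
# Assumption: candidate shells are those listed in /etc/shells.
# Returns 0 = no match, 1 = nologin is identical to a shell, 2 = input missing.
check_nologin() {
    nologin="${1:-/sbin/nologin}"
    shells="${2:-/etc/shells}"

    if [ ! -e "$nologin" ] || [ ! -r "$shells" ]; then
        echo "MISSING: need both $nologin and $shells"
        return 2
    fi

    # A symlink is worth reporting on its own; cmp below follows it.
    if [ -L "$nologin" ]; then
        echo "NOTE: $nologin is a symlink to $(readlink "$nologin")"
    fi

    status=0
    while IFS= read -r candidate; do
        # Skip blanks, comments, and entries that do not exist on disk.
        case "$candidate" in ''|'#'*) continue ;; esac
        [ -f "$candidate" ] || continue
        # Some distributions list nologin itself in /etc/shells; ignore it.
        [ "$(basename "$candidate")" = "nologin" ] && continue

        # Byte-for-byte comparison catches copies, hard links and symlinks.
        if cmp -s "$nologin" "$candidate"; then
            echo "ALERT: $nologin is identical to shell $candidate"
            status=1
        fi
    done < "$shells"

    return "$status"
}
```

Calling `check_nologin` with no arguments checks the default paths. On systems where nologin and the shell are applets of one multi-call binary such as BusyBox, a match is expected, and a replacement shell that is not listed in the shells file will not be matched by this comparison.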
Find out if your systems have been backdoored, plus thousands of other attack traces instantly. Sandfly's agentless EDR for Linux deploys rapidly without any endpoint agents. Get a free license today to try it out.