Why I Always Check /etc/sudoers.d on a Compromised Linux Server
Intro:
You’ve isolated the server. You’ve grabbed the logs. You’re scanning for malware. But if you skip checking the sudoers.d directory, you might miss the real backdoor. In this post, I’ll explain why attackers love /etc/sudoers.d, how they use it to persist silently, and what I do to catch and clean it up.
1. Why /etc/sudoers.d Is So Dangerous
Unlike the main /etc/sudoers file, which is usually locked down and audited, the sudoers.d directory is often overlooked. The main file normally pulls the directory in with an includedir directive, so every file there is read with the same authority as /etc/sudoers itself. Any file placed there with relaxed rules can silently grant root privileges — without changing the main sudo configuration.
✅ What attackers do:
They drop a file like /etc/sudoers.d/xyz with a line like:
hackeruser ALL=(ALL) NOPASSWD:ALL
This gives their user full sudo access without a password — even after reboots.
2. How I Audit This Directory
Run:
sudo ls -l /etc/sudoers.d/
Then inspect each file’s content:
sudo cat /etc/sudoers.d/<filename>
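Reading each file by hand works on one box, but on a fleet I want the same checks scripted. The script below is an added example, not code from the original post: it walks a sudoers.d directory and flags passwordless rules, rules that grant unrestricted root, principals that are not on a known-admin list you supply, include directives that pull in rules from outside the directory, and files writable by group or other. The function name, the output format and the default admin list ("root %sudo %wheel %admin") are my own choices; the directory defaults to /etc/sudoers.d but any directory (for instance a copy pulled from the compromised host) can be passed in.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits every drop-in file in
# a sudoers.d directory for the kinds of rules described above: passwordless
# sudo, unrestricted root, principals that are not on your known-admin list,
# include directives, and files writable by group or other. The default
# directory is /etc/sudoers.d; pass a copy of the directory to test offline.
# Parsing is a heuristic on one rule per line (backslash continuations and
# aliases are not resolved); visudo -c remains the authority on syntax.

# is_known PRINCIPAL "LIST": true if PRINCIPAL appears in the space-separated LIST.
is_known() {
    for k in $2; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# audit_sudoers_dir [DIR] [KNOWN_PRINCIPALS]
# Prints one finding per line as "<file>|<reasons>|<rule>" and returns 1 if
# anything was flagged, 0 if the directory is clean, 2 if DIR does not exist.
audit_sudoers_dir() {
    dir="${1:-/etc/sudoers.d}"
    known="${2:-root %sudo %wheel %admin}"   # adjust to your fleet's admin groups
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    findings=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # sudo ignores names containing '.' or ending in '~'; they are scanned
        # here anyway, since a stray backup copy still tells you something.
        mode=$(ls -ld "$f" | cut -c1-10)
        case "$mode" in
            ?????w*|????????w*)   # group-write (position 6) or other-write (position 9)
                findings=$((findings + 1))
                printf '%s|writable-by-group-or-other|%s\n' "$f" "$mode" ;;
        esac
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                [#@]include*)   # pulls in rules from outside this directory
                    findings=$((findings + 1))
                    printf '%s|include-directive|%s\n' "$f" "$line"
                    continue ;;
            esac
            # Drop comments ('#' not followed by a digit, since #uid is a user
            # spec) and surrounding whitespace; skip blank, Defaults and alias lines.
            rule=$(printf '%s' "$line" | sed -e 's/#[^0-9].*//' -e 's/#$//' \
                       -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
            [ -n "$rule" ] || continue
            case "$rule" in
                Defaults*|User_Alias*|Runas_Alias*|Host_Alias*|Cmnd_Alias*) continue ;;
            esac
            principal=$(printf '%s\n' "$rule" | awk '{ print $1 }')
            reasons=""
            case "$rule" in
                *NOPASSWD*) reasons="passwordless" ;;
            esac
            # Compare with whitespace removed so "ALL = (ALL) ALL" and
            # "ALL=(ALL) ALL" are treated alike.
            compact=$(printf '%s' "$rule" | tr -d ' \t')
            case "$compact" in
                *=ALL|*=NOPASSWD:ALL|*'(ALL)'*ALL|*'(ALL:ALL)'*ALL|*'(root)'*ALL)
                    reasons="${reasons:+$reasons,}unrestricted-root" ;;
            esac
            if [ "$principal" = ALL ]; then
                reasons="${reasons:+$reasons,}applies-to-all-users"
            elif ! is_known "$principal" "$known"; then
                reasons="${reasons:+$reasons,}unknown-principal"
            fi
            if [ -n "$reasons" ]; then
                findings=$((findings + 1))
                printf '%s|%s|%s\n' "$f" "$reasons" "$rule"
            fi
        done < "$f"
    done
    [ "$findings" -eq 0 ]
}

# Run the audit when executed with arguments, e.g.
#   sudo sh audit_sudoers.sh /etc/sudoers.d "root %sudo ops"
# Sourcing the file with no arguments only defines the functions.
[ $# -eq 0 ] || audit_sudoers_dir "$@"
```

On the hackeruser example from the previous section the script reports the file with the reasons passwordless, unrestricted-root and unknown-principal on one line, which is the line I would pivot on next (file mtime, who wrote it, whether the user exists in /etc/passwd). A non-zero exit status makes it easy to fan out over many hosts and collect only the ones that flagged something.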
Look for:
- Unknown usernames