A backdoor is a hidden method of accessing a system that bypasses normal authentication, planted by an attacker (or shipped in malicious software) so they can return at will. Backdoors range from a web shell on a server, an extra SSH key, or a rogue account, to deep rootkits and firmware implants. They are the mechanism behind most persistence: a quiet, reliable door back in that survives reboots and avoids the front-door login.
What a backdoor is
A backdoor is any concealed way into a system that sidesteps the normal login. Where the front door checks a password and MFA, a backdoor is a path the attacker controls that asks for none of that, or uses a secret only they know.
It is the practical form persistence usually takes: not just "keep access" in the abstract, but a specific hidden door (a web shell URL, an extra key, a rogue service) that the attacker can knock on whenever they want.
The forms backdoors take
Backdoors exist at every layer:
- Application: a web shell dropped into a website’s files.
- Account: a rogue account or an extra SSH key.
- Service/scheduler: a malicious service, scheduled task, or cron job.
- Kernel/system: a rootkit that hides itself.
- Domain: a forged Golden Ticket that grants access without a password.
Why backdoors are dangerous
A backdoor combines stealth and durability. It avoids the authentication and logging the front door has, and it is designed to persist across reboots and credential resets. Attackers also commonly plant several, so removing the obvious one still leaves a way in.
That is why eradicating an intrusion means hunting every backdoor and autostart location, not just closing the hole the attacker first used.
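The list of backdoor forms above and the point that eradication means hunting every door, not just the first hole, can be turned into a simple host check. The script below is an added example written for this page, not code from the original text: it walks constructed sample artifacts for the account, SSH-key, scheduler and application layers and flags the classic indicators (a second UID-0 account, an SSH key absent from the administrator's baseline, a cron job that runs from a temp directory or pipes a download into a shell, and a PHP file that hands request input to eval). All file contents, paths, key blobs and the KNOWN_KEY_BLOBS baseline are constructed samples; a real hunt would read the live files and a real baseline. Kernel rootkits and forged domain tickets from the list cannot be found by a file scan like this and need memory and Kerberos-log tooling instead.

```python
"""Persistence-hunt helper run over constructed sample artifacts.

Added example (not from the original page). It checks the account, key,
scheduler and application layers listed in the text for common backdoor
indicators. Rootkits and forged Kerberos tickets are out of scope for a
file-based check like this.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    layer: str      # which layer from the page's list the hit belongs to
    location: str   # file or entry where it was found
    detail: str     # why it looks like a backdoor


# --- constructed sample input (hypothetical host, not real data) -----------
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:0:0::/var/tmp:/bin/bash
"""

SAMPLE_AUTHORIZED_KEYS = """ssh-ed25519 AAAAExampleKnownAliceKeyBlob alice@laptop
ssh-ed25519 AAAAExampleUnknownKeyBlob backup@unknown
"""
# Baseline of key blobs an administrator has approved (constructed).
KNOWN_KEY_BLOBS = {"AAAAExampleKnownAliceKeyBlob"}

SAMPLE_CRONTAB = """# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
@reboot /tmp/.cache/sync
"""

SAMPLE_WEB_FILES = {
    "/var/www/html/index.php": "<?php echo 'hello'; ?>",
    "/var/www/html/uploads/img.php": "<?php @eval($_POST['c']); ?>",
}

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
# PHP that passes request data into a code- or command-execution function.
WEBSHELL_RE = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec)\s*\(.*\$_(POST|GET|REQUEST|COOKIE)\b",
    re.S,
)


def rogue_uid0_accounts(passwd_text):
    """Account layer: any UID-0 account other than root is a classic rogue login."""
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            out.append(Finding("account", f"/etc/passwd:{name}", "UID 0 account that is not root"))
    return out


def unknown_ssh_keys(keys_text, known_blobs, path="~/.ssh/authorized_keys"):
    """Account layer: key blobs missing from the approved baseline are extra keys."""
    out = []
    for line in keys_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Skip any leading options (command="...", from="...") before the key type.
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        blob = parts[idx + 1]
        comment = parts[idx + 2] if len(parts) > idx + 2 else "(no comment)"
        if blob not in known_blobs:
            out.append(Finding("account", path, f"key not in baseline: {comment}"))
    return out


def suspicious_cron_entries(crontab_text):
    """Scheduler layer: jobs that run from temp dirs or pipe a download into a shell."""
    out = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        nfields = 1 if s.startswith("@") else 5   # @reboot-style macro or m h dom mon dow
        command = " ".join(s.split()[nfields:])
        if any(d in command for d in TEMP_DIRS):
            out.append(Finding("scheduler", "crontab", f"job runs from temp dir: {command}"))
        elif re.search(r"\|\s*(ba)?sh\b", command):
            out.append(Finding("scheduler", "crontab", f"job pipes into a shell: {command}"))
    return out


def webshell_candidates(files):
    """Application layer: PHP that hands request input straight to eval/exec."""
    return [Finding("application", path, "request data reaches code execution")
            for path, src in files.items() if WEBSHELL_RE.search(src)]


def hunt(passwd=SAMPLE_PASSWD, keys=SAMPLE_AUTHORIZED_KEYS, known=KNOWN_KEY_BLOBS,
         crontab=SAMPLE_CRONTAB, web_files=SAMPLE_WEB_FILES):
    """Run every layer check and return the combined list of findings."""
    findings = []
    findings += rogue_uid0_accounts(passwd)
    findings += unknown_ssh_keys(keys, known)
    findings += suspicious_cron_entries(crontab)
    findings += webshell_candidates(web_files)
    return findings


if __name__ == "__main__":
    for f in hunt():
        print(f"[{f.layer}] {f.location}: {f.detail}")
```

On the constructed samples `hunt()` returns four findings, one per layer checked. The design point is the baseline: an extra SSH key only stands out when compared against what the administrator approved, which is why the check takes a known-good set rather than trying to judge a key on its own.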