Linux BPFDoor Detection (Direct Check)

critical Nessus Plugin ID 161761


Nessus detected a BPFDoor instance listening on the remote host.


The remote system responds to requests typically seen by BPFDoor, a backdoor payload for Linux that is often deployed by malware to gain re-entry to a device. This plugin will open a callback on the scanner and listen for the BPFDoor response. As such, it will not work with cloud based scanners.

This plugin will attempt to send the BPFDoor payload to any open port on the scan target. If no ports are known to be open, it will attempt to send a packet to UDP 68, if the preference 'Consider unscanned ports as closed' is set to 'no.' The plugin will also validate that a response to the callback looks correct. If you wish to catch even unknown responses, you may set 'Show potential false alarms.'

See Also

Plugin Details

Severity: Critical

ID: 161761

File Name: bpfdoor_remote_detect.nbin

Version: 1.19

Type: remote

Family: Backdoors

Published: 6/1/2022

Updated: 2/21/2024

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: The system is suspected as being infected by malware.


Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: manual


Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H