The IT Person Who Left 18 Months Ago Is Still Costing You Money
We took over a client's Linux fleet, ran a GravityZone trial, and found a backdoor on a file server left by the last IT person. The Samba shares were worse.
In February we took over IT support for a Johannesburg professional services firm. The previous IT person had left 18 months earlier with no handover documentation, no password manager entry that didn’t require three phone calls to reconstruct, and one conviction baked so firmly into the organisation’s culture that it had survived his departure intact: Linux servers do not need antivirus.
He’d said it once, apparently with some authority, and it had stuck. The finance manager knew it. The ops manager knew it. When we sat down for the initial scoping call, the MD told us, unprompted, that they ran three Linux file servers and weren’t worried about them because “Brian said Linux is basically immune.”
Brian had been gone for eighteen months.
We have heard worse inherited IT beliefs. But this one had teeth.
The trial we ran expecting nothing
Part of our standard onboarding is a GravityZone trial across the full fleet: Windows machines, Macs, and the Linux servers. We do not carve out exceptions for Linux based on what Brian said, or what anyone said. We’ve also seen plenty of Linux boxes that were set up by someone who watched a YouTube video, and the result is not great.
The Linux agent installs cleanly on Ubuntu and Debian without drama. We run the initial scan, make tea, and generally expect to find some potentially unwanted programmes on Windows, a few outdated signature files, and a clean result on the Linux boxes.
This time we did not get the clean Linux result.
What we found on the file server
The scanner flagged a backdoor. Not a theoretical risk, not a marginal detection: a backdoor with a known signature, the kind that opens a channel to an external host and waits for instructions.
We don’t know exactly how long it had been there. The server’s logs had been rotated and the evidence window was narrow. The previous administrator had left it patched to a version that was current in mid-2024, so “shortly after Brian left” is a plausible estimate. Eighteen months is a reasonable upper bound.
The backdoor wasn’t visibly doing anything when we found it. That is not the reassurance it sounds like. BPFDoor, the Linux backdoor that sat undetected on telco and government networks for roughly five years before public disclosure in 2022, was not visibly doing anything most of the time either. Quiet is not the same as benign. Without EDR-level host telemetry, you don’t catch something like BPFDoor. Plain netstat doesn’t show it. A port scan doesn’t find it. You need an agent on the host.
The backdoor was, however, the second thing that got the MD’s attention. The first thing was the Windows machines.
The Samba problem
All three Linux file servers were running Samba shares. Every Windows workstation in the office mapped to them: documents, spreadsheets, client files. Standard setup, works fine.
Except that among the files on those shares, the GravityZone scanner found Windows malware. Not Linux malware. Executables and macro-laden Office files that the Linux servers had been storing and serving, entirely unaware that anything was wrong, because to Linux an .exe is just a file. Linux does not scan Windows binaries. Linux does not care about Windows binaries.
The Windows machine that opens one does care.
Four workstations showed infections that traced directly to files on the Samba shares. The malware wasn’t new. It had been sitting on the file server long enough for the Windows machines to have picked it up at different points, in at least two separate incidents. The endpoint security on the Windows side had caught some of it. Not all of it.
The Linux servers had been acting as a malware coatroom the entire time. Accepting deliveries, storing them neatly, handing them out on request, entirely unbothered.
Why this keeps happening
The “Linux doesn’t need AV” belief has a kernel of historical truth, which is exactly what makes it so persistent. Consumer malware in the early 2000s was overwhelmingly Windows-targeted. Linux boxes were mostly administered by people who read logs and applied patches. The conclusion that Linux was basically immune wasn’t unreasonable at the time. People who formed that view in 2005 have been repeating it with steadily decreasing accuracy for twenty years.
Two things changed.
Linux now runs most of the internet. Web servers, mail relays, container hosts, Kubernetes nodes, ESXi hypervisors: that concentration made Linux worth targeting. The malware families that go after it are real and named. XorDDoS brute-forces SSH, installs a rootkit, and conscripts hosts into DDoS botnets. RansomEXX and its relatives encrypt RHEL hosts and ESXi machines, taking every virtual machine with them. The xz-utils backdoor (CVE-2024-3094) came within a whisker of shipping an RCE vector into half the world’s Linux distros. These are not lab specimens. They have documented victims.
The other thing: Linux’s complete indifference to Windows executables makes it an ideal staging post for cross-platform attacks. Any Linux box acting as storage or transit between Windows users, Samba shares, FTP servers, mail relays, web upload directories, can hold and distribute Windows malware indefinitely without triggering anything on the Linux side. The Linux server is fine. The next person in the queue is not.
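The check that this paragraph and the Samba section above imply, as an added example (not OSH's or Bitdefender's code): a sweep of a Samba export directory that classifies files by content rather than by extension, so the Windows executables and macro-carrying Office documents a Linux host would otherwise ignore get inventoried for quarantine or a proper signature scan. The share path and sample files are constructed stand-ins; this is a triage inventory, not a replacement for an endpoint agent.

```python
import os
import tempfile
import zipfile

# Content signatures a Windows client acts on; the Linux host serving the
# share never inspects them. Classification is by bytes, not extension.
PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container

def classify(path):
    """Return 'pe', 'ole', 'ooxml-macro' or None for one file."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(OLE_MAGIC):
        return "ole"
    if head.startswith(b"PK\x03\x04") and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            # Office Open XML with a VBA project always carries vbaProject.bin
            if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                return "ooxml-macro"
    return None

def sweep_share(root):
    """Walk a share export; return {relative path: class} for every hit."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            kind = classify(full)
            if kind:
                hits[os.path.relpath(full, root)] = kind
    return hits

def build_sample_share():
    """Constructed sample share: harmless stand-ins carrying only the headers."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "clients"))
    with open(os.path.join(root, "clients", "invoice.pdf"), "wb") as f:
        f.write(PE_MAGIC + b"\x90\x00" + b"\x00" * 60)  # PE bytes behind a .pdf name
    with open(os.path.join(root, "clients", "notes.txt"), "wb") as f:
        f.write(b"plain text, nothing to see\n")
    with open(os.path.join(root, "budget.xls"), "wb") as f:
        f.write(OLE_MAGIC + b"\x00" * 504)
    with zipfile.ZipFile(os.path.join(root, "memo.docx"), "w") as zf:
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    with zipfile.ZipFile(os.path.join(root, "clean.docx"), "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    return root
```

Running `sweep_share(build_sample_share())` reports the renamed PE file, the OLE workbook and the macro-bearing .docx, and leaves the plain text file and the macro-free .docx alone.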
Brian was right that Linux is harder to compromise directly than Windows. Brian was wrong that this makes endpoint security unnecessary.
What the GravityZone trial found, in summary
Three days from deployment to written report. First finding: four hours after the agent went live.
The scanner found the backdoor on the primary file server, which was isolated and removed. It found the Windows malware cached across the Samba shares, quarantined before further Windows machines could pick anything up. It found two additional items on a second server that turned out to be benign but warranted review. The EDR telemetry on the Linux hosts runs at the same depth as on Windows: process trees, command-line capture, network connections, persistence monitoring. It’s what gives you a fighting chance against BPFDoor-class threats.
The GravityZone Linux agent runs on the distributions you’re actually likely to be running: Ubuntu LTS (20.04, 22.04, 24.04), Debian 11 and 12, RHEL/Rocky/Alma 8 and 9, Oracle Linux, Amazon Linux 2 and 2023. Management sits in the same console as Windows and Mac, which matters at 2am when something is happening and you need the full picture in one place.
When we showed the MD the findings report, he was quiet for a moment. Then: “Brian was very confident about this.”
Yes. Brian was.
If you’ve inherited someone else’s Linux conviction
Most IT environments have a Brian. Someone who said something authoritative, left, and whose opinions are still treated as policy. Sometimes they were right. Sometimes they were right in 2018 and wrong in 2026, and nobody has checked.
If your Linux servers have never had endpoint security deployed, and you can’t say with certainty when they were last fully scanned, that is not a clean bill of health. It is an unknown. There is a difference.
We run GravityZone trials on Linux fleets as part of standard onboarding. If you want one before committing to anything, email support@osh.co.za. We deploy the agent, run the scan, and send a written report with prioritised findings. If it comes back clean, you’ll know rather than assume.
Brian assumed. You’ve seen how that went.