Where attackers persist
cron, systemd, SSH keys, shell profiles.
Once an attacker has access, their next priority is keeping it — persistence, so a reboot, a patch, or a killed process does not evict them. Linux offers many places to hook automatic execution, and an attacker only needs one; a defender must know them all. The good news is that most persistence lives in a finite, well-known set of locations, so knowing the map lets you audit for and detect the vast majority of it. The classics are scheduled tasks, service definitions, login scripts, and authorized keys.
Scheduled tasks and services
The most common persistence is a scheduled job or a service that re-launches the attacker’s payload. Cron entries in /etc/crontab, /etc/cron.d/, and per-user crontabs; systemd service and timer units, especially in user or unusual directories — each will faithfully run the attacker’s code on schedule or at boot. Because legitimate cron jobs and services also live here, the detection is baseline-and-diff: a new unit or cron entry, particularly one pointing at /tmp, a hidden path, or an odd binary, is the signal.
# enumerate scheduled/service persistence — baseline these and alert on additions$ cat /etc/crontab; ls -la /etc/cron.d/ /etc/cron.*/$ for u in $(cut -f1 -d: /etc/passwd); do crontab -l -u "$u" 2>/dev/null; done$ systemctl list-timers --all$ systemctl list-unit-files --type=service | grep enabled # diff against known-good
Login hooks and keys
The other big family runs when someone (or something) logs in. A public key appended to ~/.ssh/authorized_keys is a silent, password-less backdoor. Commands added to shell startup files (.bashrc, .profile, /etc/profile.d/) run every time a shell opens. A new user account, or a fresh sudoers entry, is a straightforward "add my own way in." These are high-value to watch precisely because they are how the attacker guarantees return access — and because on a stable host, authorized_keys and shell profiles change rarely.
# the backdoor hunt — unexpected keys, new accounts, tampered startup files$ find /home /root -name authorized_keys -exec ls -la {} + 2>/dev/null # unknown keys?$ awk -F: '$3>=1000{print $1,$3}' /etc/passwd # accounts — any you did not create?$ ls -la /etc/profile.d/ ~/.bashrc ~/.profile # shell hooks — any new lines?