Persistence

(user home)/.ssh/authorized_keys: Check every account that has a home directory, /root/.ssh/ included, for keys nobody recognises. Attackers add their own public key so that SSH access survives a password change; a from= or command= option on a key is also worth a second look. If sshd_config sets AuthorizedKeysFile, check that path as well.

/etc/inittab: Read by SysV init at boot and again whenever init re-reads its configuration (telinit q). A respawn entry here restarts a backdoor every time it dies, so check for unfamiliar lines. systemd ignores this file, so on a systemd host an unexpected /etc/inittab is still worth noting as tampering.

ls -la /etc/init.d/  Check the start-up scripts in this directory: unknown names, recent modification times, or scripts that launch binaries from unusual locations (/tmp, /dev/shm, hidden directories) are indications of persistence.

Look in the crontab and associated folders.

cat /etc/crontab lists the system crontab (each entry carries a user field before the command) OR crontab -l for the current user's crontab and crontab -l -u <username> for another user's.

/etc/cron.d/ holds further system crontab fragments; /etc/cron.hourly, cron.daily, cron.weekly and cron.monthly hold scripts run by run-parts.

/var/spool/cron/crontabs/<username> (Debian family) or /var/spool/cron/<username> (RHEL family) is the per-user crontab; these files have no user field. Also check at jobs (/var/spool/cron/atjobs or /var/spool/at) and, on systemd hosts, timers (systemctl list-timers --all).
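The checks above, as an added example (not code from the original page): a POSIX shell script that pulls every job out of the system and per-user crontab locations on a mounted evidence image and flags commands that run from world-writable or hidden directories or fetch/decode something inline. It assumes the suspect root is mounted at the path passed as the first argument (default /) and that the distribution uses the stock cron paths named in the comments; the flag patterns are a starting point for review, not a verdict.

```shell
#!/bin/sh
# cron_triage.sh: list every cron job on a (mounted) Linux root and flag
# commands that run from places attackers favour. Added example for this
# checklist, not code from the original page. Assumes the suspect root is
# mounted at the path given as $1 (default /) and uses the stock locations:
# system jobs in /etc/crontab and /etc/cron.d/, per-user spools in
# /var/spool/cron/crontabs/ (Debian family) or /var/spool/cron/ (RHEL family).

# awk program shared by both file kinds: skip comments, blank lines and
# VAR=value assignments; the schedule is 5 fields, or 1 for @reboot-style
# nicknames; system files then carry a user field that spool files lack.
CRON_AWK='
/^[[:space:]]*(#|$)/ { next }
/^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }
{
    n = ($1 ~ /^@/) ? 1 : 5
    sched = $1; for (i = 2; i <= n; i++) sched = sched " " $i
    if (kind == "system") { who = $(n + 1); start = n + 2 } else { who = user; start = n + 1 }
    cmd = ""; for (i = start; i <= NF; i++) cmd = cmd (cmd == "" ? "" : " ") $i
    print src "\t" who "\t" sched "\t" cmd
}'

# Print one job per line: file<TAB>user<TAB>schedule<TAB>command.
cron_entries() {
    root="${1:-/}"; root="${root%/}"
    for f in "$root/etc/crontab" "$root"/etc/cron.d/*; do
        if [ -f "$f" ]; then
            rel=${f#"$root"}
            awk -v src="$rel" -v kind=system -v user= "$CRON_AWK" "$f"
        fi
    done
    for f in "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        if [ -f "$f" ]; then
            rel=${f#"$root"}
            awk -v src="$rel" -v kind=user -v user="$(basename "$f")" "$CRON_AWK" "$f"
        fi
    done
}

# Keep only jobs whose command points into /tmp, /dev/shm or /var/tmp, into a
# hidden directory, or runs a downloader/decoder. Reads cron_entries output.
flag_suspicious() {
    awk -F '\t' '
        $4 ~ /(^|[^A-Za-z0-9_.-])\/(tmp|dev\/shm|var\/tmp)\// ||
        $4 ~ /\/\.[^ ]+\// ||
        $4 ~ /(^|[^A-Za-z0-9_.-])(curl|wget|base64|nc|ncat)([^A-Za-z0-9_.-]|$)/'
}

# Usage: sh cron_triage.sh /mnt/evidence
if [ "$#" -gt 0 ]; then
    echo "== all cron jobs (file, user, schedule, command)"
    cron_entries "$1"
    echo "== flagged"
    cron_entries "$1" | flag_suspicious
fi
```

Run it against the mount point rather than the live host so a compromised cron binary cannot lie to you; a command that itself contains a literal tab would split the fourth column, which is rare enough to accept for triage.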

Bash Shell initialization

A login shell reads /etc/profile and then the first of ~/.bash_profile, ~/.bash_login or ~/.profile that exists; an interactive non-login shell reads the system-wide rc file (/etc/bash.bashrc on the Debian family, /etc/bashrc on the RHEL family) and ~/.bashrc, and most ~/.bash_profile files source ~/.bashrc themselves. /etc/profile normally also runs every /etc/profile.d/*.sh, and ~/.bash_logout runs at exit. A line appended to any of these files runs every time the user logs in, so compare them with the distribution's defaults and check their modification times. (If another shell is used, check that shell's documentation for the equivalent files, e.g. ~/.zshrc for zsh.)
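An added example (not code from the original page) that applies the two checks above to every account on a mounted image: it enumerates accounts from /etc/passwd rather than trusting ls /home, lists the shell start-up files and authorized_keys files that exist for each, narrows that list to recently modified files, and breaks each authorized key into type, options and comment. It assumes the suspect root is mounted at the path passed as the first argument (default /) and that accounts use bash; for other shells add their files to INIT_FILES.

```shell
#!/bin/sh
# account_triage.sh: for every account that can log in, list the shell
# start-up files and SSH authorized_keys an attacker could have edited, and
# summarise each authorized key. Added example for this checklist, not code
# from the original page. Assumes the suspect root is mounted at the path
# given as $1 (default /) and that accounts use bash; for other shells add
# their files (e.g. .zshrc, .zprofile) to INIT_FILES.

# Per-user files, in the order bash consults them: a login shell reads the
# first of .bash_profile/.bash_login/.profile, an interactive shell .bashrc,
# .bash_logout runs at exit, and ~/.ssh/rc runs on every SSH login.
INIT_FILES=".bash_profile .bash_login .profile .bashrc .bash_logout .ssh/rc .ssh/authorized_keys .ssh/authorized_keys2"

# Accounts whose login shell is not a deny shell, as user<TAB>home.
login_accounts() {
    root="${1:-/}"; root="${root%/}"
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 "\t" $6 }' "$root/etc/passwd"
}

# Every start-up file that exists: the system-wide ones first, then each
# account's files. Paths are printed relative to the image root.
init_files() {
    root="${1:-/}"; root="${root%/}"
    for f in "$root/etc/profile" "$root/etc/bash.bashrc" "$root/etc/bashrc" "$root"/etc/profile.d/*.sh; do
        if [ -f "$f" ]; then rel=${f#"$root"}; printf '%s\n' "$rel"; fi
    done
    login_accounts "$root" | while IFS="$(printf '\t')" read -r user home; do
        for f in $INIT_FILES; do
            if [ -f "$root$home/$f" ]; then printf '%s\n' "$home/$f"; fi
        done
    done
}

# The same list, restricted to files modified in the last N days (default 30).
recent_init_files() {
    root="${1:-/}"; root="${root%/}"; days="${2:-30}"
    init_files "$root" | while read -r p; do
        if [ -n "$(find "$root$p" -prune -mtime -"$days")" ]; then printf '%s\n' "$p"; fi
    done
}

# Each authorized key as user<TAB>key type<TAB>options<TAB>comment. The key
# type token is located by pattern because options (from=, command=, ...) may
# precede it and may themselves contain spaces inside quotes.
authorized_keys_summary() {
    root="${1:-/}"; root="${root%/}"
    login_accounts "$root" | while IFS="$(printf '\t')" read -r user home; do
        for f in "$root$home/.ssh/authorized_keys" "$root$home/.ssh/authorized_keys2"; do
            if [ -f "$f" ]; then
                awk -v user="$user" '
                    /^[[:space:]]*(#|$)/ { next }
                    match($0, /(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-[^ ]+) [^ ]+/) {
                        opts = substr($0, 1, RSTART - 1); sub(/[[:space:]]+$/, "", opts)
                        key = substr($0, RSTART, RLENGTH); split(key, kp, " ")
                        comment = substr($0, RSTART + RLENGTH); sub(/^[[:space:]]+/, "", comment)
                        if (opts == "") opts = "-"
                        if (comment == "") comment = "-"
                        print user "\t" kp[1] "\t" opts "\t" comment
                    }' "$f"
            fi
        done
    done
}

# Usage: sh account_triage.sh /mnt/evidence [days]
if [ "$#" -gt 0 ]; then
    echo "== start-up files modified in the last ${2:-30} days"
    recent_init_files "$1" "${2:-30}"
    echo "== authorized keys (user, type, options, comment)"
    authorized_keys_summary "$1"
fi
```

Diff the listed start-up files against a clean install of the same release rather than reading them cold; a single appended line is easy to miss in a long distribution default.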

Service start-up:

System V (configuration files in /etc/init.d/* and the run-level link directories /etc/rc[0-6].d/), Upstart (configuration files in /etc/init/*.conf) and systemd (unit files in /lib/systemd/system/* or /usr/lib/systemd/system/*, overridden by same-named files in /etc/systemd/system/*, plus drop-ins in /etc/systemd/system/<unit>.d/*.conf and per-user units in ~/.config/systemd/user/). A systemd unit only starts at boot if something pulls it in, normally a symlink in a *.wants/ directory, so check those links as well as the unit files themselves. For more information regarding service start-up, please refer to How To Configure a Linux Service to Start Automatically After a Crash or Reboot — Part 2: Reference

RC (Run-control)

The traditional way for SysV init to start services and programs when the run level changes: scripts in /etc/init.d are activated by S- and K-links in /etc/rc[0-6].d/, and /etc/rc.local runs last, at the end of multi-user boot. Many systemd distributions still execute /etc/rc.local through rc-local.service when the file exists and is executable, so a line added there works on both families, which makes it a favourite drop point.

Services

chkconfig --list - List all SysV services and the run levels in which each is enabled (RHEL family).

service --status-all - Show status of all SysV services.

systemctl list-units --type=service --all - List all loaded services (systemd); systemctl list-unit-files --state=enabled shows what is configured to start at boot, and systemctl cat <unit> prints the unit file together with its drop-ins, naming the file each section comes from.
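The service, systemd and rc.local checks above, as an added example (not code from the original page) that works on a mounted image, where systemctl and chkconfig cannot be asked: it lists the units pulled in through *.wants/ and *.requires/ links, extracts every Exec* directive from unit files and drop-ins in the three unit directories, lists the S-links that activate SysV scripts per run level, and prints the live commands in /etc/rc.local. It assumes the suspect root is mounted at the path passed as the first argument (default /) and that the default unit and rc directories named in this section are in use.

```shell
#!/bin/sh
# service_triage.sh: enumerate what starts at boot on a (mounted) Linux root
# and show the command each entry runs. Added example for this checklist, not
# code from the original page. Assumes the suspect root is mounted at the path
# given as $1 (default /); paths are the systemd and SysV defaults.

UNIT_DIRS="etc/systemd/system lib/systemd/system usr/lib/systemd/system"

# Units pulled in by a target: every symlink in *.wants/ or *.requires/
# under /etc/systemd/system is "enabled". Output: unit<TAB>target<TAB>link destination.
enabled_units() {
    root="${1:-/}"; root="${root%/}"
    for link in "$root"/etc/systemd/system/*.wants/* "$root"/etc/systemd/system/*.requires/*; do
        if [ -L "$link" ]; then
            dir=$(basename "$(dirname "$link")")
            printf '%s\t%s\t%s\n' "$(basename "$link")" "${dir%.*}" "$(readlink "$link")"
        fi
    done
}

# Every Exec* directive in every unit file and drop-in, as
# unit file<TAB>directive=command. A unit in /etc shadows the same-named
# vendor unit in /lib or /usr/lib, so two entries for one name deserve a diff.
exec_lines() {
    root="${1:-/}"; root="${root%/}"
    for dir in $UNIT_DIRS; do
        for f in "$root/$dir"/*.service "$root/$dir"/*.d/*.conf; do
            if [ -f "$f" ]; then
                rel=${f#"$root"}
                awk -v src="$rel" '/^Exec[A-Za-z]*=/ { print src "\t" $0 }' "$f"
            fi
        done
    done
}

# SysV: init.d scripts activated by S-links in /etc/rc[0-6].d.
# Output: runlevel<TAB>link name<TAB>link destination ("-" for a plain file).
sysv_enabled() {
    root="${1:-/}"; root="${root%/}"
    for link in "$root"/etc/rc[0-6].d/S*; do
        if [ -L "$link" ] || [ -f "$link" ]; then
            lvl=$(basename "$(dirname "$link")"); lvl=${lvl#rc}; lvl=${lvl%.d}
            printf '%s\t%s\t%s\n' "$lvl" "$(basename "$link")" "$(readlink "$link" || printf -)"
        fi
    done
}

# Commands in /etc/rc.local, minus comments, blank lines and the trailing exit 0
# (run late in boot by SysV init, or by rc-local.service on systemd hosts).
rc_local_commands() {
    root="${1:-/}"; root="${root%/}"
    if [ -f "$root/etc/rc.local" ]; then
        grep -Ev '^[[:space:]]*(#|$|exit[[:space:]]+0[[:space:]]*$)' "$root/etc/rc.local" || :
    fi
}

# Usage: sh service_triage.sh /mnt/evidence
if [ "$#" -gt 0 ]; then
    echo "== systemd units enabled via wants/requires links"; enabled_units "$1"
    echo "== Exec* directives in unit files and drop-ins";  exec_lines "$1"
    echo "== SysV S-links per run level";                   sysv_enabled "$1"
    echo "== /etc/rc.local commands";                        rc_local_commands "$1"
fi
```

Read the Exec* output the same way as cron commands: anything launched from /tmp, /dev/shm or a hidden directory, or a unit whose name mimics a kernel thread or a stock daemon but lives only in /etc/systemd/system, goes to the top of the list.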

Other common areas for persistence for malicious scripts

  • /etc/inittab

  • /etc/init.d

  • /etc/rc.d (RHEL family; /etc/init.d and the rc[0-6].d directories live under it)

  • /etc/init (Upstart job files, *.conf)

  • /etc/systemd/system and ~/.config/systemd/user (unit files, drop-ins and *.wants/ links)
