Linux Persistence and Suspicious Startup Review Checklist

By admin, June 16, 2026

After a server compromise, attackers may try to keep access by adding users, SSH keys, cron jobs, systemd services or startup scripts. A defensive review helps find unknown persistence points without guessing.

Core principle

Persistence means something survives logout, restart or reboot. Review every place where Linux can automatically start users, commands or services.

Checklist

  1. List human users.
  2. Review sudo users.
  3. Review SSH authorized keys.
  4. Review user crontabs.
  5. Review system cron directories.
  6. Review systemd services.
  7. Review enabled services.
  8. Review startup scripts and unusual service names.
  9. Review recently modified files in system paths.
  10. Document and remove unknown persistence only after verification.

Reusable lesson

This applies to VPS security incidents, unknown admin activity, malware cleanup, suspicious CPU usage and post-incident hardening.

Checklist Type: Security
Level: Advanced
Risk Level: Critical Risk
Estimated Time: 60–150 minutes

When to Use This Checklist

Use this checklist after suspected VPS compromise, unknown users, suspicious services, unexpected cron jobs or repeated reinfection.

Required Tools

SSH access, sudo access, user list, cron files, systemd services, auth logs, backup

Before You Start

Do not delete system services blindly. Verify ownership, purpose and modification time before removing anything.

Structured Checklist Steps

  1. List users.
  2. Review sudo group.
  3. Review SSH keys.
  4. Review user crontabs.
  5. Review system cron.
  6. Review systemd units.
  7. Review enabled services.
  8. Review startup paths.
  9. Review recent system file changes.
  10. Document and remove confirmed unknown items.

Rollback Plan

If removing a startup item breaks a legitimate service, restore the saved file or service unit and document why it is required.

Common Mistakes

  • Ignoring authorized_keys.
  • Forgetting cron jobs.
  • Removing services without verification.
  • No record of what was changed.
  • Assuming malware cleanup is complete without checking startup persistence.

Related Commands

# Step 1: all accounts; human users normally have UID 1000 and above
cat /etc/passwd
# Step 2: members of the sudo group (use "wheel" on RHEL-family systems)
getent group sudo
# Step 3: authorized_keys files; /root is included because /home alone misses it
find /home /root -name authorized_keys -type f -print
# Step 4: crontab of the current user only; repeat per user with "sudo crontab -u USER -l"
crontab -l
# Step 5: system cron drop-ins (also check /etc/crontab and /etc/cron.hourly, .daily, .weekly, .monthly)
sudo ls -la /etc/cron.d/
# Steps 6-7: unit files that start automatically at boot
systemctl list-unit-files --state=enabled
# Step 9: unit files created or modified in the last 14 days
find /etc/systemd/system -type f -mtime -14
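The following POSIX shell script is an added example, not part of the HalfBrain.net checklist, that turns steps 1 to 9 of the Structured Checklist Steps and the Related Commands above into functions. Each function takes the file or directory to inspect as an argument, so the same logic runs against the live host (prefix "") or against a copy of a compromised filesystem mounted for offline review. The group names sudo and wheel, the Debian and RHEL cron spool locations, the 14-day window and the list of system paths are assumptions; the sample passwd, group, key and cron files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not HalfBrain.net's own code): a small helper that walks the
# checklist steps. Every function takes the file or directory to inspect as an
# argument, so the same logic runs on the live host (prefix "") or on a copied
# filesystem mounted for offline review (for example prefix "/mnt/evidence").
# Assumed: sudo/wheel as admin groups, Debian and RHEL cron spool paths.

# Step 1: login-capable accounts: UID 0 or a regular UID (>= 1000, below nobody)
# with a shell that is not nologin/false. Prints name:uid:shell.
list_human_users() {
    # $1: passwd file (e.g. /etc/passwd)
    awk -F: '($3 == 0 || ($3 >= 1000 && $3 < 65534)) && $7 !~ /(nologin|false)$/ {
        print $1 ":" $3 ":" $7 }' "$1"
}

# Step 2: members of an administrative group (sudo on Debian/Ubuntu, wheel on RHEL).
list_group_members() {
    # $1: group file (e.g. /etc/group), $2: group name
    awk -F: -v g="$2" '$1 == g {
        n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# Step 3: authorized_keys files, including root's, which a plain `find /home` misses.
# Prints "<key count> <path>" so an unexpected extra key stands out at a glance.
list_authorized_keys() {
    # $1: filesystem prefix ("" for the live host)
    for d in "$1"/root "$1"/home/*; do
        f="$d/.ssh/authorized_keys"
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(grep -c -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$f")" "$f"
    done
}

# Steps 4 and 5: every active cron line from the system crontab, /etc/cron.d and
# the per-user spools, skipping comments, blank lines and variable assignments.
list_cron_entries() {
    # $1: filesystem prefix ("" for the live host)
    for f in "$1"/etc/crontab "$1"/etc/cron.d/* \
             "$1"/var/spool/cron/crontabs/* "$1"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' -e '^[A-Za-z_]*=' "$f" | sed "s|^|$f: |"
    done
}

# Steps 8 and 9: files changed within the last N days under the given system paths
# (unit files, init scripts, cron drop-ins, locally installed binaries).
list_recent_files() {
    # $1: filesystem prefix, $2: days, remaining args: directories under the prefix
    prefix="$1"; days="$2"; shift 2
    for d in "$@"; do
        [ -d "$prefix$d" ] || continue
        find "$prefix$d" -type f -mtime -"$days"
    done
}

# Full live review; run with sudo because the cron spools are root-only.
# Save the output with the incident notes before removing anything (step 10).
review_live() {
    echo "== Step 1: human users (name:uid:shell)"; list_human_users /etc/passwd
    echo "== Step 2: sudo and wheel members"
    list_group_members /etc/group sudo; list_group_members /etc/group wheel
    echo "== Step 3: authorized_keys (key count, path)"; list_authorized_keys ""
    echo "== Steps 4-5: active cron entries"; list_cron_entries ""
    echo "== Steps 6-7: enabled systemd units"
    command -v systemctl >/dev/null 2>&1 && systemctl list-unit-files --state=enabled --no-legend
    echo "== Steps 8-9: system files changed in the last 14 days"
    list_recent_files "" 14 /etc/systemd/system /etc/init.d /etc/cron.d /usr/local/bin /usr/local/sbin
}

if [ "${1:-}" = "--live" ]; then
    review_live
fi
```

Run it as `sudo sh review.sh --live > review-before.txt`, keep that file with the incident record, and run it again after cleanup; a `diff` of the two outputs confirms which items were removed and shows whether anything reappeared, which covers step 10 and the "assuming malware cleanup is complete" mistake listed above.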
