Linux Backdoor Persistence

SSH

-- additional user
-- ssh keys for existing users
-- ~/.ssh/config , /etc/ssh/ssh_config: ProxyCommand
-- additional authorized_keys file, added in /etc/ssh/sshd_config

Persistence Mechanisms

-- cron job (system, users, /etc/crontab, /etc/cron.d/*)
-- service in systemd/systemv
-- profiles : /etc/profile
-- shell rc files: ./bashrc /etc/bash.bashrc
-- tools rc files: ./vimrc
-- PROMPT_COMMAND
-- trap DEBUG
-- aliases 
-- /etc/hosts.allow (or hosts.deny)
-- PAM
-- LD_PRELOAD
-- Binary of valid services 

.... 

Links

https://github.com/Aegrah/PANIX

https://www.rgrosec.com/