On Fri, Feb 03, 2023 at 04:27:06PM +0100, Nicolas George wrote:
> - crontabs or atjobs that download instructions from the web;
>
> - .procmailrc or “|something” in .forward;
>
> - probably one or two mechanisms I forgot about.

systemd --user units and timers.
Any process currently running under that user's UID.
Any files owned by that user's UID which have the setuid bit set (land mines).

> When there is a suspicious access to a user account, we want to lock
> this account until we made sure. So “:-:” in /etc/shadow and shell to
> /bin/false, and “sudo -u user kill -9 -1”.

I don't know whether that disables ssh logins that use key auth instead
of password auth.
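
Added example, not part of the original message: a read-only shell inventory of the per-user mechanisms listed in this thread (crontab, at jobs, .forward/.procmailrc, systemd --user units, setuid files, running processes), plus ~/.ssh/authorized_keys because key-based logins come up above. The function names, the ROOT prefix parameter and the Debian spool paths are assumptions; run it as root so the spool directories are readable.

```shell
#!/bin/sh
# Added example: read-only inventory of the per-user mechanisms named in this thread.
# Usage: audit_persistence USER HOME [ROOT]
#   ROOT (hypothetical parameter) prefixes every path so a mounted image or a
#   test tree can be audited; leave it empty for the live system.
#   Spool paths are the Debian defaults (assumption).

# Prefix every path read on stdin with a kind label.
tag() { while IFS= read -r p; do printf '%s\t%s\n' "$1" "$p"; done; }

audit_persistence() {
    user=$1 home=$2 root=${3:-}

    # User crontab: one spool file named after the account.
    f="$root/var/spool/cron/crontabs/$user"
    if [ -f "$f" ]; then echo "$f" | tag crontab; fi

    # Queued at jobs: spool files owned by the submitting user.
    d="$root/var/spool/cron/atjobs"
    if [ -d "$d" ]; then find "$d" -type f -user "$user" | tag atjob; fi

    # Mail-triggered commands (.forward pipes, procmail recipes) and SSH keys.
    for n in .forward .procmailrc .ssh/authorized_keys; do
        if [ -e "$root$home/$n" ]; then echo "$root$home/$n" | tag dotfile; fi
    done

    # systemd --user units and timers, including enabled-unit symlinks.
    d="$root$home/.config/systemd/user"
    if [ -d "$d" ]; then
        find "$d" \( -name '*.service' -o -name '*.timer' \) | tag systemd-user
    fi

    # Setuid files owned by the account. -xdev stays on one filesystem;
    # other mounted filesystems need their own find run.
    find "$root/" -xdev -type f -user "$user" -perm -4000 2>/dev/null | tag setuid

    # Live processes only make sense on the running system.
    if [ -z "$root" ]; then
        ps -u "$user" -o pid=,args= | tag process
    fi
    return 0
}

# Example: audit_persistence alice /home/alice
```

Each output line is a kind label, a tab, and the path (or PID and command line) to review before the account is unlocked.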