    How to Find Hidden Cron Jobs and systemd Services on Linux

    Learn how to uncover hidden scheduled tasks and services on your Linux computer, often used by malware for persistence.

    7 min read · Beginner friendly

    What are Cron Jobs and systemd Services?

    On Linux, both cron jobs and systemd services are ways that your computer automates tasks. Think of them as alarm clocks that trigger specific actions at certain times or when your system starts up.

    Malware often abuses these features to make sure it is started again automatically every time you turn on your computer; this is what makes it "persistent".

    Checking for Suspicious Cron Jobs

    We'll start by looking at cron jobs. These can be set up by individual users or by the system itself.

    1. Check your personal cron jobs: Open a Terminal (usually by pressing Ctrl+Alt+T) and type crontab -l. This shows scheduled tasks for your user account. Look for anything you don't recognise. An empty output is often a good sign for a home user.
    2. Check root cron jobs: These are system-wide jobs that run with special permissions. In the Terminal, type sudo crontab -l -u root. You may be asked for your password. Again, look for anything suspicious.
    3. Examine system-wide cron directories: System-wide cron jobs are often stored in specific folders. Use the command ls -l /etc/cron.* to list the contents of these directories. Pay attention to any unusual file names or scripts you don't recall installing.
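    The three checks above can be combined into one script that walks the same places (your own crontab and other users' crontabs in the spool directory, /etc/crontab, /etc/cron.d and the /etc/cron.* period directories) and prints every job on one line with the file it came from, its schedule, the account it runs as and the command it runs. This is an added example written for this article, not a tool the article describes. The spool paths it uses are the common defaults (/var/spool/cron/crontabs on Debian-style systems, /var/spool/cron on Red Hat-style ones), reading other users' spool files needs root, and the fixture directory it can build is constructed sample data, not output from a real machine.

```shell
#!/bin/sh
# Added example: inventory cron jobs below a root directory ("" = the live
# system).  Output is one line per job: FILE | SCHEDULE | USER | COMMAND.

# Print the jobs in one crontab file.  $2 is "system" for /etc/crontab and
# /etc/cron.d/* (the sixth field is the user) or "user" for spool files,
# where there is no user field and the file name is the user.
cron_entries() {
    file=$1
    kind=$2
    [ -f "$file" ] && [ -r "$file" ] || return 0
    # drop comments, blank lines and VAR=value settings such as PATH=...
    sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d; /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/d' "$file" |
    while IFS= read -r line; do
        set -f                  # no globbing: the '*' fields must stay literal
        set -- $line
        set +f
        case ${1:-} in
            @*) n=1 ;;          # @reboot, @hourly, @daily ... is a single field
            *)  n=5 ;;          # minute hour day-of-month month day-of-week
        esac
        if [ "$kind" = system ]; then need=$((n + 2)); else need=$((n + 1)); fi
        if [ $# -lt "$need" ]; then
            printf '%s | MALFORMED | - | %s\n' "$file" "$line"
            continue
        fi
        if [ "$n" -eq 1 ]; then sched=$1; shift; else sched="$1 $2 $3 $4 $5"; shift 5; fi
        if [ "$kind" = system ]; then user=$1; shift; else user=${file##*/}; fi
        printf '%s | %s | %s | %s\n' "$file" "$sched" "$user" "$*"
    done
    return 0
}

# Walk the standard locations below $1 (Debian keeps user crontabs in
# /var/spool/cron/crontabs, Red Hat-style systems in /var/spool/cron).
cron_inventory() {
    root=${1:-}
    printf 'FILE | SCHEDULE | USER | COMMAND\n'
    cron_entries "$root/etc/crontab" system
    for f in "$root"/etc/cron.d/*; do cron_entries "$f" system; done
    for f in "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        cron_entries "$f" user  # silently skipped when not readable without root
    done
    # The period directories hold scripts run by run-parts, not crontab lines,
    # so show owner, permissions and modification time for each file instead.
    printf 'SCRIPTS IN PERIOD DIRECTORIES:\n'
    for f in "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* \
             "$root"/etc/cron.weekly/* "$root"/etc/cron.monthly/*; do
        [ -e "$f" ] && ls -ld "$f"
    done
    return 0
}

# Constructed fixture (not a real system) so the script can be tried offline.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/cron.d" "$root/etc/cron.daily" "$root/var/spool/cron/crontabs"
    printf 'PATH=/usr/bin:/bin\n# m h dom mon dow user command\n' > "$root/etc/crontab"
    printf '17 * * * *\troot\tcd / && run-parts --report /etc/cron.hourly\n' >> "$root/etc/crontab"
    printf '@reboot root /usr/local/bin/updater.sh\n' > "$root/etc/cron.d/updater"
    printf '* * *\n' > "$root/etc/cron.d/broken"        # too few fields
    printf '*/5 * * * * /tmp/.cache/sync.sh >/dev/null 2>&1\n' > "$root/var/spool/cron/crontabs/alice"
    printf '#!/bin/sh\nexit 0\n' > "$root/etc/cron.daily/logrotate"
    printf '%s\n' "$root"
}

# Run against the live system, or against a fixture root given as $1.
cron_inventory "${1:-}"
```

    Run it as `sudo sh cron_inventory.sh` to see every account's jobs, or `sh cron_inventory.sh "$(sh -c '. ./cron_inventory.sh >/dev/null; make_fixture')"` style invocations aside, simply call `make_fixture` and pass its path to see the constructed sample. Anything the page's manual checks would turn up (a job under a hidden directory, a user you did not expect, a script in cron.daily you never installed) shows up here on a single line, and a line marked MALFORMED means the file does not parse as cron expects, which is itself worth a look.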

    Investigating systemd Services and Timers

    systemd is the more modern mechanism most Linux distributions now use to manage services and scheduled tasks. We'll look at both persistent services and "timers", which are systemd's counterpart to cron jobs.

    1. List all systemd services: In the Terminal, type systemctl list-units --type=service --all. This will show a long list, including services that are not currently running. Focus on services that are active or enabled to start at boot, and look for any with strange names or descriptions.
    2. Check for systemd timers: These are systemd's scheduled tasks. Type systemctl list-timers --all. Again, look for any timer you don't recognise that is active or enabled.
    3. Examine user-specific systemd units: Malware might hide in user-specific systemd directories. Type ls -l ~/.config/systemd/user/ to see if there are any suspicious user-defined services or timers.
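    The systemd steps can be scripted in the same way. The script below is an added example written for this article, not part of it: it walks the unit directories that an administrator, a running process or a user can add units to (/etc/systemd/system, /run/systemd/system and ~/.config/systemd/user; packaged units under /usr/lib/systemd/system are left out so the list stays short) and prints, for each .service and .timer file, what it runs, when a timer fires, and whether an enable symlink in a *.wants/ directory ties it into boot or login. It complements systemctl list-units, which shows what systemd currently has loaded, by reading the files on disk. The fixture it builds is constructed sample data.

```shell
#!/bin/sh
# Added example: list the .service and .timer files in a systemd unit directory
# and show what each runs, when a timer fires, and whether it is enabled.

# Values of key $2 in unit file $1, joined with ';' (systemd lets some keys,
# ExecStart among them, appear more than once).  Prints nothing if absent.
unit_key() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tr '\n' ';' | sed 's/;$//'
}

# Names of the <target>.wants/ directories beside the unit that link to it.
# "systemctl enable" creates exactly such a symlink and "disable" removes it,
# so this is the on-disk equivalent of the enabled/disabled state.
enabled_by() {
    unitdir=$1
    unit=$2
    found=""
    for link in "$unitdir"/*.wants/"$unit"; do
        [ -L "$link" ] || [ -e "$link" ] || continue
        target=${link%/*}               # drop the unit name ...
        target=${target##*/}            # ... and the leading directories
        found="${found:+$found,}${target%.wants}"
    done
    printf '%s\n' "${found:-not-enabled}"
}

unit_inventory() {
    unitdir=$1
    [ -d "$unitdir" ] || return 0
    for unit in "$unitdir"/*.service "$unitdir"/*.timer; do
        [ -f "$unit" ] || continue      # skips masked units (symlinks to /dev/null)
        name=${unit##*/}
        case $name in
            *.timer)
                when=$(unit_key "$unit" OnCalendar)
                [ -n "$when" ] || when=$(unit_key "$unit" OnBootSec)
                act=$(unit_key "$unit" Unit)   # default: the same-named .service
                what="fires: ${when:-?}, activates: ${act:-${name%.timer}.service}" ;;
            *)
                what="runs: $(unit_key "$unit" ExecStart)" ;;
        esac
        printf '%s | %s | WantedBy=%s | enabled-by: %s\n' "$name" "$what" \
            "$(unit_key "$unit" WantedBy)" "$(enabled_by "$unitdir" "$name")"
    done
    return 0
}

# Constructed fixture (not a real system): a timer-driven backup job in the
# system directory and a user unit with no description running from a hidden path.
make_fixture() {
    root=$(mktemp -d)
    sys="$root/etc/systemd/system"
    usr="$root/home/alice/.config/systemd/user"
    mkdir -p "$sys/multi-user.target.wants" "$sys/timers.target.wants" "$usr"
    cat > "$sys/backup.service" <<'EOF'
[Unit]
Description=Nightly backup

[Service]
Type=oneshot
ExecStart=/usr/local/bin/backup.sh

[Install]
WantedBy=multi-user.target
EOF
    cat > "$sys/backup.timer" <<'EOF'
[Timer]
OnCalendar=*-*-* 02:00:00
Persistent=true

[Install]
WantedBy=timers.target
EOF
    ln -s ../backup.timer "$sys/timers.target.wants/backup.timer"   # what "systemctl enable" does
    cat > "$usr/update.service" <<'EOF'
[Service]
ExecStart=/bin/sh -c '/home/alice/.local/share/.agent'
Restart=always

[Install]
WantedBy=default.target
EOF
    printf '%s\n' "$root"
}

# Usage: sh unit_inventory.sh [root]   ("" = live system)
root=${1:-}
for d in "$root/etc/systemd/system" "$root/run/systemd/system" \
         "$root${HOME:-/root}/.config/systemd/user"; do
    printf '== %s\n' "$d"
    unit_inventory "$d"
done
```

    In the constructed sample, backup.timer is enabled (its symlink sits in timers.target.wants/) while backup.service is not, which is the normal shape for a timer-driven job: the service is started by the timer rather than at boot. A user unit with no Description, a Restart=always line and an ExecStart pointing into a hidden directory is the kind of entry the manual check in step 3 is meant to surface.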

    Be very careful when disabling or removing services/cron jobs. If you're unsure, it's best to research the item online or seek advice before making changes, as you could accidentally break essential system functions.

    What to do if you find something suspicious

    If you uncover a cron job or systemd unit that looks out of place, here’s how to proceed.

    1. Research it: Copy the name of the suspicious job or service and search for it online. Often, legitimate system components have clear documentation.
    2. Disable cron jobs: To remove a suspicious user cron job, type crontab -e, delete the line, save, and exit. For system-wide cron jobs, you would typically delete the specific file from the relevant /etc/cron.* directory (e.g., sudo rm /etc/cron.daily/malware-script).
    3. Disable systemd units: To temporarily stop a unit, use sudo systemctl stop suspicious.service. To prevent it from starting on boot, use sudo systemctl disable suspicious.service. To remove it entirely, you would typically delete the service file (e.g., sudo rm /etc/systemd/system/malware.service).
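    Because the removal steps above are hard to undo once a file is gone, the script below (an added example written for this article, not a tool it describes) performs them in a reversible order: stop, disable, move the unit file into a dated quarantine directory together with a record of its original owner and permissions, then tell systemd to re-read its unit files. The same quarantine function works for a file in /etc/cron.d or one of the /etc/cron.* directories. The quarantine location /var/backups/quarantine is a choice made here, not a standard path; set SYSTEMCTL to "echo" to see what would run without changing anything, or to "systemctl --user" for a unit under ~/.config/systemd/user.

```shell
#!/bin/sh
# Added example: reversible removal of a suspicious systemd unit or cron file.
# Files are moved, not deleted, so a mistake can be undone with one command.

QUARANTINE_DIR=${QUARANTINE_DIR:-/var/backups/quarantine}  # chosen here, not a standard path
SYSTEMCTL=${SYSTEMCTL:-systemctl}  # "echo" for a dry run, "systemctl --user" for user units

# Move an absolute path into $QUARANTINE_DIR/<timestamp>/<original path>,
# noting its owner, mode and mtime first, and print where it went.
quarantine_file() {
    src=$1
    if [ ! -e "$src" ]; then
        echo "quarantine_file: $src does not exist" >&2
        return 1
    fi
    dest="$QUARANTINE_DIR/$(date +%Y%m%dT%H%M%S)$src"
    mkdir -p "${dest%/*}"
    ls -ld "$src" >> "${dest%/*}/.original-listing"   # ownership and mode before the move
    mv "$src" "$dest"
    printf '%s\n' "$dest"
}

# Stop and disable a unit, quarantine its file, and make systemd forget it.
# Usage: remove_unit suspicious.service /etc/systemd/system/suspicious.service
remove_unit() {
    unit=$1
    file=$2
    $SYSTEMCTL stop "$unit"
    $SYSTEMCTL disable "$unit"      # removes the *.wants/ symlink created by enable
    moved=$(quarantine_file "$file") || return 1
    $SYSTEMCTL daemon-reload        # needed after a unit file is removed or moved
    printf '%s\n' "$moved"
}

# A cron file needs no daemon action: cron re-reads /etc/cron.d and the period
# directories by itself.  (A user crontab is edited with "crontab -e"; keep a
# copy with "crontab -l > somewhere" before changing it.)
remove_cron_file() {
    quarantine_file "$1"
}

# Undo: put a quarantined file back where it came from.  For a systemd unit,
# run "systemctl daemon-reload" and "systemctl enable" again afterwards.
restore_file() {
    quarantined=$1                                    # path printed by quarantine_file
    original="/${quarantined#"$QUARANTINE_DIR"/*/}"   # strip <quarantine>/<timestamp>/
    mkdir -p "${original%/*}"
    mv "$quarantined" "$original"
    printf '%s\n' "$original"
}
```

    The .original-listing file next to each quarantined copy keeps the ls -l line from before the move, so the owner, permissions and timestamp are preserved even after the file has changed hands, which is useful when you later ask for help identifying it.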

    After disabling or removing a suspicious item, it is good practice to run a full system scan with reputable antivirus software designed for Linux, such as ClamAV, and tools like chkrootkit or rkhunter.