Cron-script deleted, but the job is still running in the crontab file
Writable file
$ cat /etc/crontab
...
* * * * * root /home/user/run.sh
...
# 1)
$ locate run.sh # no results
$ find / -name run.sh 2>/dev/null # no results
# create run.sh in the /home/user directory
$ cd /home/user/run.sh
$ nano run.sh
...
$ cat run.sh
#!/bin/bash
... start reverse shell, etc.
# 2)
# user home directory - writable by the current user
$ ls -l /home/user/run.sh
-rw-r--r-- 1 user user xx xxx xx xxxx /home/user/run.sh
$ cd /home/user
$ nano /home/user/run.sh
... append in malicious script