
Sometimes, a site is hacked and the intruder hides the new or modified files by changing the file's date (mtime). Usually, they set it to a date that is not recent.

Using something like

find . -type f -ctime -3 -exec ls -ls {} \;

I can find files that have been changed or added in the last 3 days, even if the mtime was changed using touch or other tricks.

The problem is that often this produces a long list of files that have been changed by normal activities.

My idea is: If I can find files that have "strange" ctime - mtime, the monitoring is simpler. In my idea, if I can find files that have mtime > ctime or that have very different mtime and ctime, this simplifies greatly.

Is there some way to do this with find?

Benjamin W.
PaulVM
  • Add more relevant tags. – lupchiazoem May 10 '18 at 15:56
  • You many just want to store the results of your find into a database, and then just use SQL to report out. That way you have a nice history too. – sniperd May 10 '18 at 16:00
  • This question feels like it might be a better match for https://serverfault.com/ – Jason Aller May 10 '18 at 18:18
  • This is basically "how do I use find?", i.e. application support. I don't see how it is a programming question. – melpomene May 10 '18 at 18:41
  • I am not interested in rewriting another aide or similar sw. I simply need a fast solution for the explained purpose. I read the find man pages and googled a bit but I haven't found a simple solution. – PaulVM May 14 '18 at 21:25

1 Answer


List all files in the current dir where the modify date (stat -c %Y) is different from the change date (stat -c %Z):

stat -c %n#%Y#%Z * | awk -F# '{if ($2 != $3) print $1}'

and for those who don't want to understand before executing

find . -type f -exec stat -c %n#%Y#%Z {} \; | awk -F# '{if ($2 != $3) print $1}'

SEmore
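Added example, not from the question or the answer above: a script that flags files whose ctime and mtime disagree by more than a threshold, covering both cases the question asks about (mtime far older than ctime, as a backdated touch leaves, and mtime newer than ctime). It uses find -printf instead of stat with a # separator, so file names containing # do not break the field split. It assumes GNU find and GNU touch on Linux, as the answer's stat -c commands do; the function names suspicious_mtime and demo_suspicious and the constructed demo directory are assumptions.

```shell
#!/bin/sh
# Report regular files under DIR whose ctime and mtime differ by more than
# THRESHOLD seconds (default 60). Assumes GNU find (for -printf with %C@/%T@).
# Usage: suspicious_mtime DIR [THRESHOLD_SECONDS]
suspicious_mtime() {
    dir=$1
    threshold=${2:-60}
    # %C@ = ctime, %T@ = mtime, both as epoch seconds (with a fractional part),
    # tab-separated so a # in a file name cannot corrupt the fields.
    find "$dir" -type f -printf '%C@\t%T@\t%p\n' |
    awk -F'\t' -v t="$threshold" '{
        c = int($1); m = int($2); d = m - c
        if (d < 0) d = -d
        # mtime newer than ctime is impossible through normal writes:
        # a write moves both; only an explicit (future) touch produces it.
        if (d > t) printf "%s\t%s\n", (m > c ? "mtime>ctime" : "backdated"), $3
    }'
}

# Constructed demo (assumed scenario): one normally written file, one file
# backdated with touch, one file given a future mtime. touch -d changes only
# mtime; the kernel stamps ctime with the current time, which is the tell.
demo_suspicious() {
    d=$(mktemp -d)
    echo normal > "$d/normal.txt"
    echo constructed > "$d/webshell.php"
    touch -d '2015-01-01 00:00:00' "$d/webshell.php"
    echo constructed > "$d/planted.so"
    touch -d '2099-01-01 00:00:00' "$d/planted.so"
    suspicious_mtime "$d" 60
    rm -rf "$d"
}
```

Run demo_suspicious to see the two planted files reported with their category while normal.txt stays silent; in production, point suspicious_mtime at the web root and review anything it prints.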