Sometimes, a site is hacked and the intruder hides the new or modified files by changing the file's date (mtime). Usually, they set it to a date that is not recent.
Using something like
find . -type f -ctime -3 -exec ls -ls {} \;
I can find files that have been changed or added in the last 3 days, even if the mtime was changed using touch or other tricks.
The problem is that often this produces a long list of files that have been changed by normal activities.
My idea is: If I can find files that have "strange" ctime - mtime, the monitoring is simpler. In my idea, if I can find files that have mtime > ctime or that have very different mtime and ctime, this simplifies greatly.
Is there some way to do this with find?
List all files in the current dir where the modify date (stat -c %Y) is different from the change date (stat -c %Z):
stat -c %n#%Y#%Z * | awk -F# '{if ($2 != $3) print $1}'
and for those who don't want to understand before executing
find . -type f -exec stat -c %n#%Y#%Z {} \; | awk -F# '{if ($2 != $3) print $1}'
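The one-liners above print every file whose mtime and ctime differ at all, which on a busy web root is still a long list. The following script is an added example (not part of the question or the answer above) that applies the threshold idea from the question: it only reports files whose mtime and ctime are more than a given number of seconds apart, and labels each hit as "backdated" (mtime older than ctime, the usual result of touch -t with an old date) or "mtime-after-ctime" (mtime newer than ctime, which normal filesystem activity should never produce). It assumes GNU coreutils find and stat (for --printf); the function name, the tab-separated output format, and the 60-second default threshold are choices made for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes GNU find/stat.
#
# skewed_timestamps DIR [THRESHOLD_SECONDS]
#   Lists regular files under DIR whose mtime (%Y) and ctime (%Z) differ
#   by more than THRESHOLD_SECONDS (default 60).
#   Output, one line per hit, tab separated:
#     <direction>  <abs difference in seconds>  <path>
#   direction is "backdated"         when mtime < ctime
#             or "mtime-after-ctime" when mtime > ctime
#
# A tab is used as the field separator (rather than '#') so that paths
# containing '#' do not break the awk parsing; paths containing a tab
# or newline are still not handled.
skewed_timestamps() {
    dir=${1:-.}
    threshold=${2:-60}

    # %Y = mtime, %Z = ctime (both seconds since the epoch), %n = path.
    find "$dir" -type f -exec stat --printf '%Y\t%Z\t%n\n' {} + |
    awk -F '\t' -v thr="$threshold" '
        {
            d = $1 - $2
            direction = (d > 0) ? "mtime-after-ctime" : "backdated"
            if (d < 0) d = -d
            if (d > thr) printf "%s\t%d\t%s\n", direction, d, $3
        }'
}

# Typical use on a web root, reporting only gaps larger than one day:
#   skewed_timestamps /var/www 86400
```

The ctime cannot be set from user space with touch, so it records when the file was last written or when its inode metadata (including a backdated mtime) was last changed; a large gap between the two, in either direction, is what this filter isolates. Files legitimately copied with preserved timestamps (cp -p, rsync -a, package extraction) will also show up, so the output is a list to review, not a verdict.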