Sometimes a site is hacked and the intruder hides the new or modified files by changing the file's date (mtime). Usually they set it to a date that is not recent.
Using something like
find . -type f -ctime -3 -exec ls -ls {} \;
I can find files that have been changed or added in the last 3 days, even if the mtime was changed using touch or other tricks.
The problem is that often this produces a long list of files that have been changed by normal activities.
My idea is: if I can find files that have a "strange" ctime - mtime, the monitoring is simpler. That is, if I can find files that have mtime > ctime, or that have very different mtime and ctime, this simplifies things greatly.
Is there some way to do this with find?
List all files in the current directory where the modification time (stat -c %Y) differs from the change time (stat -c %Z):
stat -c %n#%Y#%Z * | awk -F# '{if ($2 != $3) print $1}'
and, for those who don't want to understand before executing, the recursive version (one stat call per batch of files):
find . -type f -exec stat -c %n#%Y#%Z {} + | awk -F# '{if ($2 != $3) print $1}'
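The answer above flags any file whose mtime and ctime differ at all, which on a real web root also catches every file restored with cp -p, unpacked from a tarball or installed by a package manager. The script below is an added example, not code from the question or the answer: it uses GNU find's -printf to read mtime (%T@) and ctime (%C@) in one pass and reports only the two cases the question asked for, mtime later than ctime (which a normal write can never produce, because the kernel bumps ctime whenever it sets mtime) and mtime older than ctime by more than a threshold. It assumes GNU find and GNU touch (for -d); the 60-second threshold, the function names and the sample file names are my own choices, and the demo tree is constructed data.

```sh
# find_backdated DIR [THRESHOLD_SECONDS]
# Prints one line per suspicious regular file under DIR:
#   "mtime>ctime<TAB>path"  mtime is later than ctime (timestamp set explicitly)
#   "gap=<n>s<TAB>path"     ctime is more than THRESHOLD seconds after mtime
# THRESHOLD defaults to 60 seconds (an assumed value; tune it for your site).
find_backdated() {
    local dir=$1 threshold=${2:-60}
    # %T@ = mtime, %C@ = ctime, both as seconds.fraction since the epoch;
    # %p = path, printed last so that paths containing spaces survive.
    find "$dir" -type f -printf '%T@ %C@ %p\n' |
    awk -v thr="$threshold" '
        {
            mtime = $1; ctime = $2
            # the path is everything after the two timestamp fields
            path = $0; sub(/^[^ ]+ [^ ]+ /, "", path)
            if (mtime > ctime)
                printf "mtime>ctime\t%s\n", path
            else if (ctime - mtime > thr)
                printf "gap=%ds\t%s\n", ctime - mtime, path
        }'
}

# demo: build a small tree (constructed sample data) with one normal file,
# one file whose mtime was backdated with touch, and one file whose mtime
# was pushed into the future, then scan it.
demo() {
    local tmp
    tmp=$(mktemp -d)
    echo 'index' > "$tmp/index.html"                  # normal: mtime == ctime
    echo 'payload' > "$tmp/cache.php"                 # stand-in for a planted file
    touch -d '2010-01-01 00:00:00' "$tmp/cache.php"   # intruder backdates mtime; ctime becomes "now"
    echo 'x' > "$tmp/future.txt"
    touch -d '+1 year' "$tmp/future.txt"              # mtime now later than ctime
    find_backdated "$tmp" 60
    rm -rf "$tmp"
}

demo
```

Expect index.html to be silent, cache.php to show up as a multi-year gap and future.txt as mtime>ctime. The gap check is still a heuristic: legitimate tools that preserve mtime (cp -p, tar, rsync -a, rpm/dpkg) produce the same signature, so review those hits against your deployment history, while an mtime>ctime hit has no innocent explanation on a normal system. An intruder with root can still defeat both checks by setting the system clock before touching the file or by editing the inode directly, so treat this as a triage filter, not proof. The awk loop is line-oriented, so a file name containing a newline will confuse it.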