Find all files recursively by a certain date


My site was compromised by an FTP brute-force attack and the cracker modified / created some files in my home directory.

Let's say the date of the malicious creation / modification is 2011-4-5 21:38:09. How can I find other files in public_html that were modified / created around that time?

I tried searching via Google but found nothing helpful. Can you please give me some examples, like ls or find? Thanks!

Best Answer

You can:

touch -m -t 201104052138.08 /tmp/timestamp

find /dir -newer /tmp/timestamp

The initial touch creates a file with an mtime of one second before your required timestamp, and the find then uses that to find files modified (in terms of content) after that time.

You will also want to check permissions and group ownership. You can't use the above technique to do that, since touch can only change the atime and the mtime. So, you're better off determining what the correct permissions are, and just resetting them. For example, if typically your web files are owned by root with group www-pub, and have permissions 0755 for directories and 0644 for files, you can use

find /dir \! -user root 

to find files and directories not owned by root and

find /dir \! -group www-pub 

to find files and directories not owned by www-pub.

The -perm flag to find can be used to find files based on permissions, too, but you're better off just setting things to what they should be.

find /dir -exec chown root:www-pub {} \;
find /dir -type f -exec chmod 0644 {} \;
find /dir -type d -exec chmod 0755 {} \;
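Here is an added example (not part of the answer above, and not code from the original poster) that turns the answer's touch/find technique into two small POSIX sh functions. The first reports every path whose mtime falls inside a time window, with both a start and an end bound rather than only "after", which matches the "around that time" wording of the question; the second lists files and directories whose mode differs from the 0644/0755 baseline the answer recommends, using the -perm test the answer mentions. Directory names, file names and the expected modes are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original answer. Assumes only POSIX sh, touch -t
# and find with -newer / -perm, so it works on GNU and BSD systems alike.

# find_modified_between DIR START END
#   START and END are in touch -t form: [[CC]YY]MMDDhhmm[.ss]
#   e.g. find_modified_between /home/user/public_html 201104052100.00 201104052200.00
#   Prints every path under DIR whose mtime lies in (START, END].
#   -newer is strict ("newer than"), so, as in the answer above, pass a START
#   one second earlier than the first time you want included.
#   Directories are reported too: a directory's mtime changes when an entry
#   is created or removed in it, which shows where files were dropped.
find_modified_between() {
    dir=$1
    start=$2
    end=$3
    # Reference files live outside DIR so they are never reported themselves.
    ref=$(mktemp -d) || return 1
    touch -m -t "$start" "$ref/start"
    touch -m -t "$end" "$ref/end"
    find "$dir" -newer "$ref/start" ! -newer "$ref/end"
    rc=$?
    rm -rf "$ref"
    return $rc
}

# find_wrong_perms DIR
#   Lists regular files whose mode is not exactly 0644 and directories whose
#   mode is not exactly 0755 (the baseline assumed in the answer). Review the
#   output before running the chmod lines from the answer, so that anything
#   that legitimately needs a different mode is not silently reset.
find_wrong_perms() {
    dir=$1
    find "$dir" -type f ! -perm 644
    find "$dir" -type d ! -perm 755
}
```

Because -newer compares against a reference file's mtime, the same pair of functions works on a mounted backup or a forensic copy of the web root, where the original timestamps are preserved but the owner and group may not be.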