Linux – UNIX ctime : how to keep this precious information in backups (tar)

Tags: find, linux, tar, unix

I have three questions related to the "ctime" information of a file.
They are in bold (if you don't have time you can jump directly to them).


A website on my dedicated server has been hacked. Lots of files have been edited.
I noticed that some hackers were clever enough to reset the mtime (some not).

atime and mtime can be changed with PHP functions.
ctime can also be changed by using the chmod function. But ctime is handled by the kernel, so it's only possible to set it to the current system date/time. It's impossible to set it back to the past.

I found some backdoors whose mtime had been reset to the ctime (a date in the past, like 1 or 2 years ago), so that I can't find them using a recursive search tool based on that information.

The key to being able to find all infested files quickly is of course the ctime information.
The problem is that I didn't think of it at first, so I first "chmoded" recursively all the files so that the website itself doesn't have write permissions anymore.
In doing this, I lost the precious ctime information.

I have lots of backups, in the form of .tar.gz files. I want to know if there is a way to extract from the tar.gz file the ctime of the files at the moment they were added to the tar.

I read the whole GNU tar documentation, and found out that the "GNU" format of tar (which is the default used by my Linux server) stores the ctime of its archived files.
I tried the following way to extract it:

tar -zxf Friday.tar.gz --to-command=./script

./script is a bash script and looks like this:

#!/bin/bash
# print the TAR_CTIME variable that tar exports for the member being extracted
echo "$TAR_CTIME"

The problem is that this gives the current date and time, maybe because tar gives out the information of the file it would itself create if I hadn't used --to-command.


If tar cannot handle this, are there backup tools which can keep the original ctime information?


How to list every file whose mtime and ctime differ? I read the find manual but only found the -newerXY test, which (if I understand well) can only compare a ctime with a ctime, an mtime with an mtime, etc. Is there a way to compare the ctime and the mtime of the same file?

Best Answer

Have you considered using tar compare option to see which files are changed? This should give you a quick list of candidates.
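As an added example, not code from the question or the answer: a shell function that answers the third question (files whose mtime and ctime differ by more than a tolerance, which is exactly what a backdated mtime looks like) and a wrapper around the tar --compare check the answer suggests. It assumes GNU find (for -printf) and GNU tar, and builds its own constructed demo tree.

```shell
#!/bin/sh
# List regular files under DIR whose ctime and mtime differ by more than
# TOL seconds (default 1). ctime cannot be set into the past from user space,
# so an mtime far older than the ctime means the mtime was reset after a change.
# Assumes GNU find: %C@ = ctime, %T@ = mtime (epoch seconds), %p = path.
mtime_ctime_mismatch() {
    dir=$1
    tol=${2:-1}
    find "$dir" -type f -printf '%C@ %T@ %p\n' |
    awk -v tol="$tol" '{
        diff = $1 - $2; if (diff < 0) diff = -diff
        if (diff > tol) { path = $0; sub(/^[^ ]+ [^ ]+ /, "", path); print path }
    }'
}

# Members of ARCHIVE that differ from the files on disk under DIR, using the
# tar --diff/--compare check from the answer. tar prints "name: Mod time differs"
# (or "Contents differ", "Mode differs", ...) and exits 1 when anything differs;
# that exit status is not an error here, so it is ignored.
tar_changed_files() {
    archive=$1
    dir=$2
    ( cd "$dir" && tar -df "$archive" 2>&1 || true ) |
    sed -n 's/: .* differ.*$//p' | sort -u
}

# Constructed demo tree (hypothetical file names): two files are archived,
# then the mtime of one is reset into the past the way the question describes.
# Prints the directory so the caller can inspect and remove it.
make_demo_tree() {
    d=$(mktemp -d)
    echo 'unchanged content' > "$d/clean.php"
    echo 'edited later' > "$d/evil.php"
    tar -cf "$d/backup.tar" -C "$d" clean.php evil.php
    touch -m -t 202001010000 "$d/evil.php"   # mtime -> 2020, ctime -> now
    printf '%s\n' "$d"
}
```

Run `d=$(make_demo_tree); mtime_ctime_mismatch "$d"; tar_changed_files "$d/backup.tar" "$d"; rm -rf "$d"` to see only evil.php reported by both checks.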