has my 10.1-RELEASE system been compromised

Glyn Grinstead glyn at grinstead.org
Thu Feb 26 20:12:45 UTC 2015


On Thu, 26 Feb 2015 at 12:02:52 -0600, Mark Felder wrote:
> On Wed, Feb 25, 2015, at 14:19, Walter Hop wrote:
> > 
> > Example:
> > # touch -t 201501010000 foo
> > # find / -user www -newer foo
> 
> Thanks for posting this trick -- I've never considered it before and
> will certainly put it in my toolbox!

While Walter is correct to give the universal form, if you know your system
supports the -newerXY option you can skip the temporary file and use:

# find / -user www -newermt 2015-01-01

Find is a fun program to get to grips with to spot odd things going on.
There's a tendency to assume you need to know what you're looking for in
the first place, but you can also tell it to show you things you don't
know about:

Files with an unknown user or group (tidying up after restoring partially
from a backup, or spotting hacks that weren't quite elegant enough):

# find / -nouser -o -nogroup

I know my $PATH will have executables in it, and some other directories are
almost certain to contain executables as well. But where are there
executables that aren't in the usual places (maybe hacks, maybe users riding
roughshod across the system installing things in strange places to trip
people up later when they don't get patched)?

# find -E / -type d -regex "`echo $PATH | sed -e \"s/:/\|/g\"`|/usr/libexec|/boot|/usr/src|/usr/local/etc/rc.d|/usr/local/lib|/usr/local/libexec|/usr/ports/.*/work|/usr/obj|/rescue|/etc/rc.d|/etc/periodic|/libexec" -prune -o -type f -perm +111 -print

And you can combine them, of course: modified since 1st Jan 2015, a regular
file and executable:

# find / -newermt 2015-01-01 -type f -perm +111

Glyn.
(Something of a fan of find :-)
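The "executables outside the usual places, modified since a date" check run against a constructed tree, as an added example that is not part of Glyn's message: a POSIX sh script that prunes a list of known directories with -path instead of the BSD-only -E/-regex, and uses -perm -u+x in place of -perm +111 so it also runs under GNU find. The directory list, file names and dates are all made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: a constructed tree plus a
# portable "odd executables" check built on the find(1) ideas above.
set -e

# Build a throwaway tree: one executable in a known place, one dropped in
# a scratch directory, one old executable from before the cutoff, and a
# plain data file. All names and dates are made up.
build_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/usr/bin" "$root/var/tmp" "$root/home/alice/.cache"
  for f in usr/bin/ls var/tmp/.x home/alice/.cache/helper home/alice/notes.txt; do
    : > "$root/$f"
  done
  chmod 755 "$root/usr/bin/ls" "$root/var/tmp/.x" "$root/home/alice/.cache/helper"
  chmod 644 "$root/home/alice/notes.txt"
  touch -t 201407150000 "$root/home/alice/.cache/helper"   # predates the cutoff
  printf '%s\n' "$root"
}

# odd_executables ROOT SINCE KNOWN
#   Print regular files under ROOT with any execute bit set, modified on or
#   after SINCE (YYYY-MM-DD), skipping the colon-separated KNOWN directories
#   (given relative to ROOT) with the same -prune -o idiom as the post.
odd_executables() {
  root=$1; since=$2; known=$3
  set --                                # assemble "-path A -o -path B -o ..."
  IFS=:
  for d in $known; do
    set -- "$@" -path "$root$d" -o
  done
  unset IFS                             # back to default word splitting
  # -false absorbs the trailing -o; -perm -X+x is portable where +111 is not
  find "$root" \( "$@" -false \) -prune -o -type f -newermt "$since" \
    \( -perm -u+x -o -perm -g+x -o -perm -o+x \) -print
}

# Demo run: only var/tmp/.x should be reported.
root=$(build_tree)
odd_executables "$root" 2015-01-01 /usr/bin
rm -rf "$root"
```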


More information about the freebsd-security mailing list