has my 10.1-RELEASE system been compromised

Mark Felder feld at FreeBSD.org
Thu Feb 26 20:43:25 UTC 2015



On Thu, Feb 26, 2015, at 14:12, Glyn Grinstead wrote:
> On Thu, 26 Feb 2015 at 12:02:52 -0600, Mark Felder wrote:
> > On Wed, Feb 25, 2015, at 14:19, Walter Hop wrote:
> > > 
> > > Example:
> > > # touch -t 201501010000 foo
> > > # find / -user www -newer foo
> > 
> > Thanks for posting this trick -- I've never considered it before and
> > will certainly put it in my toolbox!
> 
> While Walter is correct to give the universal form, if you know your
> system supports the -newerXY option you can skip the temporary file and
> use:
> 
> # find / -user www -newermt 2015-01-01
> 
> Find is a fun program to get to grips with to spot odd things going on.
> There's a tendency to assume you need to know what you're looking for in
> the first place, but you can also tell it to show you things you don't
> know about:
> 
> Files with an unknown user or group (tidying up after restoring partially
> from a backup, or spotting hacks that weren't quite elegant enough):
> 
> # find / -nouser -o -nogroup
> 
> I know my $PATH will have executables in it, and some other directories
> are almost certain to contain executables as well. But where are there
> executables that aren't in the usual places (maybe hacks, maybe users
> riding roughshod across the system installing things in strange places to
> trip people up later when they don't get patched)?
> 
> # find -E / -type d -regex \
>     "`echo $PATH | sed -e \"s/:/\|/g\"`|/usr/libexec|/boot|/usr/src|/usr/local/etc/rc.d|/usr/local/lib|/usr/local/libexec|/usr/ports/.*/work|/usr/obj|/rescue|/etc/rc.d|/etc/periodic|/libexec" \
>     -prune -o -type f -perm +111 -print
> 
> And you can combine them, of course: modified since 1st Jan 2015, a
> regular file and executable:
> 
> # find / -newermt 2015-01-01 -type f -perm +111
> 
> Glyn.
> (Something of a fan of find :-)

Please partner with MW Lucas and write a "find mastery" to document all
of these clever uses of find. 

(I'd read it.)
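The checks Glyn lists, combined into one script that builds a throwaway tree and runs the "executables outside the usual places, modified after a cutoff" search over it. This is an added example, not code from the thread or from FreeBSD; the names KNOWN_EXEC_DIRS, find_new_executables and build_demo_tree and the sample files are constructed here. It deliberately uses only portable find primaries (-newer with a touched reference file, -path, -prune, -perm -100) so the same script runs under FreeBSD find and GNU find; -newermt, -E and -regex from the post are BSD/GNU-specific and are left out for that reason.

```shell
#!/bin/sh
# Added example, not code from the thread: a constructed directory tree plus
# the "new executables outside the usual places" check from Glyn's post,
# written with portable find primaries only (-newer, -path, -prune, -perm -100)
# so it runs on FreeBSD and GNU find alike.
set -eu

# Directories expected to hold executables. Constructed for the demo; on a
# real host this would be $PATH split on ':' plus the system dirs in the post.
KNOWN_EXEC_DIRS="bin usr/bin usr/local/bin usr/libexec"

# find_new_executables ROOT REFFILE
# Print regular files under ROOT that have the owner-execute bit set and were
# modified more recently than REFFILE, skipping KNOWN_EXEC_DIRS entirely.
find_new_executables() {
    root=$1
    ref=$2
    # Build "-path ROOT/d1 -o -path ROOT/d2 ..." as the positional parameters
    # so no word splitting or eval is needed.
    set --
    for d in $KNOWN_EXEC_DIRS; do
        [ $# -eq 0 ] || set -- "$@" -o
        set -- "$@" -path "$root/$d"
    done
    find "$root" \( "$@" \) -prune -o \
        -type f -perm -100 -newer "$ref" -print | sort
}

# build_demo_tree
# Create a throwaway tree (constructed sample data) and print its path.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/usr/bin" "$root/tmp" "$root/var/www/uploads"
    # Cutoff marker, the same trick as "touch -t 201501010000 foo".
    touch -t 201501010000 "$root/cutoff"
    # Old binary in a known place, dated before the cutoff: not reported.
    printf '#!/bin/sh\n' > "$root/bin/ls"
    chmod 755 "$root/bin/ls"
    touch -t 201412010000 "$root/bin/ls"
    # Fresh binary in a known place: not reported, the directory is pruned.
    printf '#!/bin/sh\n' > "$root/usr/bin/newtool"
    chmod 755 "$root/usr/bin/newtool"
    # Fresh executable dropped under a web upload directory: reported.
    printf '#!/bin/sh\n' > "$root/var/www/uploads/.x"
    chmod 755 "$root/var/www/uploads/.x"
    # Fresh but not executable: not reported.
    printf 'data\n' > "$root/tmp/notes.txt"
    echo "$root"
}

demo_root=$(build_demo_tree)
echo "Executables outside the known dirs, newer than the cutoff:"
find_new_executables "$demo_root" "$demo_root/cutoff"
rm -rf "$demo_root"
```

Only the file under var/www/uploads is printed: bin/ls predates the cutoff, usr/bin/newtool sits in a pruned directory, and tmp/notes.txt has no execute bit. -perm -100 (all of the owner-execute bits set) stands in for the post's -perm +111 because GNU find no longer accepts the + form; -nouser/-nogroup is not exercised because creating a file owned by a nonexistent uid needs root.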

