Date: Thu, 26 Feb 2015 14:43:23 -0600
From: Mark Felder <feld@FreeBSD.org>
To: Glyn Grinstead <glyn@grinstead.org>
Cc: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Message-ID: <1424983403.4117041.232953973.212CCED4@webmail.messagingengine.com>
In-Reply-To: <20150226201234.GA1920@dhole.grinstead.net>
References: <864mq9zsmm.fsf@gly.ftfl.ca> <32202C62-3CED-49B6-8259-0B18C52159D1@spam.lifeforms.nl> <1424973772.4085078.232885457.0277C7ED@webmail.messagingengine.com> <20150226201234.GA1920@dhole.grinstead.net>
On Thu, Feb 26, 2015, at 14:12, Glyn Grinstead wrote:
> On Thu, 26 Feb 2015 at 12:02:52 -0600, Mark Felder wrote:
> > On Wed, Feb 25, 2015, at 14:19, Walter Hop wrote:
> > >
> > > Example:
> > > # touch -t 201501010000 foo
> > > # find / -user www -newer foo
> >
> > Thanks for posting this trick -- I've never considered it before and
> > will certainly put it in my toolbox!
>
> While Walter is correct to give the universal form, if you know your system
> supports the -newerXY option you can skip the temporary file and use:
>
> # find / -user www -newermt 2015-01-01
>
> Find is a fun program to get to grips with to spot odd things going on.
> There's a tendency to assume you need to know what you're looking for in
> the first place, but you can also tell it to show you things you don't
> know about:
>
> Files with an unknown user or group (tidying up after restoring partially
> from a backup, or spotting hacks that weren't quite elegant enough):
>
> # find / -nouser -o -nogroup
>
> I know my $PATH will have executables in it, and some other directories are
> almost certain to contain executables as well. But where are there
> executables that aren't in the usual places (maybe hacks, maybe users riding
> roughshod across the system installing things in strange places to trip
> people up later when they don't get patched)?
>
> # find -E / -type d -regex "`echo $PATH | sed -e \"s/:/\|/g\"`|/usr/libexec|/boot|/usr/src|/usr/local/etc/rc.d|/usr/local/lib|/usr/local/libexec|/usr/ports/.*/work|/usr/obj|/rescue|/etc/rc.d|/etc/periodic|/libexec" \
>     -prune -o -type f -perm +111 -print
>
> And you can combine them, of course: modified since 1st Jan 2015, a regular
> file and executable:
>
> # find / -newermt 2015-01-01 -type f -perm +111
>
> Glyn.
> (Something of a fan of find :-)

Please partner with MW Lucas and write a "find mastery" to document all of these clever uses of find. (I'd read it.)
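The three checks Walter and Glyn describe (files modified after a reference date, files with no owner or group, and executables outside the expected directories), as an added example that is not part of the thread. It uses only POSIX find primaries (-newer with a touch -t reference file, -path/-prune, -perm -mode) so it runs on both BSD and GNU find; the -newermt, -E and -perm +111 forms in the thread are BSD-specific. The allow-list of directories, the sample tree and its timestamps are all constructed here for the demonstration.

```sh
#!/bin/sh
# Added example: portable find-based triage, exercised on a constructed tree.

# Regular files under $1 modified after the reference timestamp $2
# (YYYYMMDDhhmm, the touch -t form from Walter's mail). The temporary
# reference file replaces the BSD-only -newermt primary.
recent_files() {
    root=$1; stamp=$2
    ref=$(mktemp) || return 1
    touch -t "$stamp" "$ref"
    find "$root" -type f -newer "$ref" | sort
    rm -f "$ref"
}

# Files whose uid or gid no longer maps to a passwd/group entry.
unowned_files() {
    find "$1" \( -nouser -o -nogroup \) -print | sort
}

# Executable regular files under $1 that are not below any directory in
# the colon-separated allow-list $2 (paths relative to $1). Each allowed
# directory becomes a "-path DIR -prune -o" clause; the -perm -mode tests
# (any execute bit set) are the portable spelling of BSD's -perm +111.
stray_executables() {
    root=$1; allowed=$2
    oldifs=$IFS; IFS=:
    set --
    for d in $allowed; do
        set -- "$@" -path "$root/$d" -prune -o
    done
    IFS=$oldifs
    find "$root" "$@" -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print | sort
}

# Build a constructed sample tree: two "legitimate" executables dated before
# the reference point, plus an executable in a hidden tmp directory and a
# recently modified file under the web user's home. Prints the tree root.
make_sample_tree() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/bin" "$base/usr/local/bin" "$base/tmp/.x" "$base/home/www"
    printf '#!/bin/sh\n' > "$base/bin/ls"
    printf '#!/bin/sh\n' > "$base/usr/local/bin/sudo"
    chmod 755 "$base/bin/ls" "$base/usr/local/bin/sudo"
    touch -t 201412150000 "$base/bin/ls" "$base/usr/local/bin/sudo"
    printf '#!/bin/sh\n' > "$base/tmp/.x/run"
    chmod 755 "$base/tmp/.x/run"
    printf 'constructed sample\n' > "$base/home/www/shell.php"
    touch -t 201502200000 "$base/tmp/.x/run" "$base/home/www/shell.php"
    printf '%s\n' "$base"
}

# Demo run against the constructed tree.
demo_base=$(make_sample_tree)
echo "== regular files modified since 2015-01-01 under $demo_base"
recent_files "$demo_base" 201501010000
echo "== files with unknown owner or group"
unowned_files "$demo_base"
echo "== executables outside bin and usr/local/bin"
stray_executables "$demo_base" bin:usr/local/bin
rm -rf "$demo_base"
```

On a real system the allow-list would be the directories from $PATH plus the extra locations Glyn enumerates, and the reference timestamp would be the last known-good date (a package install or the previous audit). Output from any of these checks is a starting point for inspection, not a verdict: a file is only interesting once its presence cannot be explained by normal administration.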