Date: Thu, 26 Feb 2015 20:12:34 +0000
From: Glyn Grinstead <glyn@grinstead.org>
To: Mark Felder <feld@FreeBSD.org>
Cc: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Message-ID: <20150226201234.GA1920@dhole.grinstead.net>
In-Reply-To: <1424973772.4085078.232885457.0277C7ED@webmail.messagingengine.com>
References: <864mq9zsmm.fsf@gly.ftfl.ca> <32202C62-3CED-49B6-8259-0B18C52159D1@spam.lifeforms.nl> <1424973772.4085078.232885457.0277C7ED@webmail.messagingengine.com>
On Thu, 26 Feb 2015 at 12:02:52 -0600, Mark Felder wrote:
> On Wed, Feb 25, 2015, at 14:19, Walter Hop wrote:
> >
> > Example:
> > # touch -t 201501010000 foo
> > # find / -user www -newer foo
>
> Thanks for posting this trick -- I've never considered it before and
> will certainly put it in my toolbox!

While Walter is correct to give the universal form, if you know your
system supports the -newerXY option you can skip the temporary file and
use:

# find / -user www -newermt 2015-01-01

Find is a fun program to get to grips with to spot odd things going on.
There's a tendency to assume you need to know what you're looking for in
the first place, but you can also tell it to show you things you don't
know about:

Files with an unknown user or group (tidying up after restoring partially
from a backup, or spotting hacks that weren't quite elegant enough):

# find / -nouser -o -nogroup

I know my $PATH will have executables in it, and some other directories
are almost certain to contain executables as well. But where are there
executables that aren't in the usual places (maybe hacks, maybe users
riding roughshod across the system installing things in strange places
to trip people up later when they don't get patched)?

# find -E / -type d -regex "`echo $PATH | sed -e \"s/:/\|/g\"`|/usr/libexec|/boot|/usr/src|/usr/local/etc/rc.d|/usr/local/lib|/usr/local/libexec|/usr/ports/.*/work|/usr/obj|/rescue|/etc/rc.d|/etc/periodic|/libexec" -prune -o -type f -perm +111 -print

And you can combine them, of course: modified since 1st Jan 2015, a
regular file and executable:

# find / -newermt 2015-01-01 -type f -perm +111

Glyn.
(Something of a fan of find :-)
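Added here as an example, not part of Glyn's message or of FreeBSD: a version of his "executables outside the usual places" search that goes beyond the FreeBSD-only form by using just POSIX find primaries (-path/-prune, -perm -u+x, -newer), so the same function runs under BSD and GNU find, and that takes the date via Walter's reference-file trick rather than -newermt. The function name, its argument layout and the sample directories are my own.

```shell
#!/bin/sh
# unusual_execs ROOT SINCE [EXTRA_DIR ...]
#   ROOT       tree to scan (e.g. /)
#   SINCE      touch -t timestamp, CCYYMMDDhhmm; only files modified after
#              it are listed (reference file instead of -newermt)
#   EXTRA_DIR  directories to skip in addition to every entry of $PATH,
#              e.g. /usr/libexec /boot /usr/src /rescue (from Glyn's list)
# Lists regular files with the owner-execute bit set that live outside the
# skipped directories. Only POSIX find primaries are used (-path, -prune,
# -perm -u+x, -newer), so this works with both BSD and GNU find.
unusual_execs() {
    root=$1; since=$2; shift 2
    ref=$(mktemp) || return 1
    touch -t "$since" "$ref" || { rm -f "$ref"; return 1; }
    # Colon-separated skip list: $PATH first, then the caller's extras.
    list=$PATH
    for d in "$@"; do list="$list:$d"; done
    # Rebuild it as "-path A -o -path B ..." in the positional parameters.
    # '-path ""' can never match, so the chain is valid even if empty.
    set -- -path ''
    old_ifs=$IFS; IFS=:; set -f          # split on ':' only, no globbing
    for d in $list; do
        case $d in /*) set -- "$@" -o -path "${d%/}" ;; esac   # absolute only
    done
    IFS=$old_ifs; set +f
    find "$root" \( "$@" \) -prune -o \
        -type f -perm -u+x -newer "$ref" -print
    rc=$?
    rm -f "$ref"
    return $rc
}
# Example invocation (commented out: scanning / takes a while):
# unusual_execs / 201501010000 /usr/libexec /boot /usr/src /usr/obj /rescue
```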
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150226201234.GA1920>