
Linux find Command: Practical Guide for Finding Suspicious Files and Malware

Practical Guide to Using the Linux find Command for Security Audits

The find command is an essential tool for Linux system administration and security investigations. When you suspect the presence of suspicious files (such as malware or backdoors), you can use find with criteria like modification time, file type, and name for precise searches. Below are several practical scenarios and commands.

1. Find Files Modified Within the Last 30 Days

Search the current directory and its subdirectories for all regular files modified in the last 30 days, listing them with detailed information. This helps identify recently altered or implanted files.

find ./ -mtime -30 -type f -exec ls -l {} \;
  • -mtime -30: Modification time is less than 30 days ago.
  • -type f: Restrict search to regular files.
  • -exec ls -l {} \;: Execute ls -l on each found file to show details. The semicolon terminates the -exec command and must be escaped (\;) or quoted (';') so the shell passes it to find instead of treating it as a command separator.

2. Find and List All .txt Files

Locate all files with the .txt extension in the current directory and subdirectories.

find ./ -name "*.txt" -print

In modern systems, -print is the default action and can often be omitted.

3. Find and Delete All .txt Files

Warning: This command will delete files immediately. Use with extreme caution! Always preview the list of files to be deleted first by running the command without -exec.

find ./ -name "*.txt" -exec rm -rf {} \;
  • -exec rm -rf {} \;: Execute rm -rf on each found file for forced deletion (the semicolon must be escaped as \; so the shell passes it to find).

4. Find .php Files Modified Within the Last 30 Days

A common security investigation scenario to locate PHP files that may have been injected with malicious code recently.

find ./ -name "*.php" -mtime -30 -type f -exec ls -l {} \;

Note: The original command incorrectly used -typef; it has been corrected to -type f (with a space).

5. Find .php Files Modified Within a Specific Time Window

Search for PHP files modified more than 1 day ago but within the last 30 days (i.e., between 1 and 30 days ago). This helps narrow the focus to a specific historical period.

find ./ -name "*.php" -mtime -30 -mtime +1 -type f -exec ls -l {} \;
  • -mtime +1: Modification time is more than 1 day ago.
  • The combined condition -mtime -30 -mtime +1 means "modified between 1 and 30 days ago."

Note: The original command incorrectly used -execls; it has been corrected to -exec ls (with a space).

Advanced Security Investigation Tips

  • Search by File Permissions: Use the -perm parameter to find files with suspicious permissions (e.g., 777): find ./ -type f -perm 777.
  • Find Hidden Files: Use find ./ -name ".*" to locate all hidden files.
  • Preview Before Acting: Always preview results with -exec ls -l or -print before performing any deletion or modification.
  • Combine with Other Tools: Analyze suspicious files further using antivirus software, the strings command, or online virus scanning services.
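The script below is an added example, not part of the original post: it builds a throwaway directory tree of constructed files with known ages and permissions, then runs the find criteria from sections 1 to 5 and the tips above as shell functions that return counts or names, so the semantics can be checked instead of assumed. It assumes GNU find and GNU touch (the `-d "@epoch"` form) as shipped on Linux. Two details it makes visible: GNU find measures -mtime in whole 24-hour periods with any fraction dropped, so `-mtime +1` only matches files at least 48 hours old (a file modified 36 hours ago is skipped by the "1 to 30 days" window); and `-name ".*"` matches the starting point `.` itself unless the search is restricted with `-mindepth 1` or `-type f`.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a constructed fixture
# tree and runs the find criteria from the guide as functions whose results
# can be asserted. Assumes GNU find/touch/date (Linux).

# Set a file's mtime to $1 hours ago (touch -d "@epoch" is a GNU extension).
set_age_hours() {
    touch -d "@$(( $(date +%s) - $1 * 3600 ))" "$2"
}

# Create the fixture tree under a temp dir and print its path.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/web" "$dir/.hidden_dir"
    printf '<?php echo "new";' > "$dir/web/index.php";     set_age_hours 1   "$dir/web/index.php"   # 1 hour old
    printf '<?php echo "odd";' > "$dir/web/recent.php";    set_age_hours 36  "$dir/web/recent.php"  # 1.5 days old
    printf '<?php echo "old";' > "$dir/web/old.php";       set_age_hours 60  "$dir/web/old.php"     # 2.5 days old
    printf '<?php echo "aged";' > "$dir/web/ancient.php";  set_age_hours 960 "$dir/web/ancient.php" # 40 days old
    printf 'notes' > "$dir/readme.txt";                    set_age_hours 12  "$dir/readme.txt"
    printf 'x' > "$dir/.hidden_file";                      set_age_hours 12  "$dir/.hidden_file"
    printf 'x' > "$dir/.hidden_dir/inside";                set_age_hours 12  "$dir/.hidden_dir/inside"
    chmod 644 "$dir/web/index.php" "$dir/web/old.php" "$dir/web/ancient.php" "$dir/readme.txt"
    chmod 777 "$dir/web/recent.php"   # the one world-writable file in the tree
    printf '%s\n' "$dir"
}

# Section 1: regular files modified within the last 30 days.
count_recent_files() { find "$1" -mtime -30 -type f | wc -l; }

# Section 2: all .txt files.
count_txt() { find "$1" -name "*.txt" | wc -l; }

# Section 3: delete .txt files; -type f added so a directory named *.txt is
# never removed recursively, and the semicolon is escaped for the shell.
delete_txt() { find "$1" -name "*.txt" -type f -exec rm -f {} \; ; }

# Section 4: .php files modified in the last 30 days, one ls -l line each.
count_recent_php_lines() {
    find "$1" -name "*.php" -mtime -30 -type f -exec ls -l {} \; | wc -l
}

# Section 5: .php files modified between 1 and 30 days ago. Because find
# floors the age to whole days, -mtime +1 means "2 or more days old", so the
# 36-hour-old file is NOT returned; only the 60-hour-old one is.
list_php_window() {
    find "$1" -name "*.php" -mtime -30 -mtime +1 -type f -printf '%f\n' | sort
}

# Tip: world-writable regular files (-perm 777 is an exact-mode match).
count_perm_777() { find "$1" -type f -perm 777 | wc -l; }

# Tip: hidden entries. Without -mindepth 1 the starting point "." itself
# matches the pattern ".*" and inflates the result by one.
count_hidden() { ( cd "$1" && find . -mindepth 1 -name ".*" ) | wc -l; }

cleanup() { rm -rf "$1"; }

# Stand-alone demo: build the tree, show the 1-to-30-day window, tear down.
demo_dir=$(make_fixture)
printf 'PHP files 1-30 days old: %s\n' "$(list_php_window "$demo_dir")"
printf 'world-writable files: %s\n' "$(count_perm_777 "$demo_dir")"
cleanup "$demo_dir"
```

Run it as `sh find_audit_demo.sh`; the fixture lives under `mktemp -d` and is removed at the end, so nothing in the real filesystem is touched. Swapping the numbers in `set_age_hours` is the quickest way to confirm how a given -mtime expression behaves on your own find before relying on it during an investigation.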

Mastering the find command significantly enhances efficiency in system security audits and troubleshooting.
