Find all files in subdirectories modified in time frame

Discussion in 'Command Line' started by postcd, Jul 15, 2014.

  1. postcd

    Hello,


    Some bad PHP scripts were inserted in my website's various folders. I want to ask you for help: what is the command which will find all files created/modified between July 13 and 14, or even between certain hours in this date timeframe? The infected directory and subdirectories is: /home/myusername/www/
  2. JasKinasis

    There are probably several ways, but here's one way off the top of my head:
    1. Create two temporary, empty files with timestamps of the start and end dates you want to check for:
    Code:
    touch /tmp/startdate -t 201407130000
    touch /tmp/enddate -t 201407142359
    This creates two files in /tmp/ called startdate and enddate. The time-stamp on startdate is midnight (00:00 hrs) on 13th July 2014 and the timestamp of enddate is 23:59 hrs on 14th July 2014.

    2. Next use find to find all files created/modified between the two dates:
    Code:
    find /home/myusername/www/ -cnewer /tmp/startdate -and ! -cnewer /tmp/enddate
    That should list all files in www (and subfolders) that were modified between midnight on July 13th and 23:59 on July 14th.
  3. WharfRat

    Another way would be

    Code:
    find . -type f -newermt "2014-07-13 18:53:00" ! -newermt "2014-07-14 20:35:00"
    Adjust the date/time as necessary

    Good luck ;)
  4. JasKinasis

    I didn't know about the -newermt option. That's much easier than my way.

    Just had a look at the man pages for find on my system and there is no mention of it in there! So at least I'm not going mad.

    That said, a search for newermt in the info page for find does show the option. Looks like an RTFM failure on my part! Never really needed to use the info page for find though. Kinda assumed that all of the relevant options would be listed in the man page, so perhaps the -newermt option should be listed in the man page. In which case, perhaps it is a documentation fail! Heh heh!
  5. WharfRat

    I think you'll find it with

    Code:
    man find|grep -A13 'newerXY reference'
    The 'mt' is interchangeable
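
An added example, not part of the thread: the first answer's -cnewer compares inode change time (ctime) and the second answer's -newermt compares modification time (mtime), so this sketch runs both kinds of window search and lists files whose ctime falls in a window while their mtime does not, which is what a file looks like after its mtime has been set back with touch. It assumes GNU find, touch and date; the function names, the sample tree and its dates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU findutils and coreutils.

# List regular files under $1 whose timestamp of kind $4 (m = mtime,
# c = ctime) is newer than $2 and not newer than $3.
files_in_window() {
    find "$1" -type f "-newer${4:-m}t" "$2" ! "-newer${4:-m}t" "$3" -print | sort
}

# List files whose inode change time (ctime) falls in the window $2..$3 but
# whose modification time does not: mtime set with touch, or a chmod, chown
# or rename with no content change. An mtime-only search misses these.
ctime_only_in_window() {
    find "$1" -type f -newerct "$2" ! -newerct "$3" \
        \( ! -newermt "$2" -o -newermt "$3" \) -print | sort
}

# Constructed sample tree: the paths and dates are invented for the demo.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/www/img"
    echo '<?php /* sample */' > "$root/www/index.php"
    echo '<?php /* sample */' > "$root/www/img/x.php"
    echo '<?php /* sample */' > "$root/www/old.php"
    touch -d '2014-07-13 20:00:00' "$root/www/img/x.php"  # mtime inside window
    touch -d '2014-07-01 09:00:00' "$root/www/old.php"    # mtime set back
    touch -d '2014-06-01 09:00:00' "$root/www/index.php"
    echo "$root"
}

demo() {
    root=$(make_sample_tree) || return 1
    echo "mtime between 2014-07-13 and 2014-07-14:"
    files_in_window "$root/www" '2014-07-13 00:00:00' '2014-07-14 23:59:59' m
    # touch cannot set ctime, so every sample file has a ctime of "now".
    from=$(date -d '1 hour ago' '+%Y-%m-%d %H:%M:%S')
    to=$(date -d '1 hour' '+%Y-%m-%d %H:%M:%S')
    echo "ctime in the last hour, mtime outside it:"
    ctime_only_in_window "$root/www" "$from" "$to"
    rm -rf "$root"
}

demo
```

On a real host the ctime window would be the suspected incident window rather than the last hour; the demo uses the current time only because the sample files were just created.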
