Find all files in subdirectories modified in time frame

Discussion in 'Command Line' started by postcd, Jul 15, 2014.

  1. postcd

    Hello,

    Some bad PHP scripts were inserted into various folders of my websites. I want to ask you for help: what is the command that will find all files created/modified between July 13 and 14, or even between certain hours in this date timeframe? The infected directory and its subdirectories are: /home/myusername/www/

     
  2. JasKinasis

    There are probably several ways, but here's one way off the top of my head:
    1. Create two temporary, empty files with timestamps of the start and end dates you want to check for:
    Code:
    touch /tmp/startdate -t 201407130000
    touch /tmp/enddate -t 201407142359
    This creates two files in /tmp/ called startdate and enddate. The time-stamp on startdate is midnight (00:00 hrs) on 13th July 2014 and the timestamp of enddate is 23:59 hrs on 14th July 2014.

    2. Next use find to find all files created/modified between the two dates:
    Code:
    find /home/myusername/www/ -cnewer /tmp/startdate -and ! -cnewer /tmp/enddate
    That should list all files in www (and subfolders) that were modified between midnight on July 13th and 23:59 on July 14th.
     
  3. WharfRat

    Another way would be

    Code:
    find . -type f -newermt "2014-07-13 18:53:00" ! -newermt "2014-07-14 20:35:00"
    Adjust the date/time as necessary

    Good luck ;)
     
  4. JasKinasis

    I didn't know about the -newermt option. That's much easier than my way.

    Just had a look at the man pages for find on my system and there is no mention of it in there! So at least I'm not going mad.

    That said, a search for newermt in the info page for find does show the option. Looks like an RTFM failure on my part! Never really needed to use the info page for find though. Kinda assumed that all of the relevant options would be listed in the man page, so perhaps the -newermt option should be listed in the man page. In which case, perhaps it is a documentation fail! Heh heh!
     
  5. WharfRat

    I think you'll find it with

    Code:
    man find|grep -A13 'newerXY reference'
    The 'mt' is interchangeable
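
The two commands in the thread test different timestamps: -cnewer compares inode change time (ctime), while -newermt compares modification time (mtime). The script below is an added example, not code from any poster; it runs both tests over the same window and labels each hit, so a file whose mtime was set by hand still shows up through its ctime. It assumes GNU find, touch and date, and the file names in make_sample are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GNU find (-newerXY tests),
# GNU touch/date, and paths without embedded newlines.

# list_window ROOT START END KIND
# KIND: m = content modification time, c = inode change time.
# Prints regular files whose timestamp is later than START and not later than END.
list_window() {
    find "$1" -type f "-newer${4}t" "$2" ! "-newer${4}t" "$3" -print
}

# triage ROOT START END
# Prints "FLAGS<TAB>PATH". "m" = mtime in window, "c" = ctime in window.
# A file flagged only "c" changed on disk inside the window although its mtime
# points elsewhere (chmod/chown/rename, or an mtime that was set by hand).
triage() {
    {
        list_window "$1" "$2" "$3" m | sed 's/^/m /'
        list_window "$1" "$2" "$3" c | sed 's/^/c /'
    } | awk '{ p = substr($0, 3); flags[p] = flags[p] substr($0, 1, 1) }
             END { for (p in flags) printf "%s\t%s\n", flags[p], p }' | sort
}

# make_sample: constructed test tree (hypothetical file names), prints its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/www/img"
    echo '<?php /* constructed */ ?>' > "$d/www/index.php"   # mtime = now
    echo '<?php /* constructed */ ?>' > "$d/www/img/old.php"
    touch -d '2014-07-13 12:00:00' "$d/www/img/old.php"       # mtime inside the thread's window
    echo '<?php /* constructed */ ?>' > "$d/www/late.php"
    touch -d '2014-07-20 12:00:00' "$d/www/late.php"          # mtime outside it
    echo "$d/www"
}

# Run as "sh script.sh demo" to see both searches on the constructed tree.
if [ "${1:-}" = demo ]; then
    root=$(make_sample)
    echo "mtime between July 13 and 14, 2014:"
    list_window "$root" '2014-07-13 00:00:00' '2014-07-14 23:59:00' m
    echo "changed within a day of now (mtime and/or ctime):"
    triage "$root" "$(date -d '1 day ago' '+%F %T')" "$(date -d '1 day' '+%F %T')"
fi
```

In the demo, old.php and late.php carry 2014 mtimes but are reported with flag "c" for the current window, because touch itself updated their ctime.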
     
