Take a look at the following find command using "atime" (access time).
The file named ken1 is being queried by the find expression to see if it was accessed within the last 30 seconds. Access can be anything that reads the file: vi, file, cat, head, tail, more, etc.
You can use a time unit suffix such as seconds, minutes or hours (s, m, h). In the next demo we use 1 hour, 60 minutes or 3600 seconds (all equal to 1 hour).
Note: without a unit suffix, atime/ctime/mtime count in units of one day (24 hours).
Okay now, how about the - or + prefixes? A "-" simply means within the last time period, and a "+" means older than the specified time period.
Moving on, let's look at ctime. The ctime is the creation time. We can also use a time quantifier to look for creation of files within a specific time or range.
NOTE: keep in mind that a file's creation time is just that, the time it was created. The access time can't be greater than the creation time.
And lastly, the mtime is the time of the file modification. Take these examples:
Okay, in example 3 you will see that merely appending data to an "existing" file does not change the "access" time. So echoing data into an existing file doesn't change the access time, but it does change the modification time.
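The behaviour described above, as an added demonstration that is not code from the original post: it builds a scratch directory of constructed files (the names ken1, old1 and old3 are made up), backdates their timestamps with touch, and runs find with the -/+ prefixes. Two caveats a practitioner should know when reproducing this on Linux: GNU find takes minute granularity through -amin/-mmin/-cmin rather than the s/m/h suffixes that BSD find accepts, and GNU find's -ctime/-cmin test the inode status-change time (stat's st_ctime), which is also bumped by chmod, chown and by touch itself. That is why a file whose atime and mtime have been pushed into the past still shows a fresh ctime below, a useful tamper indicator. Day-unit tests (-mtime) truncate the age to whole days, so -mtime +2 means "at least 3 full days old". The block assumes GNU coreutils and GNU find.

```shell
#!/bin/bash
# Added demonstration, not code from the original post. Constructed files,
# timestamps set with touch, queried with GNU find's -amin/-mmin/-cmin (minutes)
# and -mtime (days). Assumes GNU coreutils (touch -d @EPOCH, stat -c, paste)
# and GNU find (-printf).
set -u

# Create the fixture and print its directory path. File names are made up.
make_fixture() {
    local dir now
    dir=$(mktemp -d)
    now=$(date +%s)
    # ken1: written just now, so atime, mtime and ctime are all "now"
    printf 'hello\n' > "$dir/ken1"
    # old1: atime and mtime pushed back 2 hours. touch rewrites the inode,
    # so its ctime is still "now": ctime cannot be backdated this way.
    printf 'old\n' > "$dir/old1"
    touch -d "@$((now - 7200))" "$dir/old1"
    # old3: atime and mtime pushed back 3 days and 10 minutes
    printf 'older\n' > "$dir/old3"
    touch -d "@$((now - 3 * 86400 - 600))" "$dir/old3"
    printf '%s\n' "$dir"
}

# Print the basenames of regular files under $1 that match the find tests
# given after it, sorted and space separated (empty when nothing matches).
find_names() {
    local dir=$1; shift
    find "$dir" -type f "$@" -printf '%f\n' | sort | paste -s -d ' '
}

# Append to a file without reading it: mtime and ctime move, atime does not.
append_data() {
    printf 'more\n' >> "$1"
}

# Show all three timestamps in UTC so a report does not depend on the host TZ.
show_times() {
    TZ=UTC stat -c '%n  atime=%x  mtime=%y  ctime=%z' "$1"/*
}

main() {
    local d
    d=$(make_fixture)
    show_times "$d"
    echo "modified within the last 60 min (-mmin -60): $(find_names "$d" -mmin -60)"
    echo "modified more than 60 min ago   (-mmin +60): $(find_names "$d" -mmin +60)"
    echo "accessed more than 60 min ago   (-amin +60): $(find_names "$d" -amin +60)"
    echo "inode changed within 5 min      (-cmin -5):  $(find_names "$d" -cmin -5)"
    echo "modified more than 2 days ago   (-mtime +2): $(find_names "$d" -mtime +2)"
    append_data "$d/old1"
    echo "after appending to old1:"
    echo "  modified within the last 60 min (-mmin -60): $(find_names "$d" -mmin -60)"
    echo "  accessed more than 60 min ago   (-amin +60): $(find_names "$d" -amin +60)"
    rm -rf "$d"
}

main
```

Run it as a script; the last two lines of output show the point made in the text: appending to old1 pulls it into the "modified within the last 60 minutes" set while leaving it in the "accessed more than 60 minutes ago" set. The -cmin -5 line lists every file, including the two that were backdated, because touch cannot rewrite ctime.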
The reason you need to understand the unix time options, and how to use them with the find command, is simple: you need to know the difference when inspecting and comparing files to determine tampering. This is critical when you suspect any of the following:
- file tampering or modifications
- inspection for any compromised file (rootkits, trojans, etc.)
- when conducting forensics or incident handling
Every unix administrator or systems security engineer should know the difference and understand these options for the analysis of file creation, access, or modification.
Common clues that your system has been compromised:
- utmp/wtmp data is gone
- logs are cleared or deleted
- the passwd/shadow files are modified or new accounts added or even accounts deleted
- crontab entries are changed or deleted
- the unix utility lsof shows unknown open files or unknown services
- new daemons are running
- process counts are higher than normal
- the box has been rebooted or the uptime has changed
- the file permissions have been changed
- new files that are hidden
One last bit of info: it is best practice to ensure your unix/linux servers are running a suitable time daemon. It's also best practice to ensure you know the timezone the host is in and to use this TZ information in your collection and reporting.
Note: be advised, as an ethical hacker, I always modify the system time and kill the ntp services to throw off my scent. Without the correct time, it's harder to piece together a system breach timeline.
The best way to determine your timezone is to use any of the following:
Finally, for alerting on file changes, it's best to use Tripwire and a rootkit hunter, a.k.a. rkhunter.
IMHO, every newly installed system should have an md5 hash created for all binaries in /usr/bin, /usr/local/bin, etc. These hashes should be stored offline or imported into a database. In my experience, one of the most common methods a hacker deploys is to replace known binaries with trojans and to modify rc.local or linux startup scripts under /etc/init.d.
Freelance Network/Security Engineer
kfelix -----a----t---- socpuppets ---dot---com
=( # # )=
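The baseline-and-compare workflow recommended above (hash every binary on a fresh install, keep the list off the box, compare later), as an added example that is not code from the original post or from Tripwire/rkhunter. It uses md5sum as the text does; sha256sum is a drop-in replacement and the usual choice today. The directory and file contents in the demo are constructed stand-ins for /usr/bin, and the baseline records the UTC time and host timezone it was taken in, which ties into the reporting advice above. It assumes GNU coreutils (md5sum -c --quiet, sort -z, xargs -r) and GNU find.

```shell
#!/bin/bash
# Added example, not code from the original post: md5sum baseline of every
# regular file under the given directories, a sidecar with when/where it was
# taken, and two checks: hashes that changed or went missing, and files that
# appeared since. Constructed demo data; assumes GNU coreutils and GNU find.
set -u

# Strip the "hash  " prefix from md5sum lines, leaving sorted paths.
baseline_paths() {
    sed 's/^[0-9a-f]\{32\}  //' "$1" | sort
}

# Write "hash  path" lines for all regular files under the directories to $1,
# plus $1.meta recording the UTC time, the host timezone and the file count.
# The resulting pair is what you would copy offline or load into a database.
build_baseline() {
    local out=$1; shift
    find "$@" -type f -print0 | sort -z | xargs -0 -r md5sum > "$out"
    {
        echo "taken_utc=$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
        echo "host_tz=$(date +%Z)"
        echo "files=$(wc -l < "$out")"
    } > "$out.meta"
}

# Print, one per line, baseline paths whose hash no longer matches or that can
# no longer be read (md5sum -c reports both as FAILED).
changed_files() {
    md5sum -c --quiet "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p' | sort
}

# Print regular files now under the directories that the baseline never saw:
# dropped binaries, hidden files, new startup scripts.
new_files() {
    local baseline=$1 tmp; shift
    tmp=$(mktemp)
    baseline_paths "$baseline" > "$tmp"
    find "$@" -type f | sort | comm -13 "$tmp" -
    rm -f "$tmp"
}

main() {
    local bin base
    bin=$(mktemp -d)           # stands in for /usr/bin in this demo
    base=$(mktemp)
    printf 'pretend ls binary\n' > "$bin/ls"
    printf 'pretend ps binary\n' > "$bin/ps"
    build_baseline "$base" "$bin"
    cat "$base.meta"
    # simulate a replaced binary and a hidden file dropped next to it
    printf 'replaced ps\n' > "$bin/ps"
    printf 'payload\n' > "$bin/.hidden"
    echo "changed or missing:"; changed_files "$base"
    echo "not in baseline:";    new_files "$base" "$bin"
    rm -rf "$bin" "$base" "$base.meta"
}

main
```

In production you would point build_baseline at the real directories (/usr/bin, /usr/local/bin, /etc/init.d, and rc.local's directory), move the two output files off the host, and run changed_files and new_files against a copy brought back read-only; a baseline that stays on the box can be edited by the same intruder who replaced the binaries.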