How to see PHP files that are recently uploaded/modified on some domain

Post Reply
User avatar
isscbta
Team Member
Posts: 130
Joined: Mon Jul 19, 2021 1:41 am
Has thanked: 15 times
Been thanked: 3 times

This could be pretty useful when some site got infected, so by running this command, you can find all PHP files which are recently uploaded or modified and based on that see which one could be potentially infected/malicious

Code: Select all

cd /home/someuser/web/domain.com/public_html/
find -name "*.php" -type f -printf '%T+\t%s\t%u\t\t%p\n' | sort -n
Sometimes attackers modify the 'Change' attribute to trick you (the attacker can modify it to an old date, so the file would not appear freshly changed).
In that case, you can sort files by the 'last modification' attribute that can not be faked.

Code: Select all

find -name "*.php" -type f -printf '%C+\t%s\t%u\t\t%p\n' | sort -n


If you suspect that .js files are modified, then run:

Code: Select all

find -name "*.js" -type f -printf '%T+\t%s\t%u\t\t%p\n' | sort -n
and

Code: Select all

find -name "*.js" -type f -printf '%C+\t%s\t%u\t\t%p\n' | sort -n

Tags:
Post Reply