Commands tagged find

This is a slightly modified version of http://www.commandlinefu.com/commands/view/4283/recursive-search-and-replace-old-with-new-string-inside-files (which did not work due to incorrect syntax) with the added option to sed inside only files named filename.ext

libpurple likes to hardlink files repeatedly. To ignore libpurple, use sed: | sed '/\.\/\.purple/d'

I have found that base64 encoded webshells and the like contain lots of data but hardly any newlines due to the formatting of their payloads. Checking the "width" will not catch everything, but then again, this is a fuzzy problem that relies on broad generalizations and heuristics that are never going to be perfect.

What I have done is set an arbitrary threshold (200 for example) and compare the values that are produced by this script, only displaying those above the threshold. One webshell I tested this on scored 5000+ so I know it works for at least one piece of malware.

Searched strings:

passthru, shell_exec, system, phpinfo, base64_decode, chmod, mkdir, fopen, fclose, readfile

Since some of the strings may occur in normal text or legitimately you will need to adjust the command or the entire regex to suit your needs.

Example of using zsh glob qualifier ...

"." = files

"f:" = files with access rights matching:

o+w = other plus write

xargs is a more elegant approach to executing a command on find results then -exec as -exec is meant as a filtering flag.

Finds files modified today since 00:00, removes ugly dotslash characters in front of every filename, and sorts them.

*EDITED* with the advices coming from flatcap (thanks!)

This command is more robust because it handles spaces, newlines and control characters in filenames. It uses printf, not ls, to determine file size.

Find top 5 big files

Get the longest match of file extension (Ex. For 'foo.tar.gz', you get '.tar.gz' instead of '.gz')

If you have GNU findutils, you can get only the file name with

instead of

This alias is super-handy for me because it quickly shows the details of each file in the current directory. The output is nice because it is sortable, allowing you to expand this basic example to do something amazing like showing you a list of the newest files, the largest files, files with bad perms, etc..

A recursive alias would be:

From: http://www.askapache.com/linux/bash_profile-functions-advanced-shell.html

Executing pfiles will return a list of all descriptors utilized by the process

We are interested in the S_IFREG entries since they are pointing usually to files

In the line, there is the inode number of the file which we use in order to find the filename.

The only bad thing is that in order not to search from / you have to suspect where could possibly be the file.

Improvements more than welcome.

lsof was not available in my case

This is a modified version of the OP, wrapped into a bash function.

This version handles newlines and other whitespace correctly, the original has problems with the thankfully rare case of newlines in the file names.

It also allows checking an arbitrary number of directories against each other, which is nice when the directories that you think might have duplicates don't have a convenient common ancestor directory.

This command is adapted from http://otomaton.wordpress.com/2012/12/26/find-broken-symbolic-links/

Solutions with

don't work when the link is a loop, an error message is printed.

Search and replace recursively. :-) Shorter and simpler than the others. And allows more terms:

replace old new [old new ...] -- `find -type f`

Old Sys5 system and SUN computers don't have the -H option. Adding /dev/null forces grep to use the multi-file output and report the file name.