How to find files created on a date range in linux?

Hi,

I try to find a way to find files by creation time. Not accesses or modified but created.
Basically I like to find files that were uploaded or created in the last 7 days. It seems someone uploaded a hostile program that auto sends messages. I need to find it. I found some commands but nothing that only shows files created in a specific date range or lest say in the last 7 days.

I would appreciate if anyo0ne has a solution for me that allows me to find files on creation time.

Best wishes,
Thomas
ThomasPartnerAsked:
Who is Participating?
 
MazdajaiCommented:
Interesting. Give this a shot.
touch -t `date -d '7 day ago' +%Y%m%d%H%M` /tmp/7dayago
find / -type f -newer /tmp/7dayago

Open in new window

0
 
MazdajaiCommented:
Try?
find /path -type f -ctime +7 

Open in new window

0
 
ThomasPartnerAuthor Commented:
Hi,
Thanks but does not work, it shows me thousands of files even the ones on some locations that were not modified or accessed.

Any other ideas?

Best wishes,
Thom
0
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
arnoldCommented:
You need to use -ctime n -ctime m to specify a range.


The example deals with files created more than 7 days ago. (Mazdajai may, as I had to reread what you were asking)


You need to specify where you want to look.  

find /path/to/where/you/want/to/search -ctime -7

-ctime -7 -ctime -4 will list files created between 4 and 7 days ago.

Note that a malicious program may have altered the tine stamp on the file so that it might not be found.

LOOK AT /var/log/maillog to see if the mailing is going through your system

You could modify /etc/php.ini  to configure sendmail for pgp to pass through a wrapper that could help detect/prevent this issue.

Configuring a proxy/firewall settings could be an approach to quickly lock the system down until you can determine ...

I.e is the local mailserver is not being used, you can configure it to route emails to another mail server by a special port, you can then configure iptables to deny outgoing SMTP port 25 traffic and possibly depending on the load on the system, other options exist.
0
 
MazdajaiCommented:
Arnold has some good suggestions.

More digging through -  I don't think ctime can be used reliably measure creation time as it means recent time that inode was changed?
0
 
ThomasPartnerAuthor Commented:
Hi Mazdajai,

This works fine, thank you very much.
I did find my hostile file and it saved me a lot of time.
Thank you very much, I do appreciate the help on this.

Best wishes,
Thom
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.