AI Block Lab - Cyber Security

Using the find Command to Detect Compromised or Modified Files

Server security is a critical task for any system administrator. One of the simplest yet most powerful tools available on Linux systems is the find command. It lets you search for files by criteria such as modification time, permissions, ownership, and more.

Why Use find for Security Checks?

When a server is compromised, attackers often modify existing files or upload new malicious ones. By using find, you can:

  • Detect recently modified files
  • Find files with suspicious permissions
  • Locate unexpected files in critical directories
  • Identify files owned by unusual users

Basic Syntax

find [path] [options] [expression]

Example:

find /var/www -type f

This command searches for all files in the /var/www directory.

Finding Recently Modified Files

To find files modified within the last 24 hours:

find /var/www -type f -mtime -1

This is useful for detecting unauthorized changes.

Examples:

  • -mtime -1 → modified in last 24 hours
  • -mtime -7 → modified in last 7 days
  • -mmin -60 → modified in last 60 minutes

Finding Files with Suspicious Permissions

Files with overly permissive access can be a sign of compromise.

find /var/www -type f -perm 0777

This finds files whose mode is exactly 0777, i.e. readable, writable, and executable by everyone.

To find files writable by others, whatever their remaining permission bits:

find /var/www -type f -perm -002

Finding Recently Created or Changed Files

You can also search by status-change time (ctime), which is updated when a file's metadata changes:

find /var/www -type f -ctime -1

This helps detect changes in permissions or ownership that leave the file content, and therefore its modification time, untouched.

Finding Files Owned by a Specific User

Attackers may create files under unexpected users. To list files owned by a specific user:

find /var/www -type f -user www-data

Or find files NOT owned by the expected user:

find /var/www -type f ! -user www-data

Searching for Suspicious File Names

Malicious files often have unusual names. Start by listing files of a given type, for example all PHP scripts:

find /var/www -type f -name "*.php"

To find files whose names match a suspicious pattern, or PHP files changed within the last day:

find /var/www -type f -iname "*shell*"
find /var/www -type f -iname "*.php" -mtime -1

Combining Conditions

You can combine multiple checks:

find /var/www -type f -mtime -1 -perm -002

This finds files modified in the last day and writable by others.

Executing Commands on Results

You can run commands on the files that were found:

find /var/www -type f -mtime -1 -exec ls -lh {} \;

Or calculate hashes:

find /var/www -type f -exec sha256sum {} \;

Best Practices

  • Run regular scans and compare results over time
  • Focus on critical directories like /var/www, /etc, /home
  • Use logging and monitoring tools alongside find
  • Combine with tools like grep, diff, and auditd
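The two practices above, taking a hash baseline with find and comparing later scans against it, worked through as an added example (not code from the original article). It assumes GNU coreutils (sha256sum, find -exec ... +) on a Linux host; the sample tree it builds stands in for /var/www.

```shell
#!/bin/sh
# Added example: build a sha256 manifest of a tree with find, keep it as a
# baseline, and diff a later scan against it to list NEW / MODIFIED / DELETED
# files. Assumes GNU coreutils on Linux.
set -u

# scan_tree DIR MANIFEST: hash every regular file under DIR, sorted by path.
scan_tree() {
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 > "$2"
}

# compare_baseline OLD NEW: print one line per difference, sorted.
# sha256sum lines are "<64 hex chars>  <path>", so the path starts at column
# 67; substr() instead of $2 keeps paths that contain spaces intact.
compare_baseline() {
    awk '
        FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }
        {
            path = substr($0, 67); seen[path] = 1
            if (!(path in old))       print "NEW " path
            else if (old[path] != $1) print "MODIFIED " path
        }
        END { for (p in old) if (!(p in seen)) print "DELETED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# demo_run: constructed sample tree (hypothetical content) standing in for
# /var/www; prints the differences found after the tree is tampered with.
demo_run() {
    root=$(mktemp -d)
    mkdir -p "$root/site/uploads"
    echo '<?php echo "hello"; ?>' > "$root/site/index.php"
    echo 'User-agent: *'          > "$root/site/robots.txt"
    echo 'old'                    > "$root/site/uploads/old file.txt"
    scan_tree "$root" "$root.baseline"              # baseline manifest

    echo 'tampered' >> "$root/site/index.php"       # modified content
    echo 'x' > "$root/site/uploads/dropped.php"     # new file
    rm "$root/site/uploads/old file.txt"            # deleted file
    scan_tree "$root" "$root.current"               # later scan

    compare_baseline "$root.baseline" "$root.current" | sed "s|$root/||"
    rm -rf "$root" "$root.baseline" "$root.current"
}

demo_run
```

In production, keep the baseline manifest outside the scanned tree and on a host the web server cannot write to, otherwise an intruder can simply regenerate it.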

Conclusion

The find command is a powerful and flexible tool for detecting suspicious activity on a Linux server. By regularly scanning for recently modified files, unusual permissions, and unexpected ownership, you can quickly identify potential security issues and respond before they escalate.