How to use `list` to locate attributes changed to `s---ia-------`?

Question

My linux CentOS server has been compromised lately (rootkit). Some files attributes have been changed, for example the command :

lsattr /bin/ls

gives

s---ia------- /bin/ls

How cand I use find command to list all files on system that have attributes set to s---ia------- instead of -------------?

user9517 · Accepted Answer · 2012-10-05T10:58:28.880

2

Find doesn't have any way of obtaining this information directly but you don't need to use it as lsattr has a -R switch so

lsattr -R /path/you/care/about 2>/dev/null | grep -- 's---ia-------'

should do what you want.

Note the -- to grep isn't required for your specific set of attributes but if for example you wanted to search for '----ia-------' then you would definitely need it.

edited Oct 05 '12 at 10:58

answered Oct 05 '12 at 10:05

user9517

114,104
20
206
289

Nehal Dattani · Answer 2 · 2012-10-05T10:31:55.183

1

Because you have mentioned about find, I am suggesting you to try following command

find / -type f -exec lsattr {} + | grep -v '\-\-\-\-\-\-\-\-\-\-\-\-\-'

Ideally, I'd prefer to use AIDE or tripwire

edited Oct 05 '12 at 10:31

answered Oct 05 '12 at 10:01

Nehal Dattani

581
2
10

Doesn't work: "missing argument to -exec". – Danijel Oct 05 '12 at 10:13
I have verified and it works on CentOS 5. I forgot to mention escape character for grep though. it should be | grep -v '\-\-......' – Nehal Dattani Oct 05 '12 at 10:19
You can use `--` to indicate that there are no more options – user9517 Oct 05 '12 at 10:28

How to use `list` to locate attributes changed to `s---ia-------`?

2 Answers2