I have three questions related to the "ctime" information of a file. They are in bold (if you don't have time you can jump directly to them).
A website on my dedicated server has been hacked. Lots of files have been edited. I noticed that some hackers were clever enough to reset the mtime (some not).
atime and mtime can be changed with PHP functions. ctime can also be changed by using the chmod function. But ctime is handled by the kernel, so it's only possible to set it to the current system date/time. It's impossible to set it back to the past.
I found some backdoors whose mtime had been reset to the ctime (a date in the past, like 1 or 2 years ago), so that I can't find them using a recursive search tool based on that information.
The key to being able to find all infested files quickly is of course the ctime information. The problem is that I didn't think of it at first, so I first "chmoded" all the files recursively so that the website itself doesn't have write permissions anymore. In doing this, I lost the precious ctime information.
I have lots of backups, in the form of .tar.gz files. **I want to know if there is a way to extract from the tar.gz file the ctime of the files at the moment they were added to the tar.**
I read the whole GNU tar documentation, and found out that the "GNU" format of tar (which is the default used by my Linux server) stores the ctime of its archived files. I tried the following way to extract it:
```
tar -zxf Friday.tar.gz --to-command=./script
```
./script is a bash script and looks like this:
```bash
#!/bin/bash
# tar exports the archive member's metadata as TAR_* variables
echo "$TAR_CTIME"
cat > /dev/null   # consume the member's content that tar pipes to stdin
```
The problem is that this gives the current date and time, maybe because tar gives out the information of the file it would itself create if I hadn't used --to-command.
**If tar cannot handle this, are there backup tools which can keep the original ctime information?**
**How to list every file whose mtime and ctime differ?** I read the find manual but only found out the -newerXY, which (if I understand well), can only compare a ctime with a ctime, a mtime with a mtime, etc. **Is there a way to compare the ctime and the mtime of the same file?**
Have you considered using tar's compare option to see which files have changed? This should give you a quick list of candidates.
ctime is controlled by the kernel, not by any userspace tool, tar or any other program, because to back up and restore, they have to create a new inode, which must have a new ctime. One known way to preserve it is to image your filesystem to a loopback file and save that image. Unless your filesystem is quite full and you do want to save the whole thing, it is quite wasteful.
There are more efficient programs such as partimage, but I have not checked if they preserve the ctime of inodes.
star with exustar format (tar with POSIX.1-2001 extended headers) stores all 3 timestamps:
and under certain conditions they can be restored. Or more or less roughly extracted (like above).