Unexpected file changes can reveal misconfiguration, broken deployments, or an intrusion that replaces binaries or edits security-critical settings.
Linux tracks multiple timestamps per file, including mtime (content changes) and ctime (metadata changes such as ownership or permissions), and the find command can filter files by these timestamps to narrow results to a recent window.
Large scans can be slow or noisy due to permission errors and pseudo filesystems (/proc, /sys), so prioritizing high-signal paths such as /etc, /boot, /usr/bin, /usr/sbin typically produces more useful leads than sweeping the entire filesystem first.
$ whoami
root
Commands use sudo when scanning system directories that are not readable by normal users.
$ sudo find /etc /boot /usr/bin /usr/sbin -type f -mtime -1 -printf '%T+ %p\n' 2>/dev/null | sort -r | head -n 10
2026-01-10+19:51:55.6040000770 /usr/bin/new-helper
2026-01-10+19:51:55.6040000770 /etc/sgdemo
2026-01-10+19:51:31.0150000650 /etc/hosts
2026-01-10+19:51:31.0100000650 /etc/fstab
2026-01-10+19:51:17.0430000580 /etc/subuid
2026-01-10+19:51:17.0430000580 /etc/subgid
2026-01-10+19:51:17.0420000580 /etc/gshadow
2026-01-10+19:51:17.0410000580 /etc/group
2026-01-10+19:51:17.0400000580 /etc/shadow
2026-01-10+19:51:17.0400000580 /etc/passwd
Adjust the window with -mtime (days), -mmin (minutes), or use -newermt with an explicit timestamp for incident timelines.
$ sudo find /etc -type f -ctime -1 -printf '%C+ %p\n' 2>/dev/null | sort -r | head -n 10
2026-01-10+19:51:55.6040000770 /etc/sgdemo
2026-01-10+19:51:31.0150000650 /etc/hosts
2026-01-10+19:51:31.0100000650 /etc/fstab
2026-01-10+19:51:17.0440000580 /etc/subgid
2026-01-10+19:51:17.0430000580 /etc/subuid-
2026-01-10+19:51:17.0430000580 /etc/subuid
2026-01-10+19:51:17.0430000580 /etc/subgid-
2026-01-10+19:51:17.0420000580 /etc/gshadow-
2026-01-10+19:51:17.0420000580 /etc/gshadow
2026-01-10+19:51:17.0420000580 /etc/group
-ctime matches on metadata changes, so it can surface chmod/chown activity even when the file's mtime has not changed.
$ sudo find /home -type f -mtime -1 -not -path '*/.cache/*' -not -path '*/.local/share/Trash/*' -printf '%T+ %p\n' 2>/dev/null | sort -r | head -n 10
2026-01-10+19:51:30.6080000650 /home/user/.ssh/authorized_keys
2026-01-10+19:51:17.0580000580 /home/user/sg-work/recent.txt
Replacing /home with a specific user directory reduces noise on multi-user hosts.
$ sudo find /tmp /var/tmp /dev/shm -type f -mtime -1 -perm /111 -printf '%T+ %M %u:%g %p\n' 2>/dev/null | sort -r | head -n 10
2026-01-10+19:51:55.6040000770 -rwxr-xr-x root:root /tmp/sg-run.sh
Executing unknown files from writable directories can compromise the system further, so treat results as artifacts for review rather than programs to run.
$ sudo find / \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune -o -type f \( -perm -4000 -o -perm -2000 \) -mtime -7 -printf '%T+ %M %u:%g %p\n' 2>/dev/null | sort -r | head -n 20
2026-01-10+19:59:13.9430000480 -rwsr-xr-x root:root /usr/local/bin/sg-suid-demo
Adding -xdev limits traversal across mount points, but it can miss binaries stored on separate filesystems.
$ sudo stat /usr/bin/new-helper
  File: /usr/bin/new-helper
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: 252,0   Inode: 1091319     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2026-01-10 19:51:55.604000077 +0800
Modify: 2026-01-10 19:51:55.604000077 +0800
Change: 2026-01-10 19:51:55.604000077 +0800
 Birth: 2026-01-10 19:51:55.604000077 +0800
Replace /usr/bin/new-helper with the suspicious path.
$ sudo sha256sum /usr/bin/new-helper
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  /usr/bin/new-helper
A saved hash supports later comparison against a known-good copy or other hosts.
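Extending the stat and sha256sum steps above into a repeatable comparison, this added example (not from the original page) records a baseline of mode, owner, size, mtime and SHA-256 for a set of directories and classifies later differences as added, removed, content or metadata changes. Directory names and the baseline file location are assumptions; scanning /etc, /boot, /usr/bin or /usr/sbin needs root, and the demo function uses a constructed temporary tree so it runs without it.

```shell
# Added example, not from the original page. Baseline format is one tab-separated
# line per file: path, mode, owner:group, size, mtime (epoch), sha256. The
# directories passed in and the baseline file path are the caller's choice.
tab=$(printf '\t')

# snapshot_tree DIR... : one line per regular file under the given roots, sorted by path.
snapshot_tree() {
    find "$@" -type f -printf '%p\t%M\t%u:%g\t%s\t%T@\n' 2>/dev/null | LC_ALL=C sort |
    while IFS="$tab" read -r path mode owner size mtime; do
        sum=$(sha256sum -- "$path" 2>/dev/null | cut -d' ' -f1)
        printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$path" "$mode" "$owner" "$size" "$mtime" "${sum:-unreadable}"
    done
}

# compare_snapshots OLD NEW : prints "kind<TAB>path". A hash change outranks a
# mode/owner change; an mtime-only change (e.g. touch) is reported as "touched".
compare_snapshots() {
    awk -F'\t' '
        NR == FNR { old[$1] = $0; next }
        {
            if (!($1 in old)) { print "added\t" $1; next }
            split(old[$1], o, "\t")
            if (o[6] != $6)                    print "content\t" $1
            else if (o[2] != $2 || o[3] != $3) print "metadata\t" $1
            else if (o[5] != $5)               print "touched\t" $1
            delete old[$1]
        }
        END { for (p in old) print "removed\t" p }
    ' "$1" "$2" | LC_ALL=C sort
}

# demo: constructed sample tree under mktemp (not real system paths); the temp
# root prefix is stripped from the report so the result is stable across runs.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc" "$root/bin"
    printf 'nameserver 10.0.0.53\n' > "$root/etc/resolv.conf"
    printf 'obsolete\n' > "$root/etc/stale.conf"
    printf '#!/bin/sh\necho ok\n' > "$root/bin/helper" && chmod 755 "$root/bin/helper"
    snapshot_tree "$root/etc" "$root/bin" > "$root/baseline.tsv"
    printf 'nameserver 198.51.100.9\n' > "$root/etc/resolv.conf"  # content change
    chmod 4755 "$root/bin/helper"                                 # mode only: ctime moves, mtime does not
    rm -f "$root/etc/stale.conf"                                  # removed
    : > "$root/bin/new-helper"                                    # added, empty file
    snapshot_tree "$root/etc" "$root/bin" > "$root/current.tsv"
    compare_snapshots "$root/baseline.tsv" "$root/current.tsv" |
        awk -F'\t' -v r="$root" '{ print $1 "\t" substr($2, length(r) + 1) }'
    rm -rf "$root"
}
```

On a real host, run snapshot_tree over the high-signal directories once into a baseline stored off the machine, then compare_snapshots against a fresh snapshot during triage; a "metadata" hit is exactly the case the -ctime scan above catches and the -mtime scan misses.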