64BIT - The Collection

Bash - Timestomping Linux Files

This little Bash script lets you timestomp a file by cloning the timestamps of a random file in the current working directory.

This one also timestomps the change time (ctime), which attackers typically do not do. I've seen them change the access and modify times with the touch command, but touch alone always leaves ctime intact, because the kernel sets ctime from the system clock on every metadata change, and that makes the real date/time of the compromise easy to identify. The script gets around this by temporarily setting the system clock (hence the sudo) to the reference file's ctime before running touch, then restoring it.

N.B. If no files exist in the CWD, then the script crashes! You can fix that yourself.

  File: `timestomp.sh'
  Size: 159             Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d      Inode: 407590      Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2015-03-31 22:48:04.226057000 -0400
Modify: 2015-03-31 22:50:37.128000000 -0400
Change: 2015-03-31 22:50:37.128000000 -0400
 Birth: -

#!/bin/sh
# Usage: ./timestomp.sh <target-file>
# Picks a random regular file under the CWD and clones its timestamps onto the target.

# Reference file chosen at random (crashes if the CWD holds no regular files).
var=$(find . -type f | shuf -n1)
echo "$var"
# %z is the reference file's change time (ctime), which touch cannot set directly.
new=$(stat -c "%z" "$var")
# Remember the real time so it can be restored afterwards.
now=$(date)
# Roll the system clock back to the reference ctime; the kernel will stamp the
# target's ctime from this clock when touch modifies the inode.
sudo date --set="$new"
# Copy atime and mtime from the reference file onto the target.
touch -r "$var" "$1"
# Put the clock back.
sudo date --set="$now"
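The flip side of the script above is what it leaves behind for a responder. The following is an added example, not part of the original post, that checks for the clock-rollback trick from two directions: inode timestamps (a ctime older than mtime, or older than the inode's birth time, is impossible under a monotonic clock) and log lines (the sudo audit record for `date --set`, daemon messages about a clock step, and log timestamps that run backwards while the clock is rolled back). Note that the script copies a reference file's ctime, so the target's ctime usually stays at or above its mtime and the first filesystem check will not fire; the birth-time check does catch it, but only on filesystems and Python builds that expose btime (the stat output above shows `Birth: -`, so on that system the log-side signals are the ones that matter). The sample log lines, hostname and PID are constructed; the regular expressions target message formats of sudo, systemd, chronyd and ntpd and may need tuning for other daemons.

```python
"""Defender-side checks for clock-rollback timestomping (added example)."""
import os
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterator, List, Optional, Tuple


@dataclass
class TimeRecord:
    """Timestamps of one inode, in seconds since the epoch."""
    path: str
    atime: float
    mtime: float
    ctime: float
    birth: Optional[float] = None  # crtime/btime where the filesystem exposes it


def suspicious_timestamps(rec: TimeRecord, tolerance: float = 1.0) -> List[str]:
    """Return the reasons an inode's timestamps look manipulated.

    The kernel stamps ctime from the current clock on every metadata change,
    so a ctime older than mtime, or older than the inode's birth time, means
    the clock was turned back or the inode was edited offline.  Copying ctime
    from a reference file leaves the target's original birth time in place,
    which is what the second check catches where btime is recorded.
    """
    reasons: List[str] = []
    if rec.ctime + tolerance < rec.mtime:
        reasons.append("ctime precedes mtime")
    if rec.birth is not None and rec.ctime + tolerance < rec.birth:
        reasons.append("ctime precedes birth time")
    return reasons


def scan_directory(root: str) -> Iterator[Tuple[str, List[str]]]:
    """Walk a tree and yield (path, reasons) for every flagged file."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue
            rec = TimeRecord(path, st.st_atime, st.st_mtime, st.st_ctime,
                             getattr(st, "st_birthtime", None))  # absent on Linux
            reasons = suspicious_timestamps(rec)
            if reasons:
                yield path, reasons


# Syslog-style lines: "Mon DD HH:MM:SS host ..." (the year is not in the line).
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")
# sudo's audit line for a privileged clock change.
SUDO_DATE = re.compile(r"sudo:.*COMMAND=\S*/date\s+(?:--set\b|-s\b)")
# Messages daemons emit when the wall clock jumps (systemd, chronyd, ntpd).
CLOCK_STEP = re.compile(r"Time has been changed|System clock was stepped|time reset|clock step")


def find_clock_manipulation(lines: List[str], year: int) -> List[Tuple[int, str]]:
    """Flag log lines indicating the system clock was set by hand.

    Signals: the sudo record for `date --set`, a daemon's clock-step message,
    and a line whose timestamp is earlier than the line before it (a rolled
    back clock makes the log run backwards until it is restored).
    """
    hits: List[Tuple[int, str]] = []
    prev: Optional[datetime] = None
    for n, line in enumerate(lines, 1):
        m = SYSLOG_TS.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            if prev is not None and ts < prev:
                hits.append((n, "timestamp regression"))
            prev = ts
        if SUDO_DATE.search(line):
            hits.append((n, "sudo date --set"))
        elif CLOCK_STEP.search(line):
            hits.append((n, "clock step"))
    return hits


# Constructed sample lines modelled on what a clock-rollback script would leave
# in auth.log and the journal; hostname, PIDs and addresses are made up.
SAMPLE_LOG = [
    "Mar 31 23:01:10 host sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; "
    "COMMAND=/bin/date --set=2015-03-31 22:50:37.128000000 -0400",
    "Mar 31 22:50:37 host systemd[1]: Time has been changed",
    "Mar 31 22:50:37 host sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; "
    "COMMAND=/bin/date --set=Tue Mar 31 23:01:10 EDT 2015",
    "Mar 31 23:01:10 host systemd[1]: Time has been changed",
    "Mar 31 23:05:00 host sshd[1234]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2",
]

if __name__ == "__main__":
    for n, kind in find_clock_manipulation(SAMPLE_LOG, 2015):
        print(f"line {n}: {kind}")
    for path, reasons in scan_directory("."):
        print(path, ", ".join(reasons))
```

Run against the constructed sample, the log check reports both `date --set` calls, both clock-step messages and the backwards jump on line 2; the two daemon messages around a sudo `date` record, a few seconds apart, are the pattern worth alerting on. The sudo record survives even when an attacker forgets the journal, which is why centralised, append-only logging matters more than any filesystem heuristic here.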