Bash - Timestomping Linux Files
This little Bash script allows you to timestomp a file by cloning the timestamp attributes of a random file found in (or below) the current working directory.
This also timestomps the Change attribute, which is not typically done by attackers. I've seen them change the Access and Modify times with the touch command, but touch never forges the Change attribute (it is simply set to the moment the touch ran), which makes the compromise date/time easy to identify.
N.B. If no files exist in the CWD, then the script crashes! You can fix that yourself.
Output of `stat` on the script itself:

  File: `timestomp.sh'
  Size: 159       	Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d	Inode: 407590      Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2015-03-31 22:48:04.226057000 -0400
Modify: 2015-03-31 22:50:37.128000000 -0400
Change: 2015-03-31 22:50:37.128000000 -0400
 Birth: -
#!/bin/sh
# Pick a random regular file below the current directory as the donor.
# (If find returns nothing, the script fails here, as noted above.)
var=`find . -type f | shuf -n1`
echo "$var"
# Read the donor's Change time (ctime) in full precision, e.g.
# "2015-03-31 22:50:37.128000000 -0400", and remember the real time.
new=`stat -c "%z" "$var"`
now=$(date)
# Roll the system clock back to the donor's ctime so that the touch
# below stamps the target's Change attribute with that time.
sudo date --set="$new"
# Copy the donor's Access and Modify times onto the target file ($1).
touch "$1" -r "$var"
# Put the clock back.
sudo date --set="$now"
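The flip side of the script above is what it leaves behind for a forensic examiner. Two things never happen on a normally running Linux box: a file's Modify time being newer than its Change time (the kernel bumps ctime every time mtime is set, so only a clock rollback or a raw inode edit produces that ordering), and two different inodes carrying the same Access and Modify times to the nanosecond with Change times only milliseconds apart (the script copies atime/mtime from a donor and fakes ctime to match, leaving the target as a near-exact timestamp clone of another file). The Python below is an added detection example, not the post's script; the file names, inode numbers and timestamp values in `SAMPLE_RECORDS` are constructed, and the one-second `ctime_window_ns` is an assumed tolerance, not a value from the post.

```python
#!/usr/bin/env python3
"""Added detection example (not the post's script): flag files whose inode
timestamps look timestomped.

Two checks over a directory tree:
  1. mtime newer than ctime.  The kernel updates ctime whenever mtime is set,
     so this ordering only appears after a clock rollback (which is what the
     script above relies on) or a direct inode edit.
  2. Distinct inodes whose atime and mtime match to the nanosecond and whose
     ctimes lie within a small window.  The script copies atime/mtime from a
     donor and fakes ctime to match the donor's, so the target ends up as a
     near-exact timestamp clone of another file.
"""
import os
import stat
from collections import defaultdict

# Constructed sample records, not taken from any real system:
# (path, inode, atime_ns, mtime_ns, ctime_ns)
SAMPLE_RECORDS = [
    # donor and its clone: identical atime/mtime, ctimes 3 ms apart
    ("./donor.txt",   1001, 1427856484226057000, 1427856637128000000, 1427856637128000000),
    ("./victim.sh",   1002, 1427856484226057000, 1427856637128000000, 1427856637131000000),
    # mtime later than ctime: impossible without clock manipulation
    ("./touched.log", 1003, 1600000000000000000, 1600000000000000000, 1500000000000000000),
    # ordinary file: ctime == mtime, atime later (read after the last write)
    ("./normal.conf", 1004, 1700000000000000000, 1690000000000000000, 1690000000000000000),
]


def collect_records(top):
    """Walk `top` and return (path, inode, atime_ns, mtime_ns, ctime_ns) for regular files."""
    records = []
    for root, _dirs, names in os.walk(top):
        for name in names:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                records.append((path, st.st_ino, st.st_atime_ns, st.st_mtime_ns, st.st_ctime_ns))
    return records


def find_anomalies(records, ctime_window_ns=1_000_000_000):
    """Return [(rule, [paths])] for the records; mtime_after_ctime findings come first."""
    findings = []
    # (atime_ns, mtime_ns) -> {inode: (ctime_ns, path)}; hard links share an
    # inode and are therefore counted once, not as clones of each other.
    groups = defaultdict(dict)
    for path, inode, atime, mtime, ctime in records:
        if mtime > ctime:
            findings.append(("mtime_after_ctime", [path]))
        groups[(atime, mtime)].setdefault(inode, (ctime, path))
    for members in groups.values():
        if len(members) < 2:
            continue
        ctimes = [c for c, _ in members.values()]
        if max(ctimes) - min(ctimes) <= ctime_window_ns:
            findings.append(("cloned_timestamps", sorted(p for _, p in members.values())))
    return findings


if __name__ == "__main__":
    import sys
    recs = collect_records(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECORDS
    for rule, paths in find_anomalies(recs):
        print(rule, *paths)
```

Run it with a directory argument to scan a real tree, or without one to see the constructed sample flagged. The ctime window matters: `cp -a` and archive extraction also produce files whose atime/mtime equal another file's, but their ctime is the time of the copy, usually far from the donor's, so they fall outside the window. Both checks are heuristics, and a hit is a lead to correlate with the host's other evidence: the clock jump the script performs is itself visible (systemd hosts record a time change in the journal) and the two `sudo` invocations land in the auth log.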