BestHub
Sign in
Information Security 9 min read

Hide Linux Server Traces by Automating Timestamp Manipulation with Shell Scripts

This guide explains how attackers can use shell scripts on a Linux server to modify, backup, and restore file timestamps—masking their activity—by leveraging tools like touch, stat, ls, and custom Bash scripts that automate the entire process.

MaGe Linux Operations
MaGe Linux Operations
MaGe Linux Operations
Hide Linux Server Traces by Automating Timestamp Manipulation with Shell Scripts

Overview

Linux file systems store modification timestamps for every file. While these timestamps can reveal unauthorized changes, they can also be forged using shell scripts, allowing attackers to hide their footprints.

Step 1: View and Modify Timestamps

The touch command creates a new file or updates an existing file's modification time. Examples: touch file Using a wildcard updates all files in the current directory: touch * The stat command displays detailed file information, including timestamps: stat file Listing files with ls -l shows timestamps; adding -l provides a long format.

Step 2: Organize the Shell Script

The script accepts parameters to either save timestamps ( -s) or restore them ( -r). Without parameters it prints an error message.

#!/bin/bash
if [ $# -eq 0 ]; then
  echo "Use -s to save or -r to restore"
  exit 1
fi

Step 3: Create the Script File

Open a new file named timestamps.sh with nano and make it executable:

nano timestamps.sh
chmod +x timestamps.sh

Step 4: Save Timestamps to a File

When the -s flag is used, the script records each file’s date, month, day, year, and name, converting month names to numbers with sed and appending the result to a file called timestamps:

ls -l file | sed -n 's/^.*Jan/01/p; ... ;' >> timestamps

Step 5: Restore Original Timestamps

With the -r flag, the script reads the saved entries, extracts year, month, day, and filename, and uses touch -d to reset each file’s timestamp. It also handles cases where the year is omitted by inserting the current year obtained via cal.

if [ $YEAR == *:* ]; then
  touch -d "$CURRENTYEAR-$MONTH-$DAY $YEAR:00" $FILENAME
else
  touch -d "$YEAR-$MONTH-$DAY" $FILENAME
fi

Step 6: Use the Script

Typical commands:

./timestamps.sh -s   # Save timestamps
./timestamps.sh -r   # Restore timestamps
ls -a                # Verify changes

Conclusion

The script demonstrates how timestamps can be falsified, reminding system administrators that logs and file metadata are not immutable and can be manipulated by skilled attackers.

Source: FreeBuf.COM, author JingleCats
Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

AutomationForensicsTimestamp manipulation
MaGe Linux Operations
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment