How to Hide Linux File Timestamps with Shell Scripts: A Step‑by‑Step Guide

This article explains how attackers and administrators can use Linux shell commands and a custom script to view, modify, save, and restore file timestamps, thereby concealing forensic evidence of unauthorized activity on a server.

Open Source Linux

1 Introduction

Shell scripts on a Linux server can be used to control, destroy, or retrieve data. Attackers may employ clever techniques to hide their traces, and shell scripts can be used to conceal those traces as well.

Attack evidence often starts with file modification timestamps. Every file stores a modification time; administrators may notice recent changes as a sign of intrusion. However, timestamps can be forged; attackers can automate backup and restoration of timestamps with shell scripts.

2 Procedure

Step 1: View and Modify Timestamps

Linux provides tools like touch to create files or update their timestamps.

touch file

If the file exists, its modification time is set to the current time; wildcards can update many files at once.

touch *

Use stat to view detailed information.

stat file

List timestamps with ls -l.

ls -l

Set a custom timestamp with touch -d "2001-01-01 20:00:00" file and verify with ls -l file.

touch -d "2001-01-01 20:00:00" file
ls -l file

Step 2: Organize the Shell Script

The script should support three actions based on parameters:

No arguments – display an error message.

Save timestamps – write timestamps to a file.

Restore timestamps – read the file and reset timestamps.

Step 3: Create the Script File

Open nano and create timestamps.sh.

nano timestamps.sh

Insert the following header and argument check.

#!/bin/bash
if [ $# -eq 0 ]; then
    echo "Use -s (save) or -r (restore) parameter."
    exit 1
fi

Step 4: Save Timestamps to a File

When the -s flag is used, remove any existing timestamps file, list files with ls -l, and extract date fields using sed to produce a numeric month format.

rm -f timestamps
# -n suppresses sed's default output so each matching line is printed once
ls -l | sed -n 's/^.*Jan/01/p; s/^.*Feb/02/p; s/^.*Mar/03/p; s/^.*Apr/04/p; s/^.*May/05/p; s/^.*Jun/06/p; s/^.*Jul/07/p; s/^.*Aug/08/p; s/^.*Sep/09/p; s/^.*Oct/10/p; s/^.*Nov/11/p; s/^.*Dec/12/p'

Append the processed lines to the timestamps file.

# Same pipeline as above, appended to the timestamps file
ls -l | sed -n 's/^.*Jan/01/p; s/^.*Feb/02/p; s/^.*Mar/03/p; s/^.*Apr/04/p; s/^.*May/05/p; s/^.*Jun/06/p; s/^.*Jul/07/p; s/^.*Aug/08/p; s/^.*Sep/09/p; s/^.*Oct/10/p; s/^.*Nov/11/p; s/^.*Dec/12/p' >> timestamps

Test saving with ./timestamps.sh -s and view the file.

./timestamps.sh -s
cat timestamps

Step 5: Restore Original Timestamps

When the -r flag is used, read each line from timestamps, parse month, day, filename, and year, compute the current year if needed, and apply touch -d to reset the file.

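# Each saved line has the form: MONTH DAY YEAR FILENAME
cat timestamps | while read -r line; do
    # $line is left unquoted on purpose: word splitting collapses the
    # padding ls -l puts before single-digit days, so cut sees single spaces
    MONTH=$(echo $line | cut -f1 -d' ')
    DAY=$(echo $line | cut -f2 -d' ')
    FILENAME=$(echo $line | cut -f4 -d' ')
    YEAR=$(echo $line | cut -f3 -d' ')
    # optional current year logic (ls -l prints HH:MM in this field
    # instead of the year for recent files)
    touch -d "$YEAR-$MONTH-$DAY 00:00" "$FILENAME"
done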

Step 6: Use the Script

Typical commands:

./timestamps.sh -s – save timestamps.

touch -d "2050-10-12 10:00:00" * – modify timestamps.

ls -a – verify changes.

./timestamps.sh -r – restore original timestamps.

Run ls -a again to confirm that timestamps match the saved values.

3 Summary

The script helps erase traces left on a compromised server. Attackers must carefully choose methods to hide their activity, and administrators should be aware that timestamps and logs can be manipulated.

Understanding that timestamps can lie reminds sysadmins that many security measures may be forged, appearing normal even when an intrusion occurs.
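
A check administrators can run against the touch -d changes shown in the procedure, as an added example that is not part of the original article: it compares each file's modification time with its inode change time (ctime), which touch does not let the caller choose. The function names, the one-day gap and the five-minute clock allowance are assumptions made for this example, and it assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original article): triage check for forged mtimes.
# Assumes GNU coreutils stat/touch/mktemp. touch -d rewrites mtime, but the
# kernel stamps ctime with the moment of that change, and ctime cannot be set
# to a chosen value through utimensat(2). Hits are leads, not proof: archive
# extraction and package installs also restore old whole-second mtimes.

# scan_mtime_anomalies DIR [MIN_GAP_SECONDS]   (hypothetical helper name)
# Prints "REASON<TAB>PATH" for each regular file directly inside DIR.
scan_mtime_anomalies() (
    dir=$1; min_gap=${2:-86400}; now=$(date +%s)
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        # %Y = mtime (epoch), %Z = ctime (epoch), %y = mtime with nanoseconds
        set -- $(stat -c '%Y %Z %y' -- "$f")
        mtime=$1; ctime=$2; frac=${4#*.}
        if [ "$mtime" -gt $((now + 300)) ]; then
            # mtime ahead of the system clock (5 minutes allowed for skew)
            printf 'future-mtime\t%s\n' "$f"
        elif [ $((ctime - mtime)) -ge "$min_gap" ] && [ "$frac" = 000000000 ]; then
            # inode changed long after the claimed edit, and the claimed edit
            # time has no sub-second part, as touch -d "... HH:MM:SS" leaves it
            printf 'backdated-whole-second\t%s\n' "$f"
        fi
    done
)

# Constructed sample data: a temp directory stamped with the article's own
# touch -d commands from Step 1 and Step 6.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    for n in untouched backdated future; do echo data > "$d/$n"; done
    touch -d "2001-01-01 20:00:00" "$d/backdated"
    touch -d "2050-10-12 10:00:00" "$d/future"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir) && scan_mtime_anomalies "$sample"
rm -rf "$sample"
```

The same mtime/ctime comparison can be made by hand on a single file with stat, which prints both values as Modify and Change.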

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
