How to use cron to list all the files in your website on a Linux server, and how to interpret the directory listing
This article provides step-by-step details for how to create a Linux cron job (crontab) that emails you a complete
directory listing of your website files. This article is part of the series that begins at Website security: what to do after your site is hacked, and how to prevent it.
You might not have direct (shell) access to Linux on your webserver to create a
directory listing, especially if you are on shared hosting, but you can create a cron job that will do it. It is the Linux equivalent of the MSDOS command dir /s.
It is a good idea to create a listing like this occasionally at times when the entire website is known-good. If at a later date
you have reason to doubt the site's integrity, you can use your earlier known-good listing to help identify files that have been
modified, added, deleted, or that have incorrect permission settings.
- Go to cPanel > Cron jobs > Standard.
- (First, if you are doing this as part of a website compromise investigation, make sure
any cron jobs that are displayed are ones you created. If you find unauthorized ones, copy the command lines and email
addresses for later reference, and then delete the jobs.)
- Enter the email address where you want the output from your cron job sent.
- Enter the command line to run.
The switches are case-sensitive, so use exactly this capitalization:
ls -1aFlqR --full-time
Here it is in upper case to make the letters distinct, but this command is
NOT the same as the one above. Don't use it: LS -1AFLQR.
The switches, in order, say: one file per line; list all files, including hidden; append the object type indicators; use long
format (detailed); print a "?" in place of any non-printable characters; recursively list contents of all subdirectories.
--full-time forces all the timestamps to have the same consistent format, which is useful for comparing two listings (such as
by database import); it also causes the timestamps to display nanoseconds, which is slightly more accuracy than we really
need. There are descriptions of all the switches (flags) at
- Make selections in all the other fields to specify a time several minutes in the future.
- Click "Save
- After it runs and you receive the email, go back to Cron Jobs > Standard and delete this job.
The email directory listing will contain lines that look like the following
example showing a directory, a file, and a Perl script:
drwxr-x--- 33 user group 4096 2009-01-02 19:24:35.000000000 -0500 public_html/
-rw-r--r-- 1 user group 16669 2009-01-02 19:24:35.000000000 -0500 index.htm
-rwxr-xr-x 1 user group 67400 2009-01-02 19:24:35.000000000 -0500 script.pl*
A brief explanation of the elements:
- d indicates a directory. "-" at this location indicates a
file. "l" (lower case "L", no example shown) indicates a link (symlink, shortcut).
- The trailing slash (/) also indicates a directory. "*" at this
location indicates an executable program.
- The 3 groups of rwx are permissions for User, Group, World, in that order.
r, w, and x stand for Read, Write, and eXecute. (Execute is only meaningful for
programs and directories. It gives the user permission to run the program, or
to enter the directory.) A letter in any position indicates that the user has that permission. A hyphen indicates that the
user is denied that permission.
- The 33 is the number of links to this object in the disk's filesystem, of
no interest for our purposes.
- The user and group fields show
the file's individual and group owners. They should be only your hosting account userID, or some
other ones that are obvious system names, and occasionally "nobody". A file owned by nobody is of special interest because it was
created by a program or script; it might be legitimate, but it can indicate it was created by a malicious PHP script.
- The numbers are file sizes.
- The timestamps are timestamps.
Walkthrough of the above examples:
- public_html is a directory (the two indicators: the leading "d" and the trailing "/")
- The User (owner, me) can read, write, or "execute" (enter) that folder because there are letters at each of
- Members of the Group that owns the folder can read or enter the folder but cannot Write to it because there is a hyphen
where the w would be (r-x). If I am a member of the Group, I can write to it because the permissions are determined by the most
specific level that applies to the particular person, and I am User, which is more specific than Group.
- The World (all the other user accounts on the same computer; sometimes referred to as "other" rather than "world") has no
permissions because all positions are hyphens ("---").
- index.htm, the home page, is just a file: (no "d" or "/"
or "l" or "*" indicators)
- User can Read or Write (rw-). No "x" because it's not a folder or executable program.
- To everyone else (Group and World), the file is Read-only
- script.pl (a Perl script) is an executable program (*)
- User has full permissions (rwx).
- Group and World have Read and eXecute permissions (r-x), which means they are allowed to call and run it but not modify
it, which is normal for a publicly accessible Perl script.
Numeric permissions notation
There is another, numeric, way to notate permissions that is used in some contexts other than directory listings such as the
one above, and it is useful to know how to translate between the two.
The permissions for one user are expressed by a single digit. Each permission (r, w, or x) has a numeric value, and the single
digit is the sum of the values of the permissions that the user has. The permissions values are:
r has a value of 4
w has a value of 2
x has a value of 1
- has a value of 0
Examples of converting "rwx" values to single digits:
rwx = 4 + 2 + 1 = 7
rw- = 4 + 2 + 0 = 6
r-x = 4 + 0 + 1 = 5
r-- = 4 + 0 + 0 = 4
Each folder and file has a composite numeric permission consisting of three digits, one for each of User, Group, and World, in
the same order as the directory listing above.
Thus, the numeric permissions for the three examples are:
public_html = 750
index.htm = 644
script.pl = 755
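An added example, not part of the original article: a Python sketch that parses two listings produced by the command above, translates each permission string into numeric notation, and reports what was added, deleted, or changed since the known-good listing. The function names, the sample listings, and the "suspect" rule (owner nobody, or writable by World) are assumptions made for illustration.

```python
import re

ENTRY = re.compile(r"^([-dlbcps][-rwxsStT]{9})\S*\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+ \S+ \S+)\s+(.+)$")

def octal(perms):
    """Translate 'rwxr-x---' into '750' (r=4, w=2, x=1; s and t imply x)."""
    value = {"r": 4, "w": 2, "x": 1, "s": 1, "t": 1}
    return "".join(str(sum(value.get(c, 0) for c in perms[i:i + 3])) for i in (0, 3, 6))

def parse(listing):
    """Map path -> (type, octal, user, group, size, timestamp) from `ls -1aFlqR --full-time`."""
    files, cwd = {}, "."
    for line in listing.splitlines():
        if not (m := ENTRY.match(line)):  # not an entry: blank, "total N", or "./dir:" header
            cwd = line[:-1] if line.endswith(":") else cwd
            continue
        mode, user, group, size, stamp, name = m.groups()
        name = name.split(" -> ")[0]      # drop a symlink's target
        name = name[:-1] if name[-1] in "*/=@|" else name   # drop the -F type indicator
        if name not in (".", ".."):       # -a also lists the directory itself and its parent
            files[f"{cwd}/{name}"] = (mode[0], octal(mode[1:]), user, group, int(size), stamp)
    return files

def compare(baseline, current):
    """Diff two listings; 'suspect' (owner nobody, or World-writable) is an assumed rule."""
    old, new = parse(baseline), parse(current)
    return {"added": sorted(new.keys() - old.keys()),
            "deleted": sorted(old.keys() - new.keys()),
            "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
            "suspect": sorted(p for p, e in new.items()
                              if e[2] == "nobody" or (e[0] != "l" and int(e[1][2]) & 2))}

STAMP = "2009-01-02 19:24:35.000000000 -0500"   # sample listings below are constructed
BASELINE = f""".:
drwxr-x--- 33 user group 4096 {STAMP} public_html/

./public_html:
-rw-r--r-- 1 user group 16669 {STAMP} index.htm
-rwxr-xr-x 1 user group 67400 {STAMP} script.pl*
"""
CURRENT = """.:
drwxr-x--- 33 user group 4096 2009-03-01 04:10:02.000000000 -0500 public_html/

./public_html:
-rw-r--r-- 1 user group 17102 2009-03-01 04:10:02.000000000 -0500 index.htm
-rw-rw-rw- 1 nobody nobody 512 2009-03-01 04:09:58.000000000 -0500 x.php
"""
if __name__ == "__main__":
    print(compare(BASELINE, CURRENT))
```

A directory appears under "changed" whenever its own timestamp moved, which happens when files inside it are created or removed.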