25 Years of Programming
An open source source for C, C++, OWL, BASIC, MDB, XLS, DOT, and more...

How to use cron to list all the files in your website on a Linux server, and how to interpret the directory listing

This article provides step-by-step details for how to create a Linux cron job (crontab) that emails you a complete directory listing of your website files. This article is part of the series that begins at Website security: what to do after your site is hacked, and how to prevent it.

You might not have direct (shell) access to Linux on your webserver to create a directory listing, especially if you are on shared hosting, but you can create a cron job that will do it. It is the Linux equivalent of the MSDOS command dir /s.

It is a good idea to create a listing like this occasionally at times when the entire website is known-good. If at a later date you have reason to doubt the site's integrity, you can use your earlier known-good listing to help identify files that have been modified, added, deleted, or that have incorrect permission settings. 

  1. Go to cPanel > Cron jobs > Standard.
  2. (First, if you are doing this as part of a website compromise investigation, make sure any cron jobs that are displayed are ones you created. If you find unauthorized ones, copy the command lines and email addresses for later reference, and then delete the jobs.)
  3. Enter the email address where you want the output from your cron job sent.
  4. Enter the command line to run. The switches are case-sensitive, so use exactly this capitalization:
    ls -1aFlqR --full-time 
    Here it is in upper case to make the letters distinct, but this command is NOT the same as the one above. Don't use it: LS -1AFLQR.
    The switches, in order, say: one file per line; list all files, including hidden; append the object type indicators; use long format (detailed); print a "?" in place of any non-printable characters; recursively list contents of all subdirectories. --full-time forces all the timestamps into one consistent format, which is useful for comparing two listings (such as by database import); it also causes the timestamps to display nanoseconds, which is more precision than we really need. There are descriptions of all the switches (flags) at http://www.ss64.com/bash/ls.html
  5. Make selections in all the other fields to specify a time several minutes in the future.
  6. Click "Save Crontab".
  7. After it runs and you receive the email, go back to Cron Jobs > Standard and delete this job.

The email directory listing will contain lines that look like the following example showing a directory, a file, and a Perl script:

drwxr-x--- 33 user group  4096 2009-01-02 19:24:35.000000000 -0500 public_html/
-rw-r--r--  1 user group 16669 2009-01-02 19:24:35.000000000 -0500 index.htm
-rwxr-xr-x  1 user group 67400 2009-01-02 19:24:35.000000000 -0500 script.pl*

A brief explanation of the elements of each line:

  • d indicates a directory. "-" at this location indicates a file. "l" (lower case "L", no example shown) indicates a link (symlink, shortcut).
  • The trailing slash (/) also indicates a directory. "*" at this location indicates an executable program.
  • The 3 groups of rwx are permissions for User, Group, World, in that order.
    r, w, x stands for Read, Write, eXecute. (Execute is only meaningful for programs and directories. It gives the user permission to run the program, or to enter the directory.) A letter in any position indicates that the user has that permission. A hyphen indicates that the user is denied that permission.
  • The 33 is the number of links to this object in the disk's filesystem, of no interest for our purposes.
  • The user and group fields show the file's individual and group owners. They should be only your hosting account userID, or some other ones that are obvious system names, and occasionally "nobody". A file owned by nobody is of special interest because it was created by a program or script; it might be legitimate, but it can indicate it was created by a malicious PHP script. 
  • The numbers (4096, 16669, 67400) are file sizes in bytes.
  • The timestamps show when each object was last modified, followed by the timezone offset.

Walkthrough of the above examples:

public_html:

  • public_html is a directory (the two indicators are the leading "d" and the trailing "/")
  • The User (owner, me) can read, write, or "execute" (enter) that folder because there are letters at each of "rwx".
  • Members of the Group that owns the folder can read or enter the folder but cannot Write to it because there is a hyphen where the w would be (r-x). If I am a member of the Group, I can write to it because the permissions are determined by the most specific level that applies to the particular person, and I am User, which is more specific than Group. 
  • The World (all the other user accounts on the same computer; sometimes referred to as "other" rather than "world") has no permissions because all positions are hyphens ("---").

index.htm:

  • index.htm, the home page, is just a file (no "d", "/", "l", or "*" indicators).
  • User can Read or Write (rw-). No "x" because it's not a folder or executable program.
  • To everyone else (Group and World), the file is Read-only (r--).

script.pl:

  • script.pl (a Perl script) is an executable program (*)
  • User has full permissions (rwx).
  • Group and World have Read and eXecute permissions (r-x), which means they are allowed to call and run it but not modify it, which is normal for a publicly accessible Perl script.

Numeric permissions notation

There is another, numeric, way to notate permissions that is used in some contexts other than directory listings such as the one above, and it is useful to know how to translate between the two.

The permissions for one user are expressed by a single digit. Each permission (r, w, or x) has a numeric value, and the single digit is the sum of the values of the permissions that the user has. The permissions values are:

r has a value of 4
w has a value of 2
x has a value of 1
- has a value of 0

Examples of converting "rwx" values to single digits:

rwx = 4 + 2 + 1 = 7
rw- = 4 + 2 + 0 = 6
r-x = 4 + 0 + 1 = 5
r-- = 4 + 0 + 0 = 4

Each folder and file has a composite numeric permission consisting of three digits, one for each of User, Group, and World, in the same order as the directory listing above.

Thus, the numeric permissions for the three examples are:

              UGW
public_html = 750
index.htm   = 644
script.pl   = 755
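
The comparison of a later listing against a known-good one, and the rwx-to-digit translation above, can both be automated. The following Python sketch is an added example, not part of the original article: the function names and both sample listings are constructed for illustration, and it assumes the emailed listings were saved as text and that no real filename ends in one of the -F indicator characters.

```python
import re

# One long-format entry: mode, link count, owner, group, size, timestamp, name.
ENTRY = re.compile(r"^([-dlbcps][-rwxsStT]{9})\S?\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+"
                   r"(\S+ \S+ [-+]\d{4}) (.+)$")
FIELDS = ("mode", "owner", "group", "size", "mtime")

def octal(mode):
    """'drwxr-x---' -> '750' (r=4, w=2, x=1; s/t count as x, special bits not shown)."""
    value = {"r": 4, "w": 2, "x": 1, "s": 1, "t": 1}
    return "".join(str(sum(value.get(c, 0) for c in mode[i:i + 3])) for i in (1, 4, 7))

def parse(listing):
    """Return {path: (octal mode, owner, group, size, mtime)} for a recursive listing."""
    entries, cwd = {}, "."
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if not m:                            # header, "total N" or blank line
            if line.endswith(":"):           # "./public_html:" opens a directory
                cwd = line[:-1]
            continue
        mode, owner, group, size, mtime, name = m.groups()
        # Drop a symlink's target and the -F type indicator appended to the name.
        name = name.split(" -> ")[0].rstrip("/*=|@")
        if name not in (".", ".."):
            entries[cwd + "/" + name] = (octal(mode), owner, group, size, mtime)
    return entries

def compare(good, now):
    """Return (finding, path) pairs for added, deleted and changed entries."""
    out = []
    for path in sorted(good.keys() | now.keys()):
        old, new = good.get(path), now.get(path)
        if old is None or new is None:
            out.append(("added" if old is None else "deleted", path))
        elif old != new:
            diff = [f for f, a, b in zip(FIELDS, old, new) if a != b]
            out.append(("changed " + ",".join(diff), path))
    return out

# Constructed sample listings (not real output): known-good, then a later run.
GOOD = """./public_html:
total 88
drwxr-x--- 3 user group 4096 2009-01-02 19:24:35.000000000 -0500 ./
-rw-r--r-- 1 user group 16669 2009-01-02 19:24:35.000000000 -0500 index.htm
-rwxr-xr-x 1 user group 67400 2009-01-02 19:24:35.000000000 -0500 script.pl*
"""
NOW = GOOD.replace("16669 2009-01-02", "17102 2009-03-09").replace("-rwxr-xr-x", "-rwxrwxrwx") \
    + "-rw-r--r-- 1 nobody nobody 912 2009-03-09 03:11:02.000000000 -0500 cache.php\n"

print(*compare(parse(GOOD), parse(NOW)), sep="\n")
```

Each finding names the fields that differ, so a permission change (755 to 777 in the sample) is distinguishable from an edit that altered size and timestamp; the owner field of an added entry shows whether it belongs to "nobody".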


Questions and comments are welcome in the discussion forum.

 
