a bit off topic, how to find encrypted files (ransom attack)

Juergen Christoffel jc.gnupg18a at unser.net
Tue Aug 9 12:30:58 CEST 2022


On Fri, Aug 05, 2022 at 05:45:53PM +0200, Uwe Brauer via Gnupg-users wrote:
>    1. just for the first very rough analysis what is a convenient command to get a list of files that have high entropy?

The first step might be to install tripwire and only check files, which
tripwire reports as changed. See "man tripwire" after installing it.

Regarding your attempt to find candidate files:

>find . -iname '*.*' -follow -print -exec ent {} \;

Files don't need to have a dot in their name. But they might have unusual
characters in their names instead. So you might actually want to use

find -type f -print0 | xargs -0 ent

Tip: "man find" and "man xargs" describe what those zeroes mean.

>So I am not sure what is the best line, but the question boils down to
>this, anybody know enough sed or awk or whatsoever to tell me how to filter the ent output?

Gentle suggestion: you'd need to learn such basic usage yourself, before
you rely on them as a tool, especially when attempting to secure your
systems.

Tips (for example):
https://www.amazon.de/Learning-Perl-Making-Things-Possible/dp/1492094951 or
https://www.amazon.de/Effective-awk-Programming-Universal-Processing/dp/1491904615

Regards, JC

-- 
  Experience is the worst teacher.  It always gives the test first and the
  instruction afterward.
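An added example (not part of the thread, and not JC's or the ent tool's code) covering both points above: the NUL-safe `find` traversal and the awk filtering of a per-file entropy value. It computes Shannon entropy with `od` + `awk` instead of calling `ent`, so it runs on a stock POSIX system; the 7.5 bits/byte cut-off is an assumed threshold, not one the thread gives.

```shell
#!/bin/sh
# Added example: flag high-entropy (possibly encrypted) files with POSIX tools.
# Shannon entropy in bits per byte: 0 for constant data, ~8 for random/encrypted.

# awk program: tally byte values from od output, then H = -sum p*log2(p).
AWK_ENTROPY='
  { for (i = 1; i <= NF; i++) count[$i]++; n += NF }
  END {
    h = 0
    for (b in count) { p = count[b] / n; h -= p * log(p) / log(2) }
    printf "%.4f\n", h
  }'
export AWK_ENTROPY   # exported so the sh spawned by find -exec can use it

# file_entropy FILE -> prints entropy of FILE (empty file prints 0.0000).
file_entropy() {
    od -An -v -tu1 -- "$1" | awk "$AWK_ENTROPY"
}

# high_entropy_files DIR [THRESHOLD] -> prints "entropy<TAB>path" for every
# regular file under DIR whose entropy is >= THRESHOLD (assumed default 7.5).
# find -exec ... {} + passes names as arguments, so spaces, quotes and even
# newlines in file names survive, unlike a newline-separated pipeline.
high_entropy_files() {
    ENT_THRESHOLD="${2:-7.5}" find "$1" -type f -exec sh -c '
        for f; do
            h=$(od -An -v -tu1 -- "$f" | awk "$AWK_ENTROPY")
            # awk does the floating-point comparison; sh test(1) cannot.
            awk -v h="$h" -v t="$ENT_THRESHOLD" "BEGIN { exit !(h >= t) }" \
                && printf "%s\t%s\n" "$h" "$f"
        done' sh {} +
}
```

Sort the output numerically (`high_entropy_files /home | sort -rn`) to review the most suspicious files first; compressed archives and media files will legitimately score near 8, so treat the list as candidates, not verdicts.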