With the recent advent of a possible Mac OS X virus (or trojan, depending on who you ask), many OS X users are wondering how safe they really are. Those "infected" by the so-called virus are currently clueless as to what it has really done. Luckily, UNIX has a tool that may help find it.
The du (disk usage) command can print out a list of all the files on your Mac. Redirecting its output, you basically have a giant log of all of your files at any given time. If you do this regularly and compare the old log with the new, you can suddenly see what has changed (i.e., where a virus might be).
So, to do this, I whipped up a little shell script. Note that I am not great with scripts, but I have tested this, and it works for me (on at least 10.4). Make a script called duscript.sh, and save it in your Home directory. This is the script:
#!/bin/sh
# start at the root so the log covers the whole disk
cd /
# -a lists every file, not just directories; the log name carries the date
du -a > ~/duLog-`date +%Y%m%d` &
Make the file executable by typing chmod +x duscript.sh. Then, add the file to cron. I used CronniX to do this.
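The hint stops at writing the log; the comparison of old and new logs is left to the reader. The following script is an added example (not the script from the hint) that takes a du -a snapshot and reports which paths appeared, disappeared or changed size since the previous snapshot. The log directory and the "duscript.sh TREE LOGDIR" cron usage are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the hint: snapshot a tree with du -a and
# report which paths appeared, disappeared or changed size since the previous
# snapshot. The log directory and the cron usage at the bottom are assumptions.

# take_snapshot TREE OUTFILE: one line per file and directory, "size<TAB>path",
# sorted by path so two snapshots line up. Sizes are 1K blocks (-k); -a makes
# du list files, not only directories. Paths are relative to TREE.
take_snapshot() {
    tree=$1
    outfile=$2
    (cd "$tree" && du -ak . 2>/dev/null) | sort -t "$(printf '\t')" -k 2 > "$outfile"
}

# new_paths OLD NEW: paths present in NEW but absent from OLD
new_paths() {
    awk -F '\t' 'FILENAME == ARGV[1] { seen[$2] = 1; next }
                 !($2 in seen) { print $2 }' "$1" "$2"
}

# changed_paths OLD NEW: paths present in both snapshots whose size differs
changed_paths() {
    awk -F '\t' 'FILENAME == ARGV[1] { size[$2] = $1; next }
                 ($2 in size) && size[$2] != $1 { print $2 }' "$1" "$2"
}

# report_changes OLD NEW: human-readable summary of the three categories
report_changes() {
    echo "== new since $1 =="
    new_paths "$1" "$2"
    echo "== removed since $1 =="
    new_paths "$2" "$1"
    echo "== size changed since $1 =="
    changed_paths "$1" "$2"
}

# Cron entry point (assumed layout): duscript.sh TREE LOGDIR,
# e.g. "duscript.sh / $HOME/du-logs". Writes a dated log and compares it
# with the newest older log, if there is one.
if [ $# -eq 2 ]; then
    logdir=$2
    mkdir -p "$logdir"
    new="$logdir/duLog-$(date +%Y%m%d)"
    old=$(ls "$logdir"/duLog-* 2>/dev/null | grep -v "^$new\$" | sort | tail -n 1)
    take_snapshot "$1" "$new"
    if [ -n "$old" ]; then
        report_changes "$old" "$new"
    fi
fi
```

A new path in the "new since" list is the interesting case for the scenario in the hint; the "size changed" list is noisy for log files and caches, so it is worth reading with the modified-files approach below in mind rather than on its own.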
Instead of simply logging every file on your system, you can create a log that shows only modified (as in changed, or brand new) files. Here's the basic idea in a script:
#!/bin/sh
# search the whole disk; -type f keeps only regular files and -mtime -1 keeps
# those modified within the last day; the output file name carries the date
cd /
sudo find . -type f -mtime -1 > ~/Desktop/ModFiles-`date +%Y%m%d`.txt
The command above searches from the top-level directory down (find .) for regular files (-type f) that have been modified in the last day (-mtime -1), and writes that list to a date-stamped file on your Desktop. The end result is a much smaller file, and one that doesn't need to be compared with anything: you can simply scan it for suspicious activity.
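Two things make the -mtime -1 list easier to use in practice: pruning directories that change constantly (caches, temp folders, the Spotlight index), and measuring "since the last run" with a marker file (-newer) instead of a fixed 24-hour window, so that nothing is missed if cron skips a day. The script below is an added example, not the hint's own script; the exclusion list, the marker file and the output directory are assumptions, and it is written to run from root's crontab rather than calling sudo inside the job.

```shell
#!/bin/sh
# Added example, not the hint's own script: list files changed since a marker
# file was last touched (i.e. since the previous run), or within the last N
# days, skipping directories that churn constantly. The exclusion list and
# the marker/output locations are assumptions; adjust them for your Mac.

# Paths, relative to the scanned tree, that are pruned from the walk.
DEFAULT_EXCLUDES="./Library/Caches ./private/var/folders ./private/tmp ./.Spotlight-V100"

# find_changed TREE EXPR...: run find from TREE with the exclusions applied,
# then the caller's test (for example "-newer MARKER" or "-mtime -1").
find_changed() {
    tree=$1
    shift
    (
        cd "$tree" || exit 1
        prune=""
        for p in $DEFAULT_EXCLUDES; do
            prune="$prune -o -path $p"
        done
        prune=${prune# -o}        # drop the leading " -o"
        if [ -n "$prune" ]; then
            # shellcheck disable=SC2086   # word splitting of $prune is intended
            find . \( $prune \) -prune -o -type f "$@" -print
        else
            find . -type f "$@" -print
        fi
    )
}

# modified_since MARKER TREE: files newer than MARKER (give an absolute path)
modified_since() {
    find_changed "$2" -newer "$1"
}

# modified_within_days TREE DAYS: the hint's -mtime approach, with exclusions
modified_within_days() {
    find_changed "$1" -mtime -"$2"
}

# run_scan TREE MARKER OUTDIR: cron entry point. Writes the list to a dated
# file, then touches MARKER so the next run only reports newer changes.
# On the first run there is no marker yet, so it falls back to the last day.
run_scan() {
    mkdir -p "$3"
    out="$3/ModFiles-$(date +%Y%m%d).txt"
    if [ -e "$2" ]; then
        modified_since "$2" "$1" > "$out"
    else
        modified_within_days "$1" 1 > "$out"
    fi
    touch "$2"
    printf '%s\n' "$out"
}

# Assumed cron usage: modscan.sh / /var/root/.modscan-marker /var/root/ModFiles
if [ $# -eq 3 ]; then
    run_scan "$1" "$2" "$3"
fi
```

Keep the marker file outside any directory a user can write to; if someone could touch it forward in time, the next scan would silently skip everything older than the new timestamp.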
Mac OS X Hints
http://hints.macworld.com/article.php?story=20060216144837950