Why did I need to recursively delete specific files, you ask? Well, recently one of my client's websites was attacked by malware. As part of the attack, the malware had added several files throughout the website file structure with a common filename or extension. I found that all the added files had a common .php5 extension. Looking through the file structure revealed a large number of files that needed removal. Some digging revealed a few Linux command line shortcuts to speed up your malware recovery or just remove unwanted files: putting find to work to remove the unwanted files with a single command.
Warning: These Commands Remove Files Permanently
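Before using any of the following commands, realize that they are going to delete your files. And as cool as I think they are, I have no idea what your setup looks like. So before you run any of them, make sure you have a good, complete, current backup of your data. It also helps to run each command once with -print in place of -delete, so you can review exactly which files it matches before anything is removed.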
Delete files with specific extensions
To remove all the files with a specific file extension, the following examples will set you up. This command will search from the current directory and delete all files with a php5 extension in all subdirectories.
find . -type f -name '*.php5' -delete
Or, for clarity's sake:
find . -type f -name '*.[add your extension here]' -delete
Delete files with a specific filename
If it is a specific filename you want to delete recursively, just remove the ‘*.extension’ and replace it with the filename.
find . -type f -name '[insert filename here]' -delete
The following command will delete all files named “debug.log” recursively through the current folder.
find . -type f -name 'debug.log' -delete
Or maybe you want to delete all the nginx access log files from 2018.
find /var/log/nginx/ -type f -name 'access.log-2018*.log' -delete
Usually these commands do what I want. But sometimes I need a command that also has a timeframe.
Delete files added within a specific timeframe
After removing all the files with a specific name or extension, I decided I needed one more step. So I hunted for a way to find all the files added within the last week. The client discovered the attack just over a week after the last update.
The following command will delete any files beneath the current directory that have been modified within the last 24 hours.
find . -type f -mtime -1 -delete
This command will delete any files beneath the current directory that have been modified within the last 48 hours.
find . -type f -mtime -2 -delete
And this command will delete any files beneath the current directory that have been modified within the last 96 hours. The number after the minus sign is the size of the window in days, so each additional number adds 24 hours to the check: -5, -6, etc. Keep the minus sign: with a plus sign, find matches files older than that many days instead, which on a live site is nearly everything.
find . -type f -mtime -4 -delete
Combine the two for specific files within a specific timeframe
By combining the commands above, you can delete any files ending in .log that sit beneath the current directory and have been modified within the last 96 hours.
find . -mtime -4 -type f -name '*.log' -delete
Those commands saved me a ton of time, and got my client back up and running. Hopefully they can do the same for you.
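A more cautious variant of the combined name-and-timeframe search, as an added example that is not part of the original post: it previews the matches, then hashes each file and moves it to a quarantine directory instead of deleting it. The function names, their arguments and the /root/quarantine path are assumptions made for this sketch, and it relies on sha256sum from GNU coreutils.

```shell
#!/bin/sh
# Added example; the function names and arguments are hypothetical.
# Requires find and sha256sum (GNU coreutils).

# preview_matches ROOT PATTERN DAYS
# Lists regular files under ROOT named PATTERN and modified less than
# DAYS*24 hours ago. Nothing is changed.
preview_matches() {
    find "${1%/}" -type f -name "$2" -mtime "-$3" -print
}

# quarantine_matches ROOT PATTERN DAYS DEST
# Same match, but each file is hashed into DEST/MANIFEST.sha256 and then
# moved to DEST under its original relative path, so a false positive can
# be restored and the samples stay available for analysis.
quarantine_matches() {
    q_root=${1%/} q_dest=${4%/}
    mkdir -p -- "$q_dest"
    # Keep DEST outside ROOT; the ! -path test only helps when DEST is
    # written with ROOT as its prefix.
    # -exec ... {} + hands names to the inner shell as arguments, so
    # spaces and newlines in filenames are safe.
    find "$q_root" -type f -name "$2" -mtime "-$3" ! -path "$q_dest/*" \
        -exec sh -c '
            root=$1 dest=$2; shift 2
            for f do
                rel=${f#"$root"/}
                mkdir -p -- "$dest/$(dirname -- "$rel")"
                sha256sum "$f" >> "$dest/MANIFEST.sha256"
                mv -- "$f" "$dest/$rel"
            done' sh "$q_root" "$q_dest" {} +
}

# Typical use from the site root (the destination path is an assumption):
#   preview_matches . '*.php5' 7
#   quarantine_matches . '*.php5' 7 /root/quarantine
```

The manifest records the hash and original path of every moved file, which gives you something to compare against a clean backup or to hand to whoever investigates how the files got there.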
Here are some of the resources that I used when researching this topic: