a bit off topic, how to find encrypted files (ransom attack)
Uwe Brauer
oub at mat.ucm.es
Thu Aug 11 12:48:48 CEST 2022
>>> "JC" == Juergen Christoffel <jc.gnupg18a at unser.net> writes:
> On Fri, Aug 05, 2022 at 05:45:53PM +0200, Uwe Brauer via Gnupg-users wrote:
>> 1. just for the first very rough analysis what is a convenient command to get a list of files that have high entropy?
> The first step might be to install tripwire and only check files, which
> tripwire reports as changed. See "man tripwire" after installing it.
Thanks very much!
> Regarding your attempt to find candidate files:
>> find . -iname '*.*' -follow -print -exec ent {} \;
> Files don't need to have a dot in their name. But they might have unusual
> characters in their names instead. So you might actually want to use
> find -type f -print0 | xargs -0 ent
Well thanks again, but this does not work as expected.
I obtain
,----
| Duplicate file name.
| ent -- Calculate entropy of file. Call
| with ent [options] [input-file]
|
| Options: -b Treat input as a stream of bits
| -c Print occurrence counts
| -f Fold upper to lower case letters
| -t Terse output in CSV format
| -u Print this message
|
| By John Walker
| http://www.fourmilab.ch/
| January 28th, 2008
`----
And adding any of these suggested options does not help.
> Tip: "man find" and "man xargs" describe what those zeroes mean.
I'll try it.
>> So I am not sure what is the best line, but the question boils down to
>> this, anybody know enough sed or awk or whatsoever to tell me how to filter the ent output?
> Gentle suggestion: you'd need to learn such basic usage yourself, before
> you rely on them as a tool, especially when attempting to secure your
> systems.
> Tips (for example):
> https://www.amazon.de/Learning-Perl-Making-Things-Possible/dp/1492094951 or
> https://www.amazon.de/Effective-awk-Programming-Universal-Processing/dp/1491904615
Thanks, my encounters with perl were, well, unpleasant.
I might, again, try to understand awk better.
Uwe Brauer
--
I strongly condemn Putin's war of aggression against the Ukraine.
I support to deliver weapons to Ukraine's military.
I support the ban of Russia from SWIFT.
I support the EU membership of the Ukraine.
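Added example (not part of the thread, and not code by either poster): the "Duplicate file name." message above is what `ent` prints when it is handed more than one file argument, which is exactly what `xargs -0 ent` does; `xargs -0 -n1 ent` or `ent -t` (terse CSV output) would be the usual workaround. The script below sidesteps `ent` entirely and computes the same Shannon entropy (bits per byte, 0 to 8) with `od` and `awk`, keeps the `find -print0` handling of odd file names from the thread, and prints only files at or above a threshold. The function names `entropy_of` and `list_high_entropy` and the default threshold of 7.5 bits/byte are assumptions, not anything the posters proposed.

```shell
#!/bin/sh
# Added example: per-file Shannon entropy without "ent", for spotting files that
# look encrypted (ransomware output) during a first rough triage.
# Assumptions: POSIX sh, od and awk; function names and the 7.5 threshold are ours.

# awk program: count byte values, then H = -sum p log2 p.
# With path unset it prints just the number; with path and thr set it prints
# "entropy<TAB>path" only when the file is at or above the threshold.
ENTROPY_AWK='
{ for (i = 1; i <= NF; i++) { cnt[$i]++; n++ } }
END {
    h = 0
    for (b in cnt) { p = cnt[b] / n; h -= p * log(p) / log(2) }
    if (path == "") printf "%.6f\n", h
    else if (h >= thr + 0) printf "%.6f\t%s\n", h, path
}'
export ENTROPY_AWK   # exported so the sh spawned by find -exec can see it

# entropy_of FILE -> entropy of FILE in bits per byte (empty file -> 0.000000)
entropy_of() {
    od -An -v -tu1 -- "$1" | awk "$ENTROPY_AWK"
}

# list_high_entropy DIR [THRESHOLD] -> "entropy<TAB>path" for every regular file
# under DIR scoring at or above THRESHOLD (default 7.5). Uses find -exec with
# "{} +" so file names containing spaces or newlines are passed intact.
list_high_entropy() {
    dir=$1
    thr=${2:-7.5}
    find "$dir" -type f -exec sh -c '
        thr=$1; shift
        for f; do
            od -An -v -tu1 -- "$f" | awk -v thr="$thr" -v path="$f" "$ENTROPY_AWK"
        done' sh "$thr" {} +
}

# Usage: ./entropy.sh /path/to/tree [threshold]
if [ -n "${1:-}" ]; then
    list_high_entropy "$1" "${2:-7.5}"
fi
```

The caveat a defender needs here: already-compressed formats (zip, gzip, JPEG, PDF streams, videos) also sit near 8 bits/byte, so a high-entropy listing is a candidate list, not proof of encryption. Combining it with the tripwire idea quoted above (only examine files whose checksums changed) cuts the noise considerably, and a sudden burst of high-entropy files across many directories is a stronger signal than any single file.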