Looking for strings of text in thousands of files at one time on a Mac can usually be accomplished using a simple "Find" function in a program such as BBedit. This method becomes problematic when you want to search for text strings within hidden files or files with restricted permissions such as config files in the hidden directories like /private or /usr.

Why would someone want to look in these folders? We for example recently had problems with our DNS changing hostnames without our knowledge and wanted to track down how this was happening. Because we knew the hostname was changing from powerbookG4.local to gmail.local we simply wanted to search for all system config files that might contain the text string "gmail".

After much searching and educating ourselves we found a simple solution using the command "grep" and Mac OS X's command line tool, Terminal.app. Because the text string "gmail" could appear in lots of files that might contain a gmail email address such as  myemail@gmail.com we made use of Regular Expressions to exclude text strings that would be email addresses and would thus give us false positives.

Here is the solution:

1. Open Terminal.app

2. change to root access by typing at the prompt # su root

Last login: Mon Apr  1 14:22:31 on console

powerbookG4:~ user$ su root

3. Enter your password when prompted

Password:

4. Navigate to the directory of files that you want to search using the cd command.

5. Enter the grep command to search for the appropriate text string: grep -irl '[^(@|o|n)]gmail[^(\.com)]' *

sh-3.2# grep -irl '[^(@|o|n)]gmail[^(\.com)]' *

I won't get into all the details of how grep works but the flags we used were -i (for case insensitive) -r (to search all files within the directory recursively) and -l (to list all the results). The next section is the regular expression of the text string you want to search for. Lastly the wildcard * just means to search in all files. If you wanted to only search in html files for example you could use *.html.

We used the regular expressions such as ^ to exclude any gmail email addresses and only find files where "gmail" occurred and exclude any strings such as xxxx@gmail.com.

After grep runs it will list all the files that contain your text string. Example list of files below.

var/log/asl/2010.04.04.U501.asl
var/log/asl/LongTTL.asl
var/log/daily.out
var/log/install.log
var/log/krb5kdc/kdc.log
var/log/samba/log.nmbd
var/log/secure.log
var/log/system.log

This method can be very useful if for example you know a certain virus string and are trying to find all the files on your system that have been affected by the virus string. An example of this would be for instance last summer's iframe injection trojans.