How to restore and delete files in Linux

When a Linux computer is intruded, it is common to delete log files to mask attackers. Management errors may also lead to accidental deletion of important files. For example, when clearing old logs, the active transaction logs of the database are accidentally deleted. Sometimes you can use lsof to restore these files.

When a process opens a file, as long as the process persists, it opens the file, even if it is deleted, it still exists in the disk. This means that the process does not know that the file has been deleted, and it can still read and write the file descriptor provided to it when the file is opened. In addition to this process, this file is invisible because the corresponding Directory Index node has been deleted.

The/proc directory contains various files that reflect the kernel and process tree. The/proc directory is mounted to a region mapped in the memory. Therefore, these files and directories are not stored in the disk. Therefore, when we read and write these files, in fact, it is getting the relevant information from the memory. Most lsof-related information is stored in the directory named after the PID of the process, that is, the/proc/1234 contains information about the process whose PID is 1234. Each process directory contains various files, which allow applications to easily understand the memory space, file descriptor list, symbolic links to files on the disk, and other system information of the process. The lsof program uses this information and other information about the internal status of the kernel to generate its output. Therefore, lsof can display the file descriptor of a process and related file names. That is, we can find information about the file by accessing the file descriptor of the process.

When a file in the system is accidentally deleted, as long as there are other processes in the system accessing the file, we can use lsof to restore the file content from the/proc directory. If the/var/log/messages file is deleted due to misoperations, the methods for restoring the/var/log/messages file are as follows:

First, use lsof to check whether a process opens the/var/logmessages file, as shown below:

[root@station90 yum.repos.d]# lsof | grep /var/log/messagessyslogd   2699      root    1w      REG                8,2   480817     330592 /var/log/messages (deleted)

From the above information, we can see that the file descriptor of PID 2699 syslogd is 1. You can also see that/var/log/messages has been marked as deleted. Therefore, we can view the corresponding information in each file named by number under/proc/2699/fd/1 fd to indicate the file descriptor of the process:

[root@station90 fd]# pwd/proc/2699/fd[root@station90 fd]# cat 1 | head -n 5Jan 13 08:59:02 station90 syslogd 1.4.1: restart.Jan 13 10:44:22 station90 syslogd 1.4.1: restart.Jan 13 10:44:22 station90 kernel: klogd 1.4.1, log source = /proc/kmsg started.Jan 13 10:44:22 station90 kernel: Linux version 2.6.18-164.el5 (mockbuild@x86-003.build.bos.redhat.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-46)) #1 SMP Tue Aug 18 15:51:48 EDT 2009Jan 13 10:44:22 station90 kernel: Command line: ro root=LABEL=/ rhgb quiet

From the above information, you can view/proc/2699/fd/1 to obtain the data to be restored. If you can view the corresponding data through the file descriptor, you can use I/O redirection to copy it to the file, such:

cat /proc/2699/fd/1 > /var/log/messages

Before restoration, the/var/log/messages file is promptly updated.

For many applications, especially log files and databases, this method is very useful for restoring and deleting files.