When a Linux computer is compromised, it is common for a log file to be deleted to mask the attacker's whereabouts. Administrative errors can also cause accidental deletion of important files, such as accidental deletion of the active transaction log of the database when the old log is cleaned up. Sometimes these files can be recovered by lsof.
When a process opens a file, it remains on disk as long as the process persists and the file is opened, even if it is deleted. This means that the process does not know that the file has been deleted, and it can still read and write to the file descriptor that was provided to it when the file was opened. In addition to the process, this file is not visible because its corresponding directory indexing node has been deleted.
In the/proc directory, it contains various files that reflect the kernel and the process tree. The/proc directory mounts an area that is mapped in memory, so these files and directories do not exist on disk, so when we read and write to these files, we actually get the relevant information from memory. Most lsof-related information is stored in the directory named by the process's PID, that is, the/proc/1234 contains information about the process with PID 1234. There are various files in each process directory that allow the application to simply understand the memory space of the process, file description characters, symbolic links to files on disk, and other system information. The LSOF program uses this information and other information about the internal state of the kernel to produce its output. So lsof can display information such as the file descriptor of the process and the associated file name. That is, we can find information about the file by accessing the file descriptor of the process.
When a file in the system is accidentally deleted, as long as there are processes in the system that are accessing the file, we can recover the contents of the file from the/proc directory by lsof. If the/var/log/messages file is deleted due to misoperation, then the method to restore the/var/log/messages file is as follows:
First use lsof to see if there is currently a process open/var/logmessages file, as follows:
| The code is as follows | Copy Code |
[Root@station90 yum.repos.d]# lsof | Grep/var/log/messages SYSLOGD 2699 Root 1w REG 8,2 480817 330592/var/log/messages (Deleted) |
|
From the above information you can see that the PID 2699 (SYSLOGD) Open file has a file descriptor of 1. You can also see that/var/log/messages has been marked for deletion. Therefore, we can view the corresponding information in the/PROC/2699/FD/1 (each of the digitally named files in the FD file descriptor), as follows:
| code is as follows | copy code |
| [Root@station90 fd]# pwd |
|
As you can see from the above information, you can see the/PROC/2699/FD/1 to get the data you want to recover. If you can view the data by using a file descriptor, you can use I/O redirection to copy it to a file, such as:
| The code is as follows | Copy Code |
CAT/PROC/2699/FD/1 >/var/log/messages |
|
Before the recovery, timely touch of the/var/log/messages file is also no problem
This method of recovering deleted files is useful for many applications, especially log files and databases.
Other methods Www.111cn.net
1, EXT2 file system structure of a simple introduction
In the Ext2 file system used by Linux, files are stored in blocks, and by default the size of each block is 1K, and different blocks are distinguished by block numbers. Each file also has a node that contains information such as file owners, read and write permissions, file types, and so on. For a file less than 12 blocks, the block number of the file data block is stored directly in the node. If the file is greater than 12 blocks, then the node stores a block number of an indirect block after 12 block numbers, in the block corresponding to this indirect block number, the block number of 256 file blocks is stored (each block number in the Ext2fs occupies 4 bytes, so that the block number that can be stored in a block is 1024/4=256). If there is a larger file, there will also be a level two indirect block and the * * Indirect block in the node.
2, restore the mistakenly deleted the document method
Most Linux distributions provide a DEBUGFS tool that you can use to edit the Ext2 file system. But before using this tool, there is still work to be done.
The partition in which the deleted file was mistakenly mounted is first reproduced in read-only mode. Use the following command: (assuming the file is in/usr partition)
Mount–r–n–o Remount/usr-r represents a read-only mount;-n means that the/etc/mtab is not written, and if the file on the/etc is restored, this argument is added. If the system says XXX partion busy, you can use the Fuser command to see which processes use the files on this partition:
| The code is as follows | Copy Code |
Fuser–v–m/usr |
|
If there are no important processes, use the command to stop them:
| The code is as follows | Copy Code |
Fuser-k–v–m/usr |
|
You can then mount the file systems again.
If you are installing all the files in one large/partition, you can use Linux single into Single-user mode at the boot prompt to minimize the chance that the system will write data to the hard disk, or simply hang the hard drive on another machine. In addition, the recovered data should not be written to/above to avoid damaging those useful data. If there are dos/windows on the machine, you can write to these partitions:
| The code is as follows | Copy Code |
Mount–r–n/dev/hda1/mnt/had |
|
Then you can perform DEBUGFS: (assuming Linux is/dev/hda5)
| The code is as follows | Copy Code |
#debugfs/dev/hda5 |
|
The Debugfs prompt Debugfs will appear:
Use the Lsdel command to list information for a number of deleted files:
| The code is as follows | Copy Code |
Word-wrap:break-word "bgcolor= #f3f3f3 > Debugfs:lsdel |
|
There are a lot of files listed (here are 2,692), the first field is the file node number, the second field is the file owner, the third field is read and write permissions, then the file size, the number of blocks, delete time.
Then you can judge the size of the file and the date of deletion to determine what we need. For example, we want to restore the node is 196829 files:
You can look at the file data status first:
| code is as follows | copy code |
| Debugfs:stat <196829> |
|
You can then recover the file with the dump command:
| The code is as follows | Copy Code |
Debugfs:dump <196829>/mnt/hda/01.sav |
|
This will restore the file. Exit Debugfs:
| The code is as follows | Copy Code |
Debugfs:quit |
|
Another way is to manually edit the Inode:
| code is as follows | copy code |
| Debugfs:mi <196829>
|
|
Each time you use the MI instruction to display one line of information for editing, the other rows can be confirmed by return directly, the deletion times to 0 (not deleted), Link count to 1. After the change, exit Debugfs:
| The code is as follows | Copy Code |
Debugfs:quit |
|
Then use fsck to check/dev/hda5
| The code is as follows | Copy Code |
Fsck/dev/hda5 |
|
The program says to find the missing block of data and put it in the lost+found. The files in this catalogue are what we want.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
