Method of restoring deleted log using lsof command after Linux system is invaded

Source: Internet
Author: User
Tags: apache, access log

Linux is the most common server operating system, and it also faces a large number of security incidents. Compared with Windows, Linux has clear access control and comprehensive management tools, giving it very high security and stability. After a Linux system has been compromised, attackers often clean out the various logs on the system, including the access and error logs, the last log, the message log, the secure log and so on, which puts a great deal of resistance in the way of later incident response and forensic analysis. Recovering cleared logs is therefore a very important step in forensics and analysis. This article works through a case of using the lsof command to recover a log file; the method applies to common log recovery work in general.

I. Prerequisites

The server must not be shut down, and the services or processes that still hold the deleted file open must not be stopped. To restore the Apache access log /var/log/httpd/access_log, for example, the system must not be shut down or rebooted and the httpd service must not be restarted.

II. Procedure

1. Find the relevant process PID

The code is as follows:

[root@localhost ~]# lsof | grep access_log
httpd 1392 root   7w REG 253,0 0 263802 /var/log/httpd/access_log
httpd 7330 apache 7w REG 253,0 0 263802 /var/log/httpd/access_log
httpd 7331 apache 7w REG 253,0 0 263802 /var/log/httpd/access_log
httpd 7332 apache 7w REG 253,0 0 263802 /var/log/httpd/access_log
httpd 7333 apache 7w REG 253,0 0 263802 /var/log/httpd/access_log
httpd 7334 apache 7w REG 253,0 0 263802 /var/log/httpd/access_log
httpd 7335 apache 7w REG 253,0 0 263802 /var/log/httpd/access_log
httpd 7336 apache 7w REG 253,0 0 263802 /var/log/httpd/access_log
httpd 7337 apache 7w REG 253,0 0 263802 /var/log/httpd/access_log

Here we focus on the first, second, third and fourth columns: the process name, the PID, the user and the file descriptor. The file descriptor here is 7w (descriptor 7, opened for writing), so remember this 7 for the next step.

2. Retrieve the log

The code is as follows:

[root@localhost ~]# wc -l /proc/1392/fd/7
55 /proc/1392/fd/7
[root@localhost ~]# cat /proc/1392/fd/7 > /var/log/httpd/access_log

We first inspect the log content through the wc or tail command, and then write it back to access_log.
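The two steps above, carried out end to end as an added example (this is not code from the original article). It uses the /proc/<pid>/fd/<n> links that the summary below describes and scans /proc directly instead of calling lsof, so it also works where lsof is not installed. It assumes Linux (a mounted /proc) and permission to read the holding process's descriptors, which for a daemon such as httpd means root. The function names find_deleted_fds, recover_deleted and demo_recover, the log lines and the temporary paths are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article: recover a deleted file
# that a running process still holds open, through the /proc/<pid>/fd/<n>
# links. Assumes Linux with /proc mounted and permission to read the holding
# process's descriptors (root for a daemon such as httpd).

# Print "PID FD" for every descriptor whose link target is "PATH (deleted)".
# "(deleted)" is the suffix the kernel appends to the readlink target of an
# unlinked file; lsof shows the same marker at the end of its NAME column.
find_deleted_fds() {
    for link in /proc/[0-9]*/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        if [ "$target" = "$1 (deleted)" ]; then
            pid=${link#/proc/}
            pid=${pid%%/*}
            printf '%s %s\n' "$pid" "${link##*/}"
        fi
    done
}

# Copy the still-referenced inode of PATH to DEST. DEST should be an evidence
# location, not the original path: writing back to /var/log/httpd/access_log
# creates a new inode, while httpd keeps appending to the deleted one until
# it reopens the log. Returns 1 when no process holds PATH open any more.
recover_deleted() {
    src_path=$1
    dest=$2
    entry=$(find_deleted_fds "$src_path" | head -n 1)
    [ -n "$entry" ] || return 1
    pid=${entry%% *}
    fd=${entry##* }
    cat "/proc/$pid/fd/$fd" > "$dest"
    printf 'recovered %s from pid %s fd %s into %s\n' \
        "$src_path" "$pid" "$fd" "$dest" >&2
}

# Self-contained demonstration with a constructed log: a background process
# holds it open on descriptor 7 (as httpd holds access_log on 7w), the file
# is deleted, and recover_deleted brings it back. Prints the recovered line
# count (2 for the constructed input).
demo_recover() {
    dir=$(mktemp -d)
    log="$(readlink -f "$dir")/access_log"
    printf '10.0.0.1 - - [constructed] "GET / HTTP/1.1" 200 1\n' > "$log"
    printf '10.0.0.2 - - [constructed] "GET /login HTTP/1.1" 302 0\n' >> "$log"
    # The holder opens the log on fd 7 and then becomes a sleeping process.
    sh -c 'exec 7>>"$1"; exec sleep 30' holder "$log" >/dev/null 2>&1 &
    holder=$!
    # Delete only after the holder has really opened the file on fd 7.
    tries=0
    while [ "$(readlink "/proc/$holder/fd/7" 2>/dev/null)" != "$log" ]; do
        tries=$((tries + 1))
        if [ "$tries" -ge 20 ]; then
            kill "$holder" 2>/dev/null || :
            rm -rf "$dir"
            return 1
        fi
        sleep 1
    done
    rm "$log"
    recover_deleted "$log" "$dir/access_log.recovered" || return 1
    lines=$(wc -l < "$dir/access_log.recovered")
    kill "$holder" 2>/dev/null || :
    wait "$holder" 2>/dev/null || :
    rm -rf "$dir"
    echo "$lines"
}

demo_recover
```

On a compromised host, run it as root and point the destination at separate evidence storage (a mounted volume or a copy pulled off the machine) and hash the result, rather than overwriting the original path as the article's cat command does; the daemon keeps writing to the deleted inode, so a fresh file at the old path will not receive new entries until the service reopens its log.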

III. Summary

Each process has a directory under the /proc filesystem of the Linux system, named after its process number, which contains an fd (file descriptor) subdirectory whose entries are links to the files the process has open. If a file is deleted while a process still has it open, its inode is still referenced through /proc/<process number>/fd/<file descriptor>. All we need to know is the PID of the process and the file descriptor of the currently open file, and the lsof tool lists the files each process has open. Through lsof we can therefore do simple file recovery work, and this is of course not limited to log files: any file still referenced by a running process can be recovered this way.
