recover deleted files

When a Linux host is compromised, the attacker commonly deletes log files to cover their tracks. Administrative mistakes cause the same problem, for example removing a database's active transaction log while cleaning up old logs. As long as some process still holds the deleted file open, its contents can often be recovered: lsof is used to find the process and the file descriptor, and the data is then read back through /proc.


The /proc directory is a pseudo-filesystem that exposes kernel state and the process tree. Nothing under it exists on disk; reads and writes of these entries are served directly from kernel memory. Most per-process information lives in a directory named after the PID, so /proc/1234 describes the process with PID 1234. Each process directory contains entries describing the process's memory map, its list of open file descriptors (as symbolic links to the files they refer to, under /proc/PID/fd), and other system information.


When a file is accidentally deleted, its directory entry is gone, but the inode and its data blocks are kept as long as some process still holds the file open, so the contents can be read back through /proc with the help of lsof. Suppose /var/log/messages has been removed by mistake; the procedure to restore it is as follows:

First use lsof to check whether any process currently has /var/log/messages open (if you do not know which file was deleted, lsof +L1 lists every open file whose link count has dropped to zero):

# lsof | grep /var/log/messages

syslogd   1283      root    2w      REG        3,3  5381017    1773647 /var/log/messages (deleted)

The output shows that PID 1283 (syslogd) has the file open on file descriptor 2 (the w after the number means it is open for writing), and that lsof marks the path as (deleted). The data can therefore be read through /proc/1283/fd/2: each numerically named entry under fd is a link to the file open on that descriptor, and opening it opens the same inode even though the path no longer exists:

# head -n 10 /proc/1283/fd/2

Aug  4 13:50:15 holmes86 syslogd 1.4.1: restart.

Aug  4 13:50:15 holmes86 kernel: klogd 1.4.1, log source = /proc/kmsg started.

Aug  4 13:50:15 holmes86 kernel: Linux version 2.6.22.1-8 ([email protected]) (gcc version 4.2.0) #1 SMP Wed Jul 18 11:18:32 EDT 2007


The first lines of the log appear, so the data to be recovered is reachable through /proc/1283/fd/2. If the contents can be viewed through the file descriptor, I/O redirection can copy them back to a file, for example:

cat /proc/1283/fd/2 > /var/log/messages

Two caveats apply. The recovery is only possible while the process keeps the descriptor open: once syslogd exits or closes it, the kernel frees the inode and its blocks. And writing a new /var/log/messages does not reattach syslogd to it; the daemon keeps appending to the old, unlinked inode until it is told to reopen its log (a SIGHUP for syslogd, or a restart), so signal the daemon after copying and accept that lines written between the copy and the reopen are lost. For a database, the copy is a point-in-time image taken while the process may still be writing, so validate it before use. With those limits in mind, this method of undeleting files is useful for many applications, especially log files and databases.
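The procedure above can be automated. The following POSIX shell script is an added example, not code from the original article: it walks /proc/PID/fd itself instead of grepping lsof output, reports every descriptor whose link target ends in (deleted), and copies a chosen one out while refusing to clobber an existing file. The script name recover_deleted.sh and the PROC_ROOT parameter are assumptions made here; PROC_ROOT defaults to /proc and exists only so the scan can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the original article): automate the lsof + /proc/<pid>/fd
# recovery procedure.  PROC_ROOT defaults to /proc; it is a parameter only so the
# scan can be run against a constructed fake tree.

# list_deleted_open_files [PROC_ROOT] [PATH]
# Prints "PID FD ORIGINAL_PATH" for every open descriptor whose /proc link target
# ends in " (deleted)", i.e. the inode is unlinked but still held open.  With PATH
# given, only descriptors that pointed at exactly that path are printed.
list_deleted_open_files() {
    proc_root=${1:-/proc}
    wanted=${2:-}
    for link in "$proc_root"/[0-9]*/fd/*; do
        [ -L "$link" ] || continue                          # unmatched glob or not a link
        target=$(readlink "$link" 2>/dev/null) || continue  # EPERM on other users' processes
        case $target in
            *' (deleted)') ;;
            *) continue ;;
        esac
        path=${target%' (deleted)'}
        if [ -n "$wanted" ] && [ "$path" != "$wanted" ]; then
            continue
        fi
        fd=${link##*/}
        pid=${link%/fd/*}
        pid=${pid##*/}
        printf '%s %s %s\n' "$pid" "$fd" "$path"
    done
    return 0
}

# recover_fd PID FD DEST [PROC_ROOT]
# Copies the still-allocated inode out through the descriptor link.  Opening
# /proc/PID/fd/N opens the same inode the process holds, from offset 0, so the
# whole file is read even though it no longer has a name on disk.  DEST must not
# already exist, so a mistyped PID/FD cannot overwrite something valuable.
recover_fd() {
    pid=$1; fd=$2; dest=$3; proc_root=${4:-/proc}
    src="$proc_root/$pid/fd/$fd"
    if [ ! -e "$src" ]; then
        echo "recover_fd: $src does not exist (process exited or closed the fd?)" >&2
        return 1
    fi
    if [ -e "$dest" ]; then
        echo "recover_fd: refusing to overwrite $dest" >&2
        return 1
    fi
    cat "$src" > "$dest"
}

# Three arguments: copy one descriptor out.  Otherwise list candidates,
# optionally filtered by the original path (e.g. /var/log/messages).
main() {
    if [ $# -eq 3 ]; then
        recover_fd "$1" "$2" "$3"
    else
        list_deleted_open_files /proc "${1:-}"
    fi
}

main "$@"
```

Run it as root with no arguments to list every unlinked-but-open file on the host, or with the path to narrow the list; `recover_deleted.sh 1283 2 /var/log/messages.recovered` then copies the syslogd inode out. Copy to a new name rather than the original path, check the copy, and only then tell the writer to reopen its log (SIGHUP for syslogd): the copy must be taken while the descriptor is still open, and the new file only starts receiving log lines once the daemon reopens the path.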

