
2015-08-31 19:44:00

一、利用FD恢复

文件描述符(FD)是一个索引值,指向内核为每个进程维护的已打开文件记录表。程序打开现有文件或创建新文件时,内核向进程返回一个文件描述符;在 Linux 上可以通过 "/proc/<进程ID>/fd" 查看某进程当前打开的所有文件。如果被删除的文件仍被某个进程打开着(常见于正在写入的日志、被进程占用的数据文件),那么恢复最为简单:只要通过该 FD 把内容复制出来即可。注意这种方法只在进程存活且没有关闭该 FD 之前有效——一旦进程退出或服务重启,inode 就会真正释放,所以在复制完成前不要重启相关服务。

示例:运行当中的apache访问日志被删

[root@localhost]# wc -l /etc/httpd/logs/access_log

0 /etc/httpd/logs/access_log

[root@localhost]# lsof /etc/httpd/logs/access_log

COMMAND  PID  USER   FD   TYPE DEVICE SIZE   NODE NAME

httpd   4888  root   12w   REG 253,0    0 555517 /etc/httpd/../../var/log/httpd/access_log

 

访问1次后的记录数:

[root@localhostlogs]# wc -l /etc/httpd/logs/access_log

3 /etc/httpd/logs/access_log

[root@localhost~]# echo "after rm" >> /etc/httpd/logs/access_log

删除:

[root@localhostlogs]# rm -f /etc/httpd/logs/access_log

[root@localhostlogs]# ls /etc/httpd/logs/access_log

ls: /etc/httpd/logs/access_log: 没有那个文件或目录

 

1次访问apache

恢复:

[root@localhost~]# ll /proc/4888/fd

总计 0

lr-x------1 root root 64 05-09 02:48 0 -> /dev/null

l-wx------1 root root 64 05-09 02:48 1 -> /dev/null

l-wx------1 root root 64 05-09 02:48 10 -> /var/log/httpd/error_log

l-wx------1 root root 64 05-09 02:48 11 -> /var/log/httpd/ssl_error_log

l-wx------1 root root 64 05-09 02:48 12 -> /var/log/httpd/access_log (deleted)

l-wx------1 root root 64 05-09 02:48 13 -> /var/log/httpd/ssl_access_log

l-wx------1 root root 64 05-09 02:48 14 -> /var/log/httpd/ssl_request_log

l-wx------1 root root 64 05-09 02:48 2 -> /var/log/httpd/error_log

lr-x------1 root root 64 05-09 02:48 3 -> /dev/urandom

lrwx------1 root root 64 05-09 02:48 4 -> socket:[16633]

lrwx------1 root root 64 05-09 02:48 5 -> socket:[16634]

lrwx------1 root root 64 05-09 02:48 6 -> socket:[16638]

lrwx------1 root root 64 05-09 02:48 7 -> socket:[16639]

lr-x------1 root root 64 05-09 02:48 8 -> pipe:[16659]

l-wx------1 root root 64 05-09 02:48 9 -> pipe:[16659]

[root@localhost~]#

[root@localhost~]# cp /proc/4888/fd/12 httpd_accesslog

[root@localhost~]# wc -l httpd_accesslog

7 httpd_accesslog

可以看到,文件被 rm 之后 httpd 继续写入的访问记录也一并恢复了,因为 httpd 一直持有该 inode 的写句柄(fd 12 上标记的 "(deleted)")。复制出来的只是当前时刻的快照,httpd 此后的日志仍会写进已删除的 inode;要让日志回到正常路径,可以先用同样的方式把内容写回原路径,再对 httpd 做 graceful 重启使其重新打开日志文件。从应急响应的角度看,攻击者删除日志或删掉自身可执行文件以隐藏痕迹时,进程往往仍持有句柄,用 "lsof +L1"(列出链接数为 0 的已打开文件)或 "lsof -nP | grep deleted" 可以一次性排查整机所有"已删除但仍被打开"的文件。

 

二、使用恢复工具

2.1 ext3grep

安装很简单,我用 rhel5.4 来测,直接用 yum 安装。ext3grep 面向 ext2/ext3(不支持 ext4 的 extent 布局),ext4 请使用下面 2.2 节的 extundelete。

 

[root@localhost~]#mkfs.ext3 /dev/sdb1

[root@localhost~]#mount /dev/sdb1 /data

 

[root@localhost~]# cp extundelete-0.2.3.tar.bz2 /data

[root@localhost~]# cp extundelete-0.2.4.tar.gz  /data

[root@localhost~]# cp extundelete-0.2.4.tar.bz2 /data

[root@localhost~]# rm /data/*.bz2

[root@localhost~]# rm /data/*.gz

 

恢复:

先 umount 分区。发现误删后应第一时间卸载(或 mount -o remount,ro),任何后续写入都可能复用被删文件的数据块而导致无法恢复;恢复工具的输出目录,以及 ext3grep 在当前目录生成的缓存文件(如后面出现的 sdb1.ext3grep.stage2),都必须放在另一块文件系统上。如果涉及取证,建议先用 dd 对分区做镜像,在镜像文件上运行恢复工具,以保全原始证据。

[root@localhost~]# umount /data

 

查看分区文件列表:

[root@localhost~]# ext3grep --ls --inode 2 /dev/sdb1

Runningext3grep version 0.10.2

WARNING:I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.

Number ofgroups: 40

Loadinggroup metadata... done

Minimum /maximum journal block: 841 / 34478

Loadingjournal descriptors... sorting... done

Theoldest inode block that is still in the journal, appears to be from 1398895997= Thu May  1 06:13:17 2014

Number ofdescriptors in journal: 38; min / max sequence numbers: 2 / 10

Inode isAllocated

Loadingsdb1.ext3grep.stage2... done

The firstblock of the directory is 835.

Inode 2is directory "".

Directoryblock 835:

          .-- File type in dir_entry (r=regularfile, d=directory, l=symlink)

          |          .-- D: Deleted ; R: Reallocated

Indx Next|  Inode  | Deletion time                       Mode        File name

==========+==========+----------------data-from-inode------+-----------+=========

   0    1d       2                                        drwxr-xr-x  .

   1    2d       2                                        drwxr-xr-x  ..

   2  endd      11                                        drwx------  lost+found

   3    4r   49153 D 1398898164 Thu May  1 06:49:242014  rrw-r--r--  extundelete-0.2.3.tar.bz2

   4  endr   49154 D 1398898164 Thu May  1 06:49:242014  rrw-r--r--  extundelete-0.2.4.tar.gz

   5  endr   49155 D 1398898164 Thu May  1 06:49:242014  rrw-r--r--  extundelete-0.2.4.tar.bz2

 

标记为"D" 的为被删掉的文件。

 

恢复文件:

 

[root@localhost~]# ext3grep --restore-all /dev/sdb1

Runningext3grep version 0.10.2

WARNING:I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.

Number ofgroups: 40

Minimum /maximum journal block: 841 / 34478

Loadingjournal descriptors... sorting... done

Theoldest inode block that is still in the journal, appears to be from 1398895997= Thu May  1 06:13:17 2014

Number ofdescriptors in journal: 38; min / max sequence numbers: 2 / 10

Loadingsdb1.ext3grep.stage2... done

Restoringextundelete-0.2.3.tar.bz2

Restoringextundelete-0.2.4.tar.bz2

Restoringextundelete-0.2.4.tar.gz

 

ext3grep 恢复时会在当前目录创建一个名为 RESTORED_FILES 的目录用于存放恢复的数据(当前目录不能位于待恢复的分区上)。

[root@localhost~]# ll RESTORED_FILES/

总计 956

-rw-r--r--1 root root 108691 05-01 06:13 extundelete-0.2.3.tar.bz2

-rw-r--r--1 root root 108472 05-01 06:13 extundelete-0.2.4.tar.bz2

-rw-r--r--1 root root 722298 05-01 06:13 extundelete-0.2.4.tar.gz

drwx------2 root root   4096 05-01 06:10 lost+found

 

[root@localhost~]# cd RESTORED_FILES/

[root@localhostRESTORED_FILES]# ls

extundelete-0.2.3.tar.bz2  extundelete-0.2.4.tar.bz2  extundelete-0.2.4.tar.gz  lost+found

[root@localhostRESTORED_FILES]# tar jxvf extundelete-0.2.3.tar.bz2

extundelete-0.2.3/

extundelete-0.2.3/acinclude.m4

extundelete-0.2.3/missing

extundelete-0.2.3/autogen.sh

extundelete-0.2.3/aclocal.m4

extundelete-0.2.3/configure

......

 

2.2 extundelete

extundelete 支持 ext3/ext4 文件系统。

安装:

[root@localhost~]# yum install e2fsprogs e2fsprogs-devel    # 编译 extundelete 需要 e2fsprogs 的头文件和库

[root@localhost~]# tar jxvf extundelete-0.2.4.tar.bz2

[root@localhost~]# cd extundelete-0.2.4

[root@localhostextundelete-0.2.4]# ./configure --prefix=/opt/undelete

Configuringextundelete 0.2.4

Writinggenerated files to disk

[root@localhostextundelete-0.2.4]# make

make -sall-recursive

Makingall in src

extundelete.cc:105:警告:未使用的参数 ret_flags

extundelete.cc:571:警告:未使用的参数 flags

block.c:In function ‘extundelete_block_iterate3’:

block.c:840:警告:标号 errout 定义后未使用

block.c:620:警告:未使用的变量 r

 

上面的警告不影响使用

[root@localhostextundelete-0.2.4]# make install

 

恢复:

[root@localhost~]# /opt/undelete/bin/extundelete --inode 2 /dev/sdb1

NOTICE:Extended attributes are not restored.

Loadingfilesystem metadata ... 40 groups loaded.

Group: 0

Contentsof inode 2:

0000 | ed41 00 00 00 10 00 00 35 87 61 53 35 87 61 53 | .A......5.aS5.aS

0010 | 3587 61 53 00 00 00 00 00 00 02 00 08 00 00 00 | 5.aS............

0020 | 0000 00 00 00 00 00 00 43 03 00 00 00 00 00 00 | ........C.......

0030 | 0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0040 | 0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0050 | 0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0060 | 0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0070 | 0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

 

Inode isAllocated

Filemode: 16877

Low 16bits of Owner Uid: 0

Size inbytes: 4096

Accesstime: 1398900533

Creationtime: 1398900533

Modificationtime: 1398900533

DeletionTime: 0

Low 16bits of Group Id: 0

Linkscount: 2

Blockscount: 8

Fileflags: 0

Fileversion (for NFS): 0

File ACL:0

DirectoryACL: 0

Fragmentaddress: 0

Directblocks: 835, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

Indirectblock: 0

Doubleindirect block: 0

Tripleindirect block: 0

 

Filename              | Inode number      |Deleted status

.                              2

..                             2

lost+found                     11             Deleted

extundelete-0.2.3.tar.bz2      49153          Deleted

extundelete-0.2.4.tar.bz2      49154          Deleted

extundelete-0.2.4.tar.gz       49155          Deleted

 

[root@localhost~]# /opt/undelete/bin/extundelete --restore-all /dev/sdb1

NOTICE:Extended attributes are not restored.

Loadingfilesystem metadata ... 40 groups loaded.

Loadingjournal descriptors ... 25 descriptors loaded.

Searchingfor recoverable inodes in directory / ...

4recoverable inodes found.

Lookingthrough the directory structure for deleted files ...

0recoverable inodes still lost.

 

extundelete恢复时会在当前目录创建一个名为RECOVERED_FILES的目录用于存放恢复的数据

 

[root@localhost~]# ls -lh  RECOVERED_FILES/

总计 948K

-rw-r--r--1 root root 107K 05-01 07:30 extundelete-0.2.3.tar.bz2

-rw-r--r--1 root root 106K 05-01 07:30 extundelete-0.2.4.tar.bz2

-rw-r--r--1 root root 706K 05-01 07:30 extundelete-0.2.4.tar.gz

 

 

2.3 使用photorec

如果不小心把磁盘重新分区并格式化,文件系统元数据已经丢失,这时可以使用 photorec 按文件特征(签名)直接从磁盘扇区中雕刻(carving)出数据,我很佩服这个工具的强大。

测试过程:

清空磁盘、重新分区并格式化(注意:下面的 dd 会清空整块 /dev/sdb,执行前务必确认设备名无误)

[root@localhost~]# dd if=/dev/zero of=/dev/sdb

[root@localhost~]# fdisk /dev/sdb <<EOF

> n

> p

> 1

>

>

> wq

> EOF

[root@localhost~]# mkfs.ext3 /dev/sdb1

[root@localhost~]# mount /dev/sdb1 /disk    # 原文省略了挂载步骤,下面的文件放在 /disk 下

[root@localhost~]# cp  epel-release-5-4.noarch.rpm /disk/

[root@localhost~]# cp /u01/oracle/oradata/orcl/users01.dbf /disk/

[root@localhost~]# ll -h /disk/

总计 5.2M

-rw-r--r--1 root root  12K 05-09 03:55epel-release-5-4.noarch.rpm

drwx------2 root root  16K 05-09 03:54 lost+found

-rw-r-----1 root root 5.1M 05-09 03:56 users01.dbf

 

目录disk有一个rpm包和一个oracle的数据文件

 

格式化磁盘(模拟误格式化;已挂载的分区 mkfs 会拒绝操作,需先 umount)

[root@localhost~]# umount /disk

[root@localhost~]# mkfs.ext3 /dev/sdb1

 

#恢复过程:

photorec 内置支持多种文件类型,如果需要恢复的文件类型不在其列,就需要自己定义签名,比如上面的 oracle 数据文件。可以用 fidentify 来确认 photorec 是否识别某种文件格式。

[root@localhost~]# fidentify /u01/oracle/oradata/orcl/users01.dbf

/u01/oracle/oradata/orcl/users01.dbf:unknown

自定义文件格式

每行的语法为:扩展名 偏移量 十六进制签名(文件在该偏移处的固定魔数)

 

photorec自定义的文件格式位于当前执行目录的一个名为photorec.sig 的文件中,如果没有这个文件则可以新建一个。

 

先确定oracle的数据文件头部内容:

[root@localhost~]# hexdump -C /u01/oracle/oradata/orcl/users01.dbf  |head

00000000  00 a2 00 00 00 00 c0 ff  00 00 00 00 00 00 00 00  |................|

00000010  e6 f8 00 00 00 20 00 00  80 02 00 00 7d 7c 7b 7a  |..... ......}|{z|

00000020  a0 81 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

*

00002000  0b a2 00 00 01 00 00 01  00 00 00 00 00 00 01 04  |................|

00002010  35 3d 00 00 00 00 00 00  00 01 20 0a 0d b6 e5 51  |5=........ ....Q|

00002020  4f 52 43 4c 00 00 00 00  9e 01 00 00 80 02 00 00  |ORCL............|

00002030  00 20 00 00 04 00 03 00  00 00 00 00 00 00 00 00  |. ..............|

00002040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

 

自定义photorec.sig

[root@localhost ~]# vi photorec.sig 根据上面的信息输入以下内容

dbf 0 0x00a200000000c0ff0000000000000000
(这 16 字节取自本机 users01.dbf 的块头;不同 Oracle 版本、平台或块大小的数据文件头部不一定相同,换到其他环境前应先用 hexdump 核对并重新 fidentify 验证,否则可能漏识或误识。)

 

重新确认photorec是否支持

[root@localhost~]# fidentify /u01/oracle/oradata/orcl/users01.dbf

/u01/oracle/oradata/orcl/users01.dbf:dbf

新建一个目录用来存放恢复出来的文件后开始恢复。该目录必须位于另一块磁盘/文件系统上,绝不能放在正在恢复的 /dev/sdb 上(否则写入会覆盖待恢复的数据);实际中还要注意此目录所在磁盘的剩余空间大小,carving 出来的数据量可能远大于原文件。

[root@localhost~]# mkdir res_pho

[root@localhost~]# photorec /dev/sdb

processd->enter

wholedisk <-> File opt 选择要恢复的文件类型

s取消全选并勾选需要恢复的文件类型

[X] customOwn custom signatures      --自定义的dbf文件

[X]rpm  RPM package --rpm

 

选好后按enter返回

[search]

选择文件系统类型[ext2/ext3]

选择恢复文件的存放目录,然后按c开始进行恢复

恢复完成后可以到恢复目录查看,一般来说photorec是获取不到需恢复文件的文件名的,恢复的文件名会以扇区号命名。

[root@localhost~]# ls res_pho/recup_dir.1/

f0950423.rpm  f0983103.dbf report.xml

[root@localhost~]# rpm -qlp res_pho/recup_dir.1/f0950423.rpm

/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL

/etc/yum.repos.d/epel-testing.repo

/etc/yum.repos.d/epel.repo

/usr/share/doc/epel-release-5

/usr/share/doc/epel-release-5/GPL

[root@localhost~]# rpm -qlp epel-release-5-4.noarch.rpm

/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL

/etc/yum.repos.d/epel-testing.repo

/etc/yum.repos.d/epel.repo

/usr/share/doc/epel-release-5

/usr/share/doc/epel-release-5/GPL

 

从上可以看到 2 个文件都已经从格式化后的磁盘中恢复。不过 carving 恢复出的文件可能被截断或尾部带有多余数据,文件列表一致并不等于内容一致;有原件时建议用 md5sum/sha256sum 比对校验和,rpm 包还可以用 rpm -K 校验签名,确认完整性后再使用。

 

三、使用哪个软件好点?

此外还测过 scalpel、foremost、ext4magic 等,软件无分优劣,适用自己的就行。就个人来说,当有文件被删时,首先用方法一(通过 /proc/<PID>/fd)恢复;如果需要用到软件,那么 extundelete 和 ext3grep 是相当好的选择,过程简单,并能保留原始文件名;如果磁盘、文件系统损坏或磁盘被重新分区格式化,那就使用 photorec、scalpel、foremost 这类基于文件签名的雕刻工具。无论用哪种方式,都要在第一时间停止对目标分区的写入,并把恢复结果输出到其他磁盘。
