2015年(68)
分类: 系统运维
2015-08-31 19:44:00
一、利用FD恢复
FD(文件描述符)是一个索引值,指向内核为每一个进程所维护的该进程打开文件的记录表。当程序打开一个现有文件或者创建一个新文件时,内核向进程返回一个文件描述符,linux的话fd一般位于"/proc/进程ID/fd"。如果被删除的文件正被某一进程打开,那么这种情况的恢复最为简单,只要通过FD来恢复就行。
示例:运行当中的apache访问日志被删
[root@localhost]# wc -l /etc/httpd/logs/access_log
0/etc/httpd/logs/access_log
[root@localhost]#lsof /etc/httpd/logs/access_log
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 4888 root 12w REG 253,0 0 555517 /etc/httpd/../../var/log/httpd/access_log
访问1次后的记录数:
[root@localhostlogs]# wc -l /etc/httpd/logs/access_log
3/etc/httpd/logs/access_log
[root@localhost~]# echo "after rm" >> /etc/httpd/logs/access_log
删除:
[root@localhostlogs]# rm -f /etc/httpd/logs/access_log
[root@localhostlogs]# ls /etc/httpd/logs/access_log
ls:/etc/httpd/logs/access_log: 没有那个文件或目录
再1次访问apache
恢复:
root@localhost~]# ll /proc/4888/fd
总计 0
lr-x------1 root root 64 05-09 02:48 0 -> /dev/null
l-wx------1 root root 64 05-09 02:48 1 -> /dev/null
l-wx------1 root root 64 05-09 02:48 10 -> /var/log/httpd/error_log
l-wx------1 root root 64 05-09 02:48 11 -> /var/log/httpd/ssl_error_log
l-wx------1 root root 64 05-09 02:48 12 -> /var/log/httpd/access_log (deleted)
l-wx------1 root root 64 05-09 02:48 13 -> /var/log/httpd/ssl_access_log
l-wx------1 root root 64 05-09 02:48 14 -> /var/log/httpd/ssl_request_log
l-wx------1 root root 64 05-09 02:48 2 -> /var/log/httpd/error_log
lr-x------1 root root 64 05-09 02:48 3 -> /dev/urandom
lrwx------1 root root 64 05-09 02:48 4 -> socket:[16633]
lrwx------1 root root 64 05-09 02:48 5 -> socket:[16634]
lrwx------1 root root 64 05-09 02:48 6 -> socket:[16638]
lrwx------1 root root 64 05-09 02:48 7 -> socket:[16639]
lr-x------1 root root 64 05-09 02:48 8 -> pipe:[16659]
l-wx------1 root root 64 05-09 02:48 9 -> pipe:[16659]
[root@localhost~]#
[root@localhost~]# cp /proc/4888/fd/12 httpd_accesslog
[root@localhost~]# wc -l httpd_accesslog
7 httpd_accesslog
可以看到删除后的访问记录也可以恢复
二、使用恢复工具
2.1 ext3grep
安装很简单,我用rhel5.4来测,直接用yum安装。
[root@localhost~]#mkfs.ext3 /dev/sdb1
[root@localhost~]#mount /dev/sdb1 /data
[root@localhost~]# cp extundelete-0.2.3.tar.bz2 /data
[root@localhost~]# cp extundelete-0.2.4.tar.gz /data
[root@localhost~]# cp extundelete-0.2.4.tar.bz2 /data
[root@localhost~]# rm /data/*.bz2
[root@localhost~]# rm /data/*.gz
恢复:
umount分区
[root@localhost~]# umount /data
查看分区文件列表:
[root@localhost~]# ext3grep --ls --inode 2 /dev/sdb1
Runningext3grep version 0.10.2
WARNING:I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number ofgroups: 40
Loadinggroup metadata... done
Minimum /maximum journal block: 841 / 34478
Loadingjournal descriptors... sorting... done
Theoldest inode block that is still in the journal, appears to be from 1398895997= Thu May 1 06:13:17 2014
Number ofdescriptors in journal: 38; min / max sequence numbers: 2 / 10
Inode isAllocated
Loadingsdb1.ext3grep.stage2... done
The firstblock of the directory is 835.
Inode 2is directory "".
Directoryblock 835:
.-- File type in dir_entry (r=regularfile, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next| Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1d 2 drwxr-xr-x .
1 2d 2 drwxr-xr-x ..
2 endd 11 drwx------ lost+found
3 4r 49153 D 1398898164 Thu May 1 06:49:242014 rrw-r--r-- extundelete-0.2.3.tar.bz2
4 endr 49154 D 1398898164 Thu May 1 06:49:242014 rrw-r--r-- extundelete-0.2.4.tar.gz
5 endr 49155 D 1398898164 Thu May 1 06:49:242014 rrw-r--r-- extundelete-0.2.4.tar.bz2
标记为"D" 的为被删掉的文件。
恢复文件:
[root@localhost~]# ext3grep --restore-all /dev/sdb1
Runningext3grep version 0.10.2
WARNING:I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number ofgroups: 40
Minimum /maximum journal block: 841 / 34478
Loadingjournal descriptors... sorting... done
Theoldest inode block that is still in the journal, appears to be from 1398895997= Thu May 1 06:13:17 2014
Number ofdescriptors in journal: 38; min / max sequence numbers: 2 / 10
Loadingsdb1.ext3grep.stage2... done
Restoringextundelete-0.2.3.tar.bz2
Restoringextundelete-0.2.4.tar.bz2
Restoringextundelete-0.2.4.tar.gz
用ex3grep恢复时会在当前目录创建一个名为RESTORED_FILES的目录用于存放恢复的数据
[root@localhost~]# ll RESTORED_FILES/
总计 956
-rw-r--r--1 root root 108691 05-01 06:13 extundelete-0.2.3.tar.bz2
-rw-r--r--1 root root 108472 05-01 06:13 extundelete-0.2.4.tar.bz2
-rw-r--r--1 root root 722298 05-01 06:13 extundelete-0.2.4.tar.gz
drwx------2 root root 4096 05-01 06:10 lost+found
[root@localhost~]# cd RESTORED_FILES/
[root@localhostRESTORED_FILES]# ls
extundelete-0.2.3.tar.bz2 extundelete-0.2.4.tar.bz2 extundelete-0.2.4.tar.gz lost+found
[root@localhostRESTORED_FILES]# tar jxvf extundelete-0.2.3.tar.bz2
extundelete-0.2.3/
extundelete-0.2.3/acinclude.m4
extundelete-0.2.3/missing
extundelete-0.2.3/autogen.sh
extundelete-0.2.3/aclocal.m4
extundelete-0.2.3/configure
......
2.2 extundelete
extundelete支持ext3和ext4文件系统
安装:
[root@localhost~]# yum search e2fsprogs e2fsprogs-devel
[root@localhost~]# tar jxvf extundelete-0.2.4.tar.bz2
[root@localhost~]# cd extundelete-0.2.4
[root@localhostextundelete-0.2.4]# ./configure --prefix=/opt/undelete
Configuringextundelete 0.2.4
Writinggenerated files to disk
[root@localhostextundelete-0.2.4]# make
make -sall-recursive
Makingall in src
extundelete.cc:105:警告:未使用的参数 ‘ret_flags’
extundelete.cc:571:警告:未使用的参数 ‘flags’
block.c:In function ‘extundelete_block_iterate3’:
block.c:840:警告:标号 ‘errout’ 定义后未使用
block.c:620:警告:未使用的变量 ‘r’
上面的警告不影响使用
[root@localhostextundelete-0.2.4]# make install
恢复:
[root@localhost~]# /opt/undelete/bin/extundelete --inode 2 /dev/sdb1
NOTICE:Extended attributes are not restored.
Loadingfilesystem metadata ... 40 groups loaded.
Group: 0
Contentsof inode 2:
0000 | ed41 00 00 00 10 00 00 35 87 61 53 35 87 61 53 | .A......5.aS5.aS
0010 | 3587 61 53 00 00 00 00 00 00 02 00 08 00 00 00 | 5.aS............
0020 | 0000 00 00 00 00 00 00 43 03 00 00 00 00 00 00 | ........C.......
0030 | 0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode isAllocated
Filemode: 16877
Low 16bits of Owner Uid: 0
Size inbytes: 4096
Accesstime: 1398900533
Creationtime: 1398900533
Modificationtime: 1398900533
DeletionTime: 0
Low 16bits of Group Id: 0
Linkscount: 2
Blockscount: 8
Fileflags: 0
Fileversion (for NFS): 0
File ACL:0
DirectoryACL: 0
Fragmentaddress: 0
Directblocks: 835, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirectblock: 0
Doubleindirect block: 0
Tripleindirect block: 0
Filename | Inode number |Deleted status
. 2
.. 2
lost+found 11 Deleted
extundelete-0.2.3.tar.bz2 49153 Deleted
extundelete-0.2.4.tar.bz2 49154 Deleted
extundelete-0.2.4.tar.gz 49155 Deleted
[root@localhost~]# /opt/undelete/bin/extundelete --restore-all /dev/sdb1
NOTICE:Extended attributes are not restored.
Loadingfilesystem metadata ... 40 groups loaded.
Loadingjournal descriptors ... 25 descriptors loaded.
Searchingfor recoverable inodes in directory / ...
4recoverable inodes found.
Lookingthrough the directory structure for deleted files ...
0recoverable inodes still lost.
用extundelete恢复时会在当前目录创建一个名为RECOVERED_FILES的目录用于存放恢复的数据
[root@localhost~]# ls -lh RECOVERED_FILES/
总计 948K
-rw-r--r--1 root root 107K 05-01 07:30 extundelete-0.2.3.tar.bz2
-rw-r--r--1 root root 106K 05-01 07:30 extundelete-0.2.4.tar.bz2
-rw-r--r--1 root root 706K 05-01 07:30 extundelete-0.2.4.tar.gz
2.3 使用photorec
如果不小心把磁盘给分区并格式化,这个时候可以使用photo来恢复,我很佩服这个工具的强大。
测试过程:
清空磁盘、从新分区格式化
[root@localhost~]# dd if=/dev/zero of=/dev/sdb
[root@localhost~]# fdisk /dev/sdb <<EOF
> n
> p
> 1
>
>
> wq
> EOF
[root@localhost~]# mkfs.ext3 /dev/sdb1
[root@localhost~]# cp epel-release-5-4.noarch.rpm /disk/
[root@localhost~]# cp /u01/oracle/oradata/orcl/users01.dbf /disk/
[root@localhost~]# ll -h /disk/
总计 5.2M
-rw-r--r--1 root root 12K 05-09 03:55epel-release-5-4.noarch.rpm
drwx------2 root root 16K 05-09 03:54 lost+found
-rw-r-----1 root root 5.1M 05-09 03:56 users01.dbf
目录disk有一个rpm包和一个oracle的数据文件
格式化磁盘
[root@localhost~]# mkfs.ext3 /dev/sdb1
#恢复过程:
photorec支持多种文件类型,如果需要恢复的文件类型不支持,那么就需要自已定义,比如上面的oracle数据文件。可以用fidentify来确认文件格式photorec是否支持。
[root@localhost~]# fidentify /u01/oracle/oradata/orcl/users01.dbf
/u01/oracle/oradata/orcl/users01.dbf:unknown
自定义文件格式
语法为:文件后缀 内容位置 内容
photorec自定义的文件格式位于当前执行目录的一个名为photorec.sig 的文件中,如果没有这个文件则可以新建一个。
先确定oracle的数据文件头部内容:
[root@localhost~]# hexdump -C /u01/oracle/oradata/orcl/users01.dbf |head
00000000 00 a2 00 00 00 00 c0 ff 00 00 00 00 00 00 00 00 |................|
00000010 e6 f8 00 00 00 20 00 00 80 02 00 00 7d 7c 7b 7a |..... ......}|{z|
00000020 a0 81 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00002000 0b a2 00 00 01 00 00 01 00 00 00 00 00 00 01 04 |................|
00002010 35 3d 00 00 00 00 00 00 00 01 20 0a 0d b6 e5 51 |5=........ ....Q|
00002020 4f 52 43 4c 00 00 00 00 9e 01 00 00 80 02 00 00 |ORCL............|
00002030 00 20 00 00 04 00 03 00 00 00 00 00 00 00 00 00 |. ..............|
00002040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
自定义photorec.sig
[root@localhost ~]# vi photorec.sig 根据上面的信息输入以下内容
dbf 0 0x00a200000000c0ff0000000000000000
重新确认photorec是否支持
[root@localhost~]# fidentify /u01/oracle/oradata/orcl/users01.dbf
/u01/oracle/oradata/orcl/users01.dbf:dbf
新建一目录用来存放恢复出来的文件后开始恢复,实际中要注意此目录所在磁盘的剩余空间大小。
[root@localhost~]# mkdir res_pho
[root@localhost~]# photorec /dev/sdb
processd->enter
wholedisk <-> File opt 选择要恢复的文件类型
按s取消全选并勾选需要恢复的文件类型
[X] customOwn custom signatures --自定义的dbf文件
[X]rpm RPM package --rpm包
选好后按enter返回
[search]
选择文件系统类型[ext2/ext3]
选择恢复文件的存放目录,然后按c开始进行恢复
恢复完成后可以到恢复目录查看,一般来说photorec是获取不到需恢复文件的文件名的,恢复的文件名会以扇区号命名。
[root@localhost~]# ls res_pho/recup_dir.1/
f0950423.rpm f0983103.dbf report.xml
[root@localhost~]# rpm -qlp res_pho/recup_dir.1/f0950423.rpm
/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
/etc/yum.repos.d/epel-testing.repo
/etc/yum.repos.d/epel.repo
/usr/share/doc/epel-release-5
/usr/share/doc/epel-release-5/GPL
[root@localhost~]# rpm -qlp epel-release-5-4.noarch.rpm
/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
/etc/yum.repos.d/epel-testing.repo
/etc/yum.repos.d/epel.repo
/usr/share/doc/epel-release-5
/usr/share/doc/epel-release-5/GPL
从上可以看到2个文件都已经从格式化后的磁盘中恢复。
四、使用哪个软件好点?
此外还测过scalpel,foremost,ext4magic等,软件无分优劣,适用自己的就行,就个人来说,当有文件被删时,首先是用方法1来恢复就行;如果需要用到软件,那么用extundelete和ext3grep是相当好的选择,过程简单,并能使用原始文件名;如果磁盘、文件系统损坏或磁盘被分区格式化,那就使用photorec、scalpel或foremost
