Linux security tools: recovering accidentally deleted files with extundelete

1: Introduction

On Linux we regularly get into trouble by deleting files by mistake. `rm -rf <file>`, and the -rf flags in particular, are every sysadmin's nightmare. But have you ever wondered why deleting a file is so fast, while copying one is so slow?

Whether you run rm or rm -rf, what actually gets removed is only the file's name (its directory entry); the data itself still sits in the disk sectors until something overwrites it. That, at least, is my understanding. So how do we get the data back after a deletion? The experiment below walks through basic use of the extundelete tool.

 

2: Lab environment

System: CentOS6.4_x64-mini.iso

Tool: extundelete-0.2.4.tar.bz2

extundelete homepage: http://extundelete.sourceforge.net/

Note: this whole post consists of Linux commands only, with no screenshots; adding images to the blog is too much hassle.

One more word about the environment: my test directory is mounted on a separate disk, otherwise the walkthrough would be hard to follow.

Why mount a separate disk? Think about it: in a company, for safety's sake, the data disk and the system disk are always kept apart.

As soon as data on the data disk has been deleted you must umount it immediately; otherwise new writes land on top of the old blocks and not even an expert can help you. This is the same as on Windows, as I expect everyone knows.

 

 

3: Preparation

Create a directory and copy some files into it.

[root@nginx ~]# mkdir /yang
[root@nginx ~]# mkfs.ext4 /dev/sdb 
[root@nginx ~]# mount /dev/sdb /yang/
[root@nginx ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2       9.5G  3.6G  5.5G  39% /
tmpfs           242M     0  242M   0% /dev/shm
/dev/sda1       190M   27M  153M  15% /boot
/dev/sdb        4.8G   10M  4.6G   1% /yang
[root@nginx ~]# cp /etc/hosts /yang/
[root@nginx ~]# cp /etc/passwd /yang/
[root@nginx ~]# mkdir -p /yang/data1/
[root@nginx ~]# mkdir -p /yang/data2/
[root@nginx ~]# echo "data1.txt" > /yang/data1/data1.txt
[root@nginx ~]# echo "data2.txt" > /yang/data2/data2.txt
[root@nginx ~]# ls -r /yang/*
/yang/passwd  /yang/hosts

/yang/lost+found:

/yang/data2:
data2.txt

/yang/data1:
data1.txt


### That is the lab setup; the commands are all simple, and the last one lists the files we created ###

4. Downloading and installing extundelete

[root@nginx ~]# wget http://internode.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
[root@nginx ~]# tar jxvf extundelete-0.2.4.tar.bz2
[root@nginx ~]# cd extundelete-0.2.4
[root@nginx extundelete-0.2.4]# ls
acinclude.m4  autogen.sh   config.log  configure.ac  install-sh  Makefile.am  missing  src
aclocal.m4    config.h.in  configure   depcomp       LICENSE     Makefile.in  README
[root@nginx extundelete-0.2.4]# ./configure 
Configuring extundelete 0.2.4
configure: error: Can't find ext2fs library

### OK, here we hit an error; what now? Fix it according to the message ###

The error says the ext2fs library cannot be found, so let's install it. How? With yum? First we need to identify the package: a plain "yum install ext2fs" certainly will not work, because that is not the package name. Since we do not have the experience to know the name offhand, we simply look for the rpm on the install media, plain and simple.

[root@nginx extundelete-0.2.4]# mount /dev/cdrom /mnt/
mount: block device /dev/sr0 is write-protected, mounting read-only
[root@nginx extundelete-0.2.4]# cd /mnt/
[root@nginx mnt]# ls
CentOS_BuildTag  GPL       Packages                  RPM-GPG-KEY-CentOS-6           RPM-GPG-KEY-CentOS-Testing-6
EFI              images    RELEASE-NOTES-en-US.html  RPM-GPG-KEY-CentOS-Debug-6     TRANS.TBL
EULA             isolinux  repodata                  RPM-GPG-KEY-CentOS-Security-6
[root@nginx mnt]# cd Packages/
[root@nginx Packages]# ls *2fs*
e2fsprogs-1.41.12-21.el6.x86_64.rpm      e2fsprogs-devel-1.41.12-21.el6.x86_64.rpm  e2fsprogs-libs-1.41.12-21.el6.x86_64.rpm
e2fsprogs-devel-1.41.12-21.el6.i686.rpm  e2fsprogs-libs-1.41.12-21.el6.i686.rpm

[root@nginx Packages]# rpm -ivh e2fsprogs-1.41.12-21.el6.x86_64.rpm
Preparing...                ########################################### [100%]
    package e2fsprogs-1.41.12-21.el6.x86_64 is already installed
[root@nginx Packages]# rpm -ivh e2fsprogs-devel-1.41.12-21.el6.x86_64.rpm
Preparing...                ########################################### [100%]
   1:e2fsprogs-devel        ########################################### [100%]

OK, the install succeeded. Mine is a 64-bit system, so naturally I installed the x86_64 package (the ext2fs headers configure was missing live in e2fsprogs-devel). Now on with the build.

[root@nginx Packages]#  cd /root/extundelete-0.2.4
[root@nginx extundelete-0.2.4]# ./configure 
Configuring extundelete 0.2.4
Writing generated files to disk
[root@nginx extundelete-0.2.4]# echo $?
0
[root@nginx extundelete-0.2.4]# make && make install
make -s all-recursive
Making all in src
extundelete.cc:571: warning: unused parameter ‘flags’
Making install in src
  /usr/bin/install -c extundelete '/usr/local/bin'
[root@nginx extundelete-0.2.4]# ls /usr/local/bin/
extundelete


######## Installed successfully; now let's delete the files and test recovery #####

Delete the files, then test recovery. Remember to umount right after the deletion; once new data is written over the old blocks nobody can help you.

[root@nginx ~]# rm -rf /yang/*
[root@nginx ~]# ls /yang/*
ls: cannot access /yang/*: No such file or directory
[root@nginx ~]# ls /yang/
[root@nginx ~]# echo "You can see that after rm -rf /yang/* nothing is left."
[root@nginx ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2       9.5G  3.6G  5.5G  40% /
tmpfs           242M     0  242M   0% /dev/shm
/dev/sda1       190M   27M  153M  15% /boot
/dev/sdb        4.8G   10M  4.6G   1% /yang
/dev/sr0        4.4G  4.4G     0 100% /mnt
[root@nginx ~]# umount /yang/
[root@nginx ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2       9.5G  3.6G  5.5G  40% /
tmpfs           242M     0  242M   0% /dev/shm
/dev/sda1       190M   27M  153M  15% /boot
/dev/sr0        4.4G  4.4G     0 100% /mnt

 

5. Recovery tests. There are many ways to recover; here are a few of them.

1. Recovering by inode

What is an inode? I suggest you look it up on Baidu; honestly I do not understand it that well myself, haha, I only know the basics. (In short: an inode is the filesystem's record of a file's metadata and of the blocks it occupies, and on ext2/3/4 inode 2 is always the root directory, which is why the listing below starts from --inode 2.)

[root@nginx ~]# mkdir /recover
[root@nginx ~]# cd /recover/
[root@nginx recover]# ls
[root@nginx recover]# extundelete /dev/sdb --inode 2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 b3 3f 79 57 af 3f 79 57 | .A.......?yW.?yW
0010 | af 3f 79 57 00 00 00 00 00 00 02 00 08 00 00 00 | .?yW............
0020 | 00 00 00 00 09 00 00 00 61 21 00 00 00 00 00 00 | ........a!......
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 a8 c0 78 45 a8 c0 78 45 6c 66 f1 64 | ......xE..xElf.d
0090 | 27 3d 79 57 00 00 00 00 00 00 00 00 00 00 00 00 | '=yW............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1467563955
Creation time: 1467563951
Modification time: 1467563951
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 2
Blocks count: 8
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 8545, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0

File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
lost+found                                        11             Deleted
hosts                                             12             Deleted
passwd                                            13             Deleted
data1                                             131073         Deleted
data2                                             131074         Deleted
[root@nginx recover]#

[root@nginx recover]# extundelete /dev/sdb --restore-inode 13
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Loading journal descriptors ... 52 descriptors loaded.
[root@nginx recover]# ls
RECOVERED_FILES
[root@nginx recover]# ls RECOVERED_FILES/
file.13
[root@nginx recover]# du -sh ./RECOVERED_FILES/file.13 
4.0K    ./RECOVERED_FILES/file.13
[root@nginx recover]# echo "Here I recovered the file by its inode number. Some of you may wonder why it is called file.13 when the inode listing above maps inode 13 to passwd. Let's check whether the contents are identical, then compare with diff."

Original file:

[root@nginx recover]# more /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
www:x:600:600::/data1/app/services/nginx:/sbin/nologin
[root@nginx recover]#

Recovered file:

[root@nginx recover]# more RECOVERED_FILES/file.13 
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
www:x:600:600::/data1/app/services/nginx:/sbin/nologin
[root@nginx recover]#

############## The output is identical ############

Next let's compare the files with diff. Not familiar with the diff command? No problem, Baidu it too, because I am not that familiar with it either, hehe. Just joking around, otherwise writing this gets tiring.

[root@nginx recover]# diff /etc/passwd ./RECOVERED_FILES/file.13 
[root@nginx recover]# echo $?
0
[root@nginx recover]# echo "The return code is 0 and nothing was printed, so the comparison succeeded and the files are identical. Remember: on Linux, no news is good news."

2. Recovering by file name

[root@nginx recover]# extundelete /dev/sdb --restore-file hosts
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Loading journal descriptors ... 52 descriptors loaded.
Successfully restored file hosts
[root@nginx recover]# ls
RECOVERED_FILES
[root@nginx recover]# ls RECOVERED_FILES/
file.13  hosts
[root@nginx recover]# diff /etc/hosts ./RECOVERED_FILES/hosts 
[root@nginx recover]# echo $?
0
[root@nginx recover]# echo "Identical again, so the recovery succeeded."

3. Recovering by directory

[root@nginx recover]# extundelete /dev/sdb --restore-directory data1
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Loading journal descriptors ... 52 descriptors loaded.
Searching for recoverable inodes in directory data1 ... 
7 recoverable inodes found.
Looking through the directory structure for deleted files ... 
6 recoverable inodes still lost.
[root@nginx recover]# ls ./RECOVERED_FILES/
data1  file.13  hosts
[root@nginx recover]# ls ./RECOVERED_FILES/data1/
data1.txt
[root@nginx recover]# echo "The directory test also recovered successfully, and the file inside is the one I created earlier. If someone has too many files and wants to recover all of them, is this too tedious? No problem, below I show how to recover everything; it is just a different option."

4. Recovering all files

First I delete the files recovered so far, then we check whether everything can be recovered in one go.

[root@nginx recover]# rm -rf RECOVERED_FILES/
[root@nginx recover]# ls
[root@nginx recover]# extundelete /dev/sdb --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Loading journal descriptors ... 52 descriptors loaded.
Searching for recoverable inodes in directory / ... 
7 recoverable inodes found.
Looking through the directory structure for deleted files ... 
0 recoverable inodes still lost.
[root@nginx recover]# ls
RECOVERED_FILES
[root@nginx recover]# ls -r ./RECOVERED_FILES/
passwd  hosts  data2  data1
[root@nginx recover]# echo "As you can see, after deleting them, everything has been recovered."
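The whole workflow above (stop writes, read the --inode 2 listing, restore each deleted inode, verify with diff) as a small shell helper. This is an added example, not code from the original post or from extundelete itself; the function names and the sample listing are constructed, and it only prints the restore commands rather than running them.

```shell
#!/bin/sh
# Added example, not from the original post: helpers around the recovery
# workflow (stop writes, parse the inode-2 listing, restore, verify).
# Function names and the sample listing are constructed; nothing here runs
# extundelete or touches a device unless you execute what restore_commands
# prints against real output.

# freeze_volume MOUNTPOINT: the post's "umount at once" rule as a function.
# If the volume is busy and cannot be unmounted, fall back to remounting
# it read-only so no further blocks get overwritten.
freeze_volume() {
    umount "$1" 2>/dev/null || mount -o remount,ro "$1"
}

# Constructed sample in the shape of the table "extundelete DEV --inode 2"
# prints (name, inode number, deletion status).
SAMPLE_LISTING='File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
lost+found                                        11             Deleted
hosts                                             12             Deleted
passwd                                            13             Deleted
data1                                             131073         Deleted'

# deleted_entries: read a listing on stdin and print "name inode" for each
# entry marked Deleted, skipping ., .. and lost+found (mkfs recreates it).
deleted_entries() {
    awk '$NF == "Deleted" && $1 != "." && $1 != ".." && $1 != "lost+found" { print $1, $2 }'
}

# restore_commands DEV: turn the deleted entries on stdin into one
# --restore-inode command per line, so they can be reviewed before running.
restore_commands() {
    deleted_entries | while read -r name inode; do
        printf 'extundelete %s --restore-inode %s   # %s\n' "$1" "$inode" "$name"
    done
}

# same_content ORIG RECOVERED: the post's "diff; echo $?" check; prints ok
# or differs and succeeds only when both files match byte for byte.
same_content() {
    if cmp -s "$1" "$2"; then echo ok; else echo differs; return 1; fi
}

# Stand-alone demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | restore_commands /dev/sdb
```

Pipe the real output of `extundelete /dev/sdb --inode 2` into restore_commands instead of the sample to get the command list for your own volume.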

Ah, that wraps it up for now. If anything is unclear just ask me; I only learned this today myself. Thanks, everyone!
