Linux security tools: recovering accidentally deleted files with extundelete
Published: 2019-06-23


1. Foreword

On Linux, accidentally deleting a file is a constant source of grief: rm -rf <path> is every sysadmin's nightmare. But have you ever wondered why deleting is so fast, while copying the same files is so slow?

The reason is that rm, with or without -rf, only unlinks the file: it removes the directory entry and marks the inode and its data blocks as free. The data itself stays in the disk sectors until something else is written over those blocks. That is what makes recovery possible, and it is also why the first rule after a mistaken rm is to stop writing to that filesystem. The experiment below walks through the basic use of the extundelete tool to get such files back.

2. Experiment environment

System: CentOS6.4_x64-mini.iso

Tool: extundelete-0.2.4.tar.bz2

extundelete homepage: http://extundelete.sourceforge.net/

Note: everything here is shown as Linux commands, with no screenshots.

A word about the setup: the test directory is on its own disk (/dev/sdb), mounted separately, so the steps stay easy to follow. This also mirrors what you would do in production: for safety, data disks are kept separate from the system disk.

Once data on the data disk has been deleted, umount it immediately (or at the very least remount it read-only with mount -o remount,ro). If anything is written to the filesystem afterwards, the freed blocks may be reused, and then no expert will be able to bring the files back. This is no different from Windows. If the deleted files lived on the root filesystem, which cannot simply be unmounted, the next-best option is to stop further writes: boot rescue media, or take an image of the device with dd and run extundelete against the image instead of the live device.

3. Preparation

Create the directory and copy some files into it.

[root@nginx ~]# mkdir /yang
[root@nginx ~]# mkfs.ext4 /dev/sdb
[root@nginx ~]# mount /dev/sdb /yang/
[root@nginx ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2       9.5G  3.6G  5.5G  39% /
tmpfs           242M     0  242M   0% /dev/shm
/dev/sda1       190M   27M  153M  15% /boot
/dev/sdb        4.8G   10M  4.6G   1% /yang
[root@nginx ~]# cp /etc/hosts /yang/
[root@nginx ~]# cp /etc/passwd /yang/
[root@nginx ~]# mkdir -p /yang/data1/
[root@nginx ~]# mkdir -p /yang/data2/
[root@nginx ~]# echo "data1.txt" > /yang/data1/data1.txt
[root@nginx ~]# echo "data2.txt" > /yang/data2/data2.txt
[root@nginx ~]# ls -r /yang/*
/yang/passwd  /yang/hosts

/yang/lost+found:

/yang/data2:
data2.txt

/yang/data1:
data1.txt
### That is the whole test environment. The commands are simple; the last one lists the files we will delete and recover. ###

4. Downloading and installing extundelete

[root@nginx ~]# wget http://internode.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
[root@nginx ~]# tar jxvf extundelete-0.2.4.tar.bz2
[root@nginx ~]# cd extundelete-0.2.4
[root@nginx extundelete-0.2.4]# ls
acinclude.m4  autogen.sh   config.log  configure.ac  install-sh  Makefile.am  missing  src
aclocal.m4    config.h.in  configure   depcomp       LICENSE     Makefile.in  README
[root@nginx extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
configure: error: Can't find ext2fs library
### configure fails here. Read the error and fix what it complains about. ###

The error says the ext2fs library cannot be found, so install it. But which package? There is no package called ext2fs, so yum install ext2fs goes nowhere. The library belongs to e2fsprogs: the header and link library that ./configure is looking for ship in e2fsprogs-devel (the runtime library itself is in e2fsprogs-libs). When a repository is reachable, yum install e2fsprogs-devel, or yum provides '*/ext2fs.h' if you do not know the package name, solves this in one step. On this minimal install without network access, the packages are taken straight off the install DVD with rpm instead.

[root@nginx extundelete-0.2.4]# mount /dev/cdrom /mnt/
mount: block device /dev/sr0 is write-protected, mounting read-only
[root@nginx extundelete-0.2.4]# cd /mnt/
[root@nginx mnt]# ls
CentOS_BuildTag  GPL       Packages                  RPM-GPG-KEY-CentOS-6           RPM-GPG-KEY-CentOS-Testing-6
EFI              images    RELEASE-NOTES-en-US.html  RPM-GPG-KEY-CentOS-Debug-6     TRANS.TBL
EULA             isolinux  repodata                  RPM-GPG-KEY-CentOS-Security-6
[root@nginx mnt]# cd Packages/
[root@nginx Packages]# ls *2fs*
e2fsprogs-1.41.12-21.el6.x86_64.rpm      e2fsprogs-devel-1.41.12-21.el6.x86_64.rpm  e2fsprogs-libs-1.41.12-21.el6.x86_64.rpm
e2fsprogs-devel-1.41.12-21.el6.i686.rpm  e2fsprogs-libs-1.41.12-21.el6.i686.rpm
[root@nginx Packages]# rpm -ivh e2fsprogs-1.41.12-21.el6.x86_64.rpm
Preparing...                ########################################### [100%]
    package e2fsprogs-1.41.12-21.el6.x86_64 is already installed
[root@nginx Packages]# rpm -ivh e2fsprogs-devel-1.41.12-21.el6.x86_64.rpm
Preparing...                ########################################### [100%]
   1:e2fsprogs-devel        ########################################### [100%]

OK, the -devel package is installed. This is an x86_64 system, so the x86_64 package is the right one (the i686 builds on the DVD are for 32-bit). The packages here come off the official install media; if you fetch rpms from anywhere else, check their signature with rpm -K before installing. Now back to the build.

[root@nginx Packages]# cd /root/extundelete-0.2.4
[root@nginx extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk
[root@nginx extundelete-0.2.4]# echo $?
0
[root@nginx extundelete-0.2.4]# make && make install
make -s all-recursive
Making all in src
extundelete.cc:571: warning: unused parameter 'flags'
Making install in src
  /usr/bin/install -c extundelete '/usr/local/bin'
[root@nginx extundelete-0.2.4]# ls /usr/local/bin/
extundelete
### Installed. Now delete the files and test the recovery. ###

Delete the files and test the recovery. Remember to umount right after deleting; once something writes over the freed blocks, nobody can help you.

[root@nginx ~]# rm -rf /yang/*
[root@nginx ~]# ls /yang/*
ls: cannot access /yang/*: No such file or directory
[root@nginx ~]# ls /yang/
[root@nginx ~]#
### After rm -rf /yang/* the directory is empty. ###
[root@nginx ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2       9.5G  3.6G  5.5G  40% /
tmpfs           242M     0  242M   0% /dev/shm
/dev/sda1       190M   27M  153M  15% /boot
/dev/sdb        4.8G   10M  4.6G   1% /yang
/dev/sr0        4.4G  4.4G     0 100% /mnt
[root@nginx ~]# umount /yang/
[root@nginx ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2       9.5G  3.6G  5.5G  40% /
tmpfs           242M     0  242M   0% /dev/shm
/dev/sda1       190M   27M  153M  15% /boot
/dev/sr0        4.4G  4.4G     0 100% /mnt

5. Recovery tests. There are several ways to recover; here are a few simple ones.

1. Recovering by inode number

What is an inode? On ext2/3/4 every file and directory is described by an inode: a fixed-size record holding the mode, owner, size, timestamps and block pointers, but not the name. Names live in directory entries, which map a name to an inode number. Inode 2 is always the root directory of the filesystem, so extundelete /dev/sdb --inode 2 dumps the root inode and lists the entries in its directory block, including the ones rm marked as deleted. That listing gives us the inode numbers to recover.

One more point: run extundelete from a working directory on a different filesystem (here /recover on the root disk). It writes its output into RECOVERED_FILES under the current directory, and that must never land on the device being recovered.

[root@nginx ~]# mkdir /recover
[root@nginx ~]# cd /recover/
[root@nginx recover]# ls
[root@nginx recover]# extundelete /dev/sdb --inode 2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 b3 3f 79 57 af 3f 79 57 | .A.......?yW.?yW
0010 | af 3f 79 57 00 00 00 00 00 00 02 00 08 00 00 00 | .?yW............
0020 | 00 00 00 00 09 00 00 00 61 21 00 00 00 00 00 00 | ........a!......
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 a8 c0 78 45 a8 c0 78 45 6c 66 f1 64 | ......xE..xElf.d
0090 | 27 3d 79 57 00 00 00 00 00 00 00 00 00 00 00 00 | '=yW............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1467563955
Creation time: 1467563951
Modification time: 1467563951
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 2
Blocks count: 8
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 8545, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
lost+found                                        11             Deleted
hosts                                             12             Deleted
passwd                                            13             Deleted
data1                                             131073         Deleted
data2                                             131074         Deleted
[root@nginx recover]#
[root@nginx recover]# extundelete /dev/sdb --restore-inode 13
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Loading journal descriptors ... 52 descriptors loaded.
[root@nginx recover]# ls
RECOVERED_FILES
[root@nginx recover]# ls RECOVERED_FILES/
file.13
[root@nginx recover]# du -sh ./RECOVERED_FILES/file.13
4.0K    ./RECOVERED_FILES/file.13
### Recovered by inode number. Some will wonder why the result is called file.13 when inode 13 was the passwd file: the name is not stored in the inode, so extundelete names anything restored by inode number file.<inode>. Below we check that the content matches the original and confirm it with diff. ###

A few things worth reading off the dump: file mode 16877 is octal 040755, a directory with rwxr-xr-x permissions; "Inode is Allocated" with Deletion Time 0 because the root directory itself was never deleted, only the entries inside it. The directory block (block 8545) still holds those entries, which is how the table at the end can show lost+found, hosts, passwd, data1 and data2 with their inode numbers and Deleted status.

Original file:

[root@nginx recover]# more /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
www:x:600:600::/data1/app/services/nginx:/sbin/nologin
[root@nginx recover]#

Recovered file:

[root@nginx recover]# more RECOVERED_FILES/file.13
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
www:x:600:600::/data1/app/services/nginx:/sbin/nologin
[root@nginx recover]#
### The output is identical to the original. ###

Now compare the two with diff. diff prints nothing and exits with status 0 when the files are identical, and echo $? shows that status. (cmp -s or a sha256sum of both files works just as well when you have many files to check.)

[root@nginx recover]# diff /etc/passwd ./RECOVERED_FILES/file.13
[root@nginx recover]# echo $?
0
[root@nginx recover]#
### Exit status 0 and no output: the files are identical. On Linux, no news is good news. ###

2. Recovering by file name

The path given to --restore-file is relative to the root of the filesystem on /dev/sdb, not to the old mount point, so the file that used to be /yang/hosts is just hosts.

[root@nginx recover]# extundelete /dev/sdb --restore-file hosts
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Loading journal descriptors ... 52 descriptors loaded.
Successfully restored file hosts
[root@nginx recover]# ls
RECOVERED_FILES
[root@nginx recover]# ls RECOVERED_FILES/
file.13  hosts
[root@nginx recover]# diff /etc/hosts ./RECOVERED_FILES/hosts
[root@nginx recover]# echo $?
0
[root@nginx recover]#
### Identical again: the recovery succeeded. ###

3. Recovering by directory

[root@nginx recover]# extundelete /dev/sdb --restore-directory data1
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Loading journal descriptors ... 52 descriptors loaded.
Searching for recoverable inodes in directory data1 ... 7 recoverable inodes found.
Looking through the directory structure for deleted files ... 6 recoverable inodes still lost.
[root@nginx recover]# ls ./RECOVERED_FILES/
data1  file.13  hosts
[root@nginx recover]# ls ./RECOVERED_FILES/data1/
data1.txt
### The directory comes back with the file it contained. The "7 recoverable inodes" are counted across the whole filesystem; only the one under data1 is written out, which is why 6 are reported as still lost. If you have too many files to restore one by one, the next step restores everything with a single option. ###

4. Recovering all files

First remove everything recovered so far, then check that all files can be recovered in one go.

[root@nginx recover]# rm -rf RECOVERED_FILES/
[root@nginx recover]# ls
[root@nginx recover]# extundelete /dev/sdb --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Loading journal descriptors ... 52 descriptors loaded.
Searching for recoverable inodes in directory / ... 7 recoverable inodes found.
Looking through the directory structure for deleted files ... 0 recoverable inodes still lost.
[root@nginx recover]# ls
RECOVERED_FILES
[root@nginx recover]# ls -r ./RECOVERED_FILES/
passwd  hosts  data2  data1
[root@nginx recover]#
### Everything that was deleted is back. ###
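The two things that go wrong most often in this procedure are running extundelete while the device is still mounted read-write, and typing a long list of inode numbers by hand after reading the --inode 2 table. The helper below is an added example, not code from the original post or from extundelete: it checks /proc/mounts (or any file in that format) for a read-write mount of the device, parses the "File name | Inode number | Deleted status" table that extundelete prints, and assembles the one-shot extundelete DEV --restore-inode n,n,... command. It assumes POSIX sh plus awk, and the sample listing and mounts files embedded at the bottom are constructed from the outputs shown above.

```shell
#!/bin/sh
# Added example (not part of the original post or of extundelete).
#   mounted_rw        - exit 0 if DEVICE is mounted with the "rw" option
#   deleted_inodes    - "name inode" pairs for entries marked Deleted in an
#                       "extundelete DEV --inode N" listing read on stdin
#   restore_inode_cmd - refuse while DEVICE is mounted rw, otherwise print
#                       "extundelete DEV --restore-inode n,n,..."
# Assumes POSIX sh and awk; MOUNTS_FILE uses the /proc/mounts format.

# mounted_rw DEVICE [MOUNTS_FILE]
mounted_rw() {
    awk -v dev="$1" '
        $1 == dev {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "rw") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "${2:-/proc/mounts}"
}

# deleted_inodes < LISTING
# Only the table after the "File name | ..." header is examined; "." and ".."
# have no status column and drop out. extundelete pads the columns with
# spaces, so a plain whitespace split is enough (names containing spaces
# would need a fixed-column parse instead).
deleted_inodes() {
    awk '
        /^File name/               { intable = 1; next }
        intable && $3 == "Deleted" { print $1, $2 }
    '
}

# restore_inode_cmd DEVICE [MOUNTS_FILE] < LISTING
# status 2: device still mounted read-write; status 1: nothing to restore.
restore_inode_cmd() {
    dev=$1
    if mounted_rw "$dev" "${2:-/proc/mounts}"; then
        echo "refusing: $dev is mounted read-write, umount it first" >&2
        return 2
    fi
    inodes=$(deleted_inodes | awk '{ s = s (NR > 1 ? "," : "") $2 } END { print s }')
    [ -n "$inodes" ] || { echo "no deleted entries in listing" >&2; return 1; }
    printf 'extundelete %s --restore-inode %s\n' "$dev" "$inodes"
}

# ---- constructed sample input, modelled on the outputs shown in the post ----
SAMPLE_LISTING='Triple indirect block: 0
File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
lost+found                                        11             Deleted
hosts                                             12             Deleted
passwd                                            13             Deleted
data1                                             131073         Deleted
data2                                             131074         Deleted'

MOUNTS_BEFORE_UMOUNT='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb /yang ext4 rw,relatime 0 0
/dev/sr0 /mnt iso9660 ro,relatime 0 0'

MOUNTS_AFTER_UMOUNT='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sr0 /mnt iso9660 ro,relatime 0 0'

demo() {
    m=$(mktemp)
    printf '%s\n' "$MOUNTS_BEFORE_UMOUNT" > "$m"
    # /dev/sdb still mounted rw: the helper refuses with status 2
    printf '%s\n' "$SAMPLE_LISTING" | restore_inode_cmd /dev/sdb "$m" || echo "(status $?)"
    printf '%s\n' "$MOUNTS_AFTER_UMOUNT" > "$m"
    # after umount: extundelete /dev/sdb --restore-inode 11,12,13,131073,131074
    printf '%s\n' "$SAMPLE_LISTING" | restore_inode_cmd /dev/sdb "$m"
    rm -f "$m"
}
demo
```

In real use, save the listing with extundelete /dev/sdb --inode 2 > listing.txt from a directory on another filesystem, then run restore_inode_cmd /dev/sdb < listing.txt and execute the command it prints; the mounts check falls back to /proc/mounts when no second argument is given. The inode-number route is the one that still works when the directory entry is gone but the inode is known, which is why the helper builds that form rather than --restore-file.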

That wraps it up. If anything is unclear, just ask; I only learned this today myself. Thanks for reading.

Reprinted from: https://www.cnblogs.com/yangxiaofei/p/5638428.html
