Linux security tools: recovering accidentally deleted files with extundelete
Posted by 毕竟我是杨小飞呀i
1. Preface
In Linux we are often driven mad by deleting files by accident; rm -rf <file> with its -rf flags is every ops engineer's nightmare. But have you ever wondered why deleting a file is so fast, while copying one is so slow?
The truth is that whether you run rm or rm -rf, you are only deleting the file's name; the data is still sitting in the disk sectors. That is just my understanding, of course. So how do we get a file back after deleting it? The experiment below walks through basic use of the extundelete tool.
2. Lab environment
OS: CentOS6.4_x64-mini.iso
Tool: extundelete-0.2.4.tar.bz2
extundelete homepage: http://extundelete.sourceforge.net/
Note: this whole post is Linux commands, with no screenshots; adding a single image to a blog is a lot of work.
One more word about the environment: my test directory is mounted on its own separate disk, otherwise the walkthrough would get confusing.
Why mount it on a separate disk? Think about it: in a company, for safety reasons, the data disk and the system disk are always kept apart.
Once data on the data disk has been deleted you must umount it immediately; otherwise new data gets written over it and not even a guru can help you. This is the same as on Windows, and I think everyone understands it.
3. Preparation
Create the directory and copy some files.
[root@host ~]# mkdir /yang
[root@host ~]# mkfs.ext4 /dev/sdb
[root@host ~]# mount /dev/sdb /yang/
[root@host ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2       9.5G  3.6G  5.5G  39% /
tmpfs           242M     0  242M   0% /dev/shm
/dev/sda1       190M   27M  153M  15% /boot
/dev/sdb        4.8G   10M  4.6G   1% /yang
[root@host ~]# cp /etc/hosts /yang/
[root@host ~]# cp /etc/passwd /yang/
[root@host ~]# mkdir -p /yang/data1/
[root@host ~]# mkdir -p /yang/data2/
[root@host ~]# echo "data1.txt" > /yang/data1/data1.txt
[root@host ~]# echo "data2.txt" > /yang/data2/data2.txt
[root@host ~]# ls -r /yang/*
/yang/passwd  /yang/hosts

/yang/lost+found:

/yang/data2:
data2.txt

/yang/data1:
data1.txt
### The above sets up my lab environment; the commands are all simple, and the last one lists the resulting files ###
4. Downloading and installing extundelete
[root@host ~]# wget http://internode.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
[root@host ~]# tar jxvf extundelete-0.2.4.tar.bz2
[root@host ~]# cd extundelete-0.2.4
[root@host extundelete-0.2.4]# ls
acinclude.m4  autogen.sh   config.log  configure.ac  install-sh  Makefile.am  missing  src
aclocal.m4    config.h.in  configure   depcomp       LICENSE     Makefile.in  README
[root@host extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
configure: error: Can't find ext2fs library
### OK, here we hit an error. What now? Fix it according to the message ###
The error says it cannot find ext2fs. If it is missing, install it. How? yum? First we have to identify the package, and yum certainly has nothing literally called ext2fs. Since we do not have that much experience and do not know the package name, we simply search the RPMs on the install media; simple and clear.
[root@host extundelete-0.2.4]# mount /dev/cdrom /mnt/
mount: block device /dev/sr0 is write-protected, mounting read-only
[root@host extundelete-0.2.4]# cd /mnt/
[root@host mnt]# ls
CentOS_BuildTag  GPL       Packages                  RPM-GPG-KEY-CentOS-6        RPM-GPG-KEY-CentOS-Testing-6
EFI              images    RELEASE-NOTES-en-US.html  RPM-GPG-KEY-CentOS-Debug-6  TRANS.TBL
EULA             isolinux  repodata                  RPM-GPG-KEY-CentOS-Security-6
[root@host mnt]# cd Packages/
[root@host Packages]# ls *2fs*
e2fsprogs-1.41.12-21.el6.x86_64.rpm      e2fsprogs-devel-1.41.12-21.el6.x86_64.rpm  e2fsprogs-libs-1.41.12-21.el6.x86_64.rpm
e2fsprogs-devel-1.41.12-21.el6.i686.rpm  e2fsprogs-libs-1.41.12-21.el6.i686.rpm
[root@host Packages]# rpm -ivh e2fsprogs-1.41.12-21.el6.x86_64.rpm
Preparing...                ########################################### [100%]
        package e2fsprogs-1.41.12-21.el6.x86_64 is already installed
[root@host Packages]# rpm -ivh e2fsprogs-devel-1.41.12-21.el6.x86_64.rpm
Preparing...                ########################################### [100%]
   1:e2fsprogs-devel        ########################################### [100%]
OK, the install succeeded. Mine is a 64-bit system, so naturally I install the x86_64 package. Next we continue with the build and install.
[root@host Packages]# cd /root/extundelete-0.2.4
[root@host extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk
[root@host extundelete-0.2.4]# echo $?
0
[root@host extundelete-0.2.4]# make && make install
make -s all-recursive
Making all in src
extundelete.cc:571: warning: unused parameter 'flags'
Making install in src
/usr/bin/install -c extundelete '/usr/local/bin'
[root@host extundelete-0.2.4]# ls /usr/local/bin/
extundelete
######## Installed successfully. Now we delete the files and start the recovery test #####
Now delete the files and test recovery. Remember to umount after deleting; once new data has been written over the old, nobody can help you.
[root@host ~]# rm -rf /yang/*
[root@host ~]# ls /yang/*
ls: cannot access /yang/*: No such file or directory
[root@host ~]# ls /yang/
[root@host ~]# echo "As you can see, after rm -rf /yang/* there is nothing left"
[root@host ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2       9.5G  3.6G  5.5G  40% /
tmpfs           242M     0  242M   0% /dev/shm
/dev/sda1       190M   27M  153M  15% /boot
/dev/sdb        4.8G   10M  4.6G   1% /yang
/dev/sr0        4.4G  4.4G     0 100% /mnt
[root@host ~]# umount /yang/
[root@host ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2       9.5G  3.6G  5.5G  40% /
tmpfs           242M     0  242M   0% /dev/shm
/dev/sda1       190M   27M  153M  15% /boot
/dev/sr0        4.4G  4.4G     0 100% /mnt
5. Recovery tests. There are many ways to recover; here are a few simple ones.
(1) Recovering by inode
What is an inode? I suggest you look it up on Baidu; honestly I do not really understand it myself, haha, I only know the basics.
[root@host ~]# mkdir /recover
[root@host ~]# cd /recover/
[root@host recover]# ls
[root@host recover]# extundelete /dev/sdb --inode 2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 b3 3f 79 57 af 3f 79 57 | .A.......?yW.?yW
0010 | af 3f 79 57 00 00 00 00 00 00 02 00 08 00 00 00 | .?yW............
0020 | 00 00 00 00 09 00 00 00 61 21 00 00 00 00 00 00 | ........a!......
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 a8 c0 78 45 a8 c0 78 45 6c 66 f1 64 | ......xE..xElf.d
0090 | 27 3d 79 57 00 00 00 00 00 00 00 00 00 00 00 00 | '=yW............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1467563955
Creation time: 1467563951
Modification time: 1467563951
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 2
Blocks count: 8
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 8545, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0

File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
lost+found                                        11             Deleted
hosts                                             12             Deleted
passwd                                            13             Deleted
data1                                             131073         Deleted
data2                                             131074         Deleted
[root@host recover]#
[root@host recover]# extundelete /dev/sdb --restore-inode 13
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Loading journal descriptors ... 52 descriptors loaded.
[root@host recover]# ls
RECOVERED_FILES
[root@host recover]# ls RECOVERED_FILES/
file.13
[root@host recover]# du -sh ./RECOVERED_FILES/file.13
4.0K    ./RECOVERED_FILES/file.13
[root@host recover]# echo "Here I recovered by inode number. Some of you may not see why the result is called file.13: didn't the inode listing above map 13 to passwd? Below we check whether the files are the same, then compare them with diff."
The original file:
[root@host recover]# more /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
www:x:600:600::/data1/app/services/nginx:/sbin/nologin
[root@host recover]#
The recovered file:
[root@host recover]# more RECOVERED_FILES/file.13
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
www:x:600:600::/data1/app/services/nginx:/sbin/nologin
[root@host recover]#
############## The output is identical ############
Let's also compare the two files with diff. Don't know the diff command? No problem, same as before, go look it up on Baidu, because I don't really know it either, hehe. Just kidding, otherwise writing this gets tiring.
[root@host recover]# diff /etc/passwd ./RECOVERED_FILES/file.13
[root@host recover]# echo $?
0
[root@host recover]# echo "The return code is 0 and there is no error, so it succeeded: the files compare equal. Remember, in Linux no news is the best news."
(2) Recovering by file name
[root@host recover]# extundelete /dev/sdb --restore-file hosts
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Loading journal descriptors ... 52 descriptors loaded.
Successfully restored file hosts
[root@host recover]# ls
RECOVERED_FILES
[root@host recover]# ls RECOVERED_FILES/
file.13  hosts
[root@host recover]# diff /etc/hosts ./RECOVERED_FILES/hosts
[root@host recover]# echo $?
0
[root@host recover]# echo "The comparison matches, so this recovery succeeded too."
(3) Recovering by directory
[root@host recover]# extundelete /dev/sdb --restore-directory data1
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Loading journal descriptors ... 52 descriptors loaded.
Searching for recoverable inodes in directory data1 ...
7 recoverable inodes found.
Looking through the directory structure for deleted files ...
6 recoverable inodes still lost.
[root@host recover]# ls ./RECOVERED_FILES/
data1  file.13  hosts
[root@host recover]# ls ./RECOVERED_FILES/data1/
data1.txt
[root@host recover]# echo "So the directory test recovers successfully too, and the file inside is the one I created earlier. Now, if someone says 'I have too many files, I want to recover all of them, isn't this too tedious?', no problem: below I show how to recover everything, just by changing the option."
(4) Recovering all files.
First I delete everything recovered so far, then we see whether all the files can be recovered in one go.
[root@host recover]# rm -rf RECOVERED_FILES/
[root@host recover]# ls
[root@host recover]# extundelete /dev/sdb --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Loading journal descriptors ... 52 descriptors loaded.
Searching for recoverable inodes in directory / ...
7 recoverable inodes found.
Looking through the directory structure for deleted files ...
0 recoverable inodes still lost.
[root@host recover]# ls
RECOVERED_FILES
[root@host recover]# ls -r ./RECOVERED_FILES/
passwd  hosts  data2  data1
[root@host recover]# echo "As you can see, everything I deleted has been recovered"
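Two checks around the procedure above, written here as an added example (not the post's own code): a pre-flight test that the damaged device is really no longer mounted, and a verifier that reads the table printed by extundelete --inode and compares every recovered entry against a reference copy, whether it came back as RECOVERED_FILES/hosts or as RECOVERED_FILES/file.13. The function names are my own, and the mount table and listing used to exercise them are constructed, modelled on the post's output.

```shell
#!/bin/sh
# Added example, not code from the original post. Two checks around the
# extundelete workflow shown above:
#  1. mounted_device: the post's "umount at once, or a second write will
#     overwrite the data" rule as a pre-flight check. It reads a mount table
#     (default /proc/mounts), so it can be exercised against a constructed one.
#  2. deleted_entries / verify_recovered: parse the "File name | Inode number
#     | Deleted status" table printed by 'extundelete DEV --inode 2' and
#     compare each deleted entry with a reference copy, accepting both the
#     by-name layout (RECOVERED_FILES/hosts) and the by-inode layout
#     (RECOVERED_FILES/file.13) seen in the post.

# Succeed if DEVICE ($1) appears as a mounted source in the mount table ($2).
mounted_device() {
    awk -v dev="$1" '$1 == dev { hit = 1 } END { exit !hit }' "${2:-/proc/mounts}"
}

# Print "name inode" for each entry marked Deleted in an --inode listing.
# '.' and '..' never carry the flag; lost+found is skipped because mkfs
# recreates it and there is no reference copy to compare against.
deleted_entries() {
    awk '/^File name/ { in_table = 1; next }
         in_table && $3 == "Deleted" && $1 != "lost+found" { print $1, $2 }' "$1"
}

# For each deleted entry in LISTING ($1), locate the recovered copy under
# RECDIR ($3), by name first and then as file.<inode>, and compare it with
# REFDIR/<name> ($2). Prints one line per entry: OK, MISSING, MISMATCH or NOREF.
verify_recovered() {
    listing=$1; refdir=$2; recdir=$3
    deleted_entries "$listing" | while read -r name inode; do
        ref="$refdir/$name"
        if   [ -e "$recdir/$name" ];       then rec="$recdir/$name"
        elif [ -e "$recdir/file.$inode" ]; then rec="$recdir/file.$inode"
        else                                    rec=""; fi
        if   [ ! -e "$ref" ]; then echo "NOREF    $name"
        elif [ -z "$rec" ];   then echo "MISSING  $name (inode $inode)"
        elif diff -rq "$ref" "$rec" >/dev/null 2>&1; then echo "OK       $name <- $rec"
        else                       echo "MISMATCH $name <- $rec"; fi
    done
}

# Overall verdict: succeed only when no entry is MISSING or MISMATCH, i.e. the
# post's "diff; echo $?" check applied to every recovered file at once.
recovery_ok() {
    ! verify_recovered "$1" "$2" "$3" | grep -qE '^(MISSING|MISMATCH)'
}
```

Run mounted_device /dev/sdb before extundelete and abort if it succeeds; after --restore-all, run recovery_ok with the saved --inode 2 output, a directory holding known-good copies, and RECOVERED_FILES.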
Ah... that finally wraps it up. If anything is still unclear just ask me; I only learned this today myself. Thanks everyone!