Use lsof to restore accidentally deleted log files or database files
Add Date : 2018-11-21
Finding who is using a file system

When you unmount a file system, the operation usually fails if any files on it are still open. lsof can show which processes are currently using the file system you want to unmount:

# lsof /GTES11/

bash 4208 root cwd DIR 3,1 4096 2 /GTES11/

vim 4230 root cwd DIR 3,1 4096 2 /GTES11/

In this example, the user root is doing something in the /GTES11 directory. One process is a running bash instance whose current directory is /GTES11; the other is vim, editing a file under /GTES11. To unmount /GTES11 successfully, you should notify the user so that these processes can be stopped cleanly. The example also shows that an application's current working directory matters: it still holds a reference to the file system and can prevent it from being unmounted. This is why most daemons (background processes) change their directory to the root directory or to a service-specific directory (sendmail, for example, uses /var/spool/mqueue), so that they do not keep unrelated file systems from being unmounted.

Recovering deleted files

When a Linux machine is compromised, it is common for the attacker to delete log files to cover their tracks. Administrative mistakes can also delete important files, for example removing a database's active transaction log while cleaning up old logs. Sometimes these files can be recovered with lsof.

When a process opens a file, the file remains on disk for as long as the process keeps it open, even if it is deleted. The process does not know the file has been deleted and can still read from and write to it through its open file descriptor. To everything other than that process the file is no longer visible, because the directory entry pointing to its inode has been removed.

The /proc directory contains files that reflect the kernel and the process tree. /proc is mounted on a memory-mapped area, so its files and directories do not exist on disk; reading or writing them actually fetches the information from memory. Most of the information lsof needs lives in a directory named after the process ID, so /proc/1234 holds the information for the process with PID 1234. Each process directory contains files describing the process's memory space, its list of file descriptors, symbolic links to the files on disk, and other system information. lsof combines this with other information about the kernel's internal state to produce its output, which shows each file descriptor together with its process and file name. In other words, it lets us find the file a process is accessing through a given file descriptor.

When a file is accidentally deleted, as long as some process on the system still has it open, we can use lsof to restore its contents from the /proc directory. If /var/log/messages is deleted by mistake, it can be recovered as follows:

First, use lsof to check whether any running process has /var/log/messages open:

# lsof | grep /var/log/messages

syslogd 1283 root 2w REG 3,3 5381017 1773647 /var/log/messages (deleted)

The output shows that PID 1283 (syslogd) has the file open on file descriptor 2, and that /var/log/messages is marked as deleted. So we can read /proc/1283/fd/2 (each numbered file under fd corresponds to one of the process's file descriptors) to see the data:

# head -n 10 /proc/1283/fd/2
Aug 4 13:50:15 holmes86 syslogd 1.4.1: restart.
Aug 4 13:50:15 holmes86 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Aug 4 13:50:15 holmes86 kernel: Linux version (root@everestbuilder.linux-ren.org) (gcc version 4.2.0) #1 SMP Wed Jul 18 11:18:32 EDT 2007
Aug 4 13:50:15 holmes86 kernel: BIOS-provided physical RAM map:
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 0000000000000000 - 000000000009f000 (usable)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000000009f000 - 00000000000a0000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 0000000000100000 - 000000001f7d3800 (usable)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000001f7d3800 - 0000000020000000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000e0000000 - 00000000f0007000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000f0008000 - 00000000f000c000 (reserved)

As the output shows, reading /proc/1283/fd/2 gives the data to be restored. If the data can be viewed through a file descriptor, it can be copied to a file with I/O redirection:

# cat /proc/1283/fd/2 > /var/log/messages

For many applications, especially databases and log files, this method of recovering deleted files is useful.
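Both procedures from this article, as an added example that is not from the original page: a script that finds the processes using a directory (the unmount check) by reading /proc/PID/cwd and /proc/PID/fd directly, and recovers a deleted-but-open file by copying its descriptor, as done above with cat. It assumes a Linux /proc and uses readlink instead of lsof so it runs where lsof is not installed; the log file and the background process holding it open are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: the two lsof use cases above
# done by reading /proc directly (readlink works without lsof installed).

# List "PID NAME TARGET" for every process cwd and open descriptor whose
# target lies under $1, e.g. the directory you are trying to unmount.
# Files unlinked while still open keep the kernel's " (deleted)" suffix.
open_files_under() {
    prefix=$1
    for link in /proc/[0-9]*/cwd /proc/[0-9]*/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case "$target" in
            "$prefix"|"$prefix"/*)
                pid=${link#/proc/}; pid=${pid%%/*}
                printf '%s %s %s\n' "$pid" "${link##*/}" "$target"
                ;;
        esac
    done
}

# Copy the deleted file that PID $1 still holds open on descriptor $2 to $3,
# exactly as the article does with cat /proc/PID/fd/N > destination.
recover_deleted_file() {
    [ -r "/proc/$1/fd/$2" ] || return 1
    cat "/proc/$1/fd/$2" > "$3"
}

# Self-contained demonstration on a constructed log file: a background
# process holds it open on fd 3, it is unlinked, then it is recovered.
demo_recover() {
    workdir=$(cd "$(mktemp -d)" && pwd -P)   # physical path, as /proc reports it
    printf 'line one\nline two\n' > "$workdir/app.log"
    exec 3< "$workdir/app.log"      # open in this shell ...
    sleep 30 &                      # ... the child inherits fd 3
    holder=$!
    exec 3<&-                       # the parent no longer needs it
    rm -f "$workdir/app.log"        # now only the child keeps the inode alive
    entry=$(open_files_under "$workdir" | grep "^$holder " | grep ' (deleted)$')
    set -- $entry                   # positional parameters: PID FD PATH ...
    recover_deleted_file "$1" "$2" "$workdir/recovered.log"
    kill "$holder" 2>/dev/null
    cat "$workdir/recovered.log"
    rm -rf "$workdir"
}

if [ "${1:-}" = "--demo" ]; then demo_recover; fi
```

Note that redirecting into /var/log/messages creates a new inode: syslogd keeps writing to the unlinked one until it is restarted, so restart or signal the writer after copying. For a database, stop the writer before copying so the recovered file is a consistent snapshot.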
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.