linux环境下恢复rm误删的文件
2024-04-22 10:55:05
文章目录
- 前言
- rm之后还有救吗
- 使用foremost找回文件
- 使用extundelete找回文件
- 预防误删引发的事故
- 总结
前言
一提到在 linux 环境下删除文件,那绝对离不开 sudo rm -rf /* 这个梗,每次看到这个命令,我都想到一幅恶搞的图片:
这个『清理垃圾』的说明真是解释的“恰到好处”,据说有小白在论坛问问题,被人开玩笑的回复了 sudo rm -rf /* 这个命令,结果问题就解决了,人也拜拜了~
从删库到跑路,一天一个入狱小技巧,所以我们一定要谨慎使用 rm -rf 命令,这相当于我们在 Windows 上使用 Shift+Delete 组合,文件不会放到回收站中,而是直接永久删除了,在 Linux 中执行 rm 命令就相当于永久删除。
虽说 sudo rm -rf /* 危险无比,但是我们很少会直接这样写,但是 rm 命令还是经常用的,这不就在前几天,辛辛苦苦写的Shell脚本就被我直接 rm -rf 删掉了,幸亏我之前将内容打印到了控制台,否则整个脚本就白写了。
rm之后还有救吗
尽管 rm 命令表示永久删除,但是不代表文件就一定找不回来,只是找回的几率有大有小。其实删除命令只是在文件节点中作删除标记,并不真正清除文件内容,如果删除后马上进行恢复,那么成功的概率还是很大的,但是如果其他用户一直在用这台机器,或者有一些写盘操作的进程一直在执行,那么这部分数据可能很快就会被覆盖。这时基本上就无法恢复该文件了。
使用foremost找回文件
foremost 是一个基于文件头和尾部信息以及文件的内建数据结构恢复文件的命令行工具,接下来是安装和恢复的步骤:
- 安装
foremost
CentOS系统直接运行 sudo yum install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm -y 命令就可以完成
如果是Ubuntu系统请尝试命令:
sudo apt install foremost
[root@VM-0-3-centos ~]# sudo yum install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm -y
Loaded plugins: fastestmirror, langpacks
Repository epel is listed more than once in the configuration
foremost-1.5.7-13.1.el7.x86_64.rpm | 46 kB 00:00:01
Examining /var/tmp/yum-root-XJIfxM/foremost-1.5.7-13.1.el7.x86_64.rpm: foremost-1.5.7-13.1.el7.x86_64
Marking /var/tmp/yum-root-XJIfxM/foremost-1.5.7-13.1.el7.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package foremost.x86_64 0:1.5.7-13.1.el7 will be installed
--> Finished Dependency Resolution
epel/7/x86_64 | 4.7 kB 00:00:00
epel/7/x86_64/group_gz | 96 kB 00:00:00
epel/7/x86_64/updateinfo | 1.0 MB 00:00:00
epel/7/x86_64/primary_db | 7.0 MB 00:00:01
extras/7/x86_64 | 2.9 kB 00:00:00
extras/7/x86_64/primary_db | 243 kB 00:00:00
os/7/x86_64 | 3.6 kB 00:00:00
updates/7/x86_64 | 2.9 kB 00:00:00
updates/7/x86_64/primary_db | 12 MB 00:00:01Dependencies Resolved=====================================================================================================================Package Arch Version Repository Size
=====================================================================================================================
Installing:foremost x86_64 1.5.7-13.1.el7 /foremost-1.5.7-13.1.el7.x86_64 85 kTransaction Summary
=====================================================================================================================
Install 1 PackageTotal size: 85 k
Installed size: 85 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transactionInstalling : foremost-1.5.7-13.1.el7.x86_64 1/1Verifying : foremost-1.5.7-13.1.el7.x86_64 1/1Installed:foremost.x86_64 0:1.5.7-13.1.el7Complete!
[root@VM-0-3-centos ~]#
- 创建一个测试文件
[root@VM-0-3-centos ~]# echo "this is a important file">important.txt
[root@VM-0-3-centos ~]# pwd
/root
[root@VM-0-3-centos ~]# ls
connecttendis.sh important.txt restore tarlist tendis test.iso
[root@VM-0-3-centos ~]# mkdir -p /tmp/restore
- 删除文件后尝试还原
[root@VM-0-3-centos ~]# rm important.txt
[root@VM-0-3-centos ~]# foremost -i /dev/vda1 -o /tmp/restore/
Processing: /dev/vda1
|***********Segmentation fault
- 执行几分钟之后崩溃,恢复失败,打开目录查看发现:
[root@VM-0-3-centos ~]# ls /tmp/restore/
audit.txt bmp doc exe htm jpg mov mpg pdf ppt rar sdw sxc sxw wav xls zip
avi dll docx gif jar mbd mp4 ole png pptx rif sx sxi vis wmv xlsx
- 看来与需要恢复的文件类型有关,换台机器再换一个png文件试试,先找一个showball.png测试文件,然后确认分区
/dev/vda1
[root@VM-0-3-centos ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
devtmpfs 930496 0 930496 0% /dev
tmpfs 941004 24 940980 1% /dev/shm
tmpfs 941004 508 940496 1% /run
tmpfs 941004 0 941004 0% /sys/fs/cgroup
/dev/vda1 51473868 6458344 42692404 14% /
/dev/loop0 361650 361650 0 100% /mnt/iso
tmpfs 188204 0 188204 0% /run/user/0
[root@VM-0-3-centos ~]# pwd
/root
[root@VM-0-3-centos ~]# ls
restore showball.png
- 删除png文件后尝试恢复,进度条结束后即可进入指定的目录
/root/restore/查看
[root@VM-0-3-centos ~]# rm showball.png
rm: remove regular file ‘showball.png’? y
[root@VM-0-3-centos ~]# pwd
/root
[root@VM-0-3-centos ~]# foremost -t png -i /dev/vda1 -o /root/restore/
Processing: /dev/vda1
|*********************************************************************************************|
- 在指定目录下会有一个
audit.txt统计文件和一个类型文件夹png
[root@VM-0-3-centos ~]# ll restore/
total 40
-rw-r--r-- 1 root root 24548 Nov 27 22:57 audit.txt
drwxr-xr-- 2 root root 16384 Nov 27 22:56 png
[root@VM-0-3-centos ~]# cd restore/
[root@VM-0-3-centos restore]# ll png
total 43764
-rw-r--r-- 1 root root 3500 Nov 27 22:53 00367400.png
-rw-r--r-- 1 root root 3578 Nov 27 22:53 00367408.png
-rw-r--r-- 1 root root 3445 Nov 27 22:53 00367416.png
-rw-r--r-- 1 root root 368 Nov 27 22:53 00367432.png
-rw-r--r-- 1 root root 363 Nov 27 22:53 00367456.png
-rw-r--r-- 1 root root 392 Nov 27 22:53 00367464.png
-rw-r--r-- 1 root root 199 Nov 27 22:53 00367616.png
...
- png目录下的文件名都是一些编号,与原来删除的文件完全不一样了,需要根据 audit.txt 文件确认,打开文件确认一下:
[root@VM-0-3-centos restore]# head audit.txt
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit FileForemost started at Sat Nov 27 22:53:48 2021
Invocation: foremost -t png -i /dev/vda1 -o /root/restore/
Output directory: /root/restore
Configuration file: /etc/foremost.conf
------------------------------------------------------------------
File: /dev/vda1
Start: Sat Nov 27 22:53:48 2021
[root@VM-0-3-centos restore]# head -n 20 audit.txt
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit FileForemost started at Sat Nov 27 22:53:48 2021
Invocation: foremost -t png -i /dev/vda1 -o /root/restore/
Output directory: /root/restore
Configuration file: /etc/foremost.conf
------------------------------------------------------------------
File: /dev/vda1
Start: Sat Nov 27 22:53:48 2021
Length: 49 GB (53686025728 bytes)Num Name (bs=512) Size File Offset Comment0: 00367400.png 3 KB 188108800 (16 x 16)
1: 00367408.png 3 KB 188112896 (16 x 16)
2: 00367416.png 3 KB 188116992 (16 x 16)
3: 00367432.png 368 B 188125184 (16 x 16)
4: 00367456.png 363 B 188137472 (16 x 16)
5: 00367464.png 392 B 188141568 (16 x 16)
...
- audit.txt 文件中记录着恢复文件的简要信息,这需要你知道原来删除文件的相关信息,不然就只能一个个打开查看了,我是通过分辨率查找的
[root@VM-0-3-centos restore]# grep "1217" audit.txt
116: 12888200.png 40 KB 6598758400 (1217 x 690)
360: 38088960.png 40 KB 19501547520 (1217 x 690)
- 根据过滤出的信息把
12888200.png打开发现就是自己“误删”的文件这就恢复好了
使用extundelete找回文件
extundelete 支持ext3、ext4文件系统下的文件恢复,使用 cat /etc/fstab 可以在linux环境下查看文件系统类型
[root@VM-0-3-centos ~]# cat /etc/fstab
UUID=21dbe030-aa71-4b3a-8610-3b942dd447fa / ext4 noatime,acl,user_xattr 1 1
proc /proc proc defaults 0 0
sysfs /sys sysfs noauto 0 0
debugfs /sys/kernel/debug debugfs noauto 0 0
devpts /dev/pts devpts mode=0620,gid=5 0 0
[root@VM-0-3-centos ~]#
- 安装依赖文件
[root@VM-0-3-centos ~]# yum install e2fsprogs-devel
Loaded plugins: fastestmirror, langpacks
Repository epel is listed more than once in the configuration
Determining fastest mirrors
epel | 4.7 kB 00:00:00
extras | 2.9 kB 00:00:00
os | 3.6 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/2): epel/7/x86_64/updateinfo | 1.0 MB 00:00:00
(2/2): epel/7/x86_64/primary_db | 7.0 MB 00:00:01
Resolving Dependencies
--> Running transaction check
---> Package e2fsprogs-devel.x86_64 0:1.42.9-19.el7 will be installed
--> Finished Dependency ResolutionDependencies Resolved===============================================================================================================Package Arch Version Repository Size
===============================================================================================================
Installing:e2fsprogs-devel x86_64 1.42.9-19.el7 os 73 kTransaction Summary
===============================================================================================================
Install 1 PackageTotal download size: 73 k
Installed size: 162 k
Is this ok [y/d/N]: y
Downloading packages:
e2fsprogs-devel-1.42.9-19.el7.x86_64.rpm | 73 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transactionInstalling : e2fsprogs-devel-1.42.9-19.el7.x86_64 1/1Verifying : e2fsprogs-devel-1.42.9-19.el7.x86_64 1/1Installed:e2fsprogs-devel.x86_64 0:1.42.9-19.el7Complete!
[root@VM-0-3-centos ~]#
- 下载extundelete源码
[root@VM-0-3-centos ~]# wget https://src.fedoraproject.org/repo/pkgs/extundelete/extundelete-0.2.4.tar.bz2/77e626ad31433680c0a222069295d2ca/extundelete-0.2.4.tar.bz2
--2021-11-28 18:36:15-- https://src.fedoraproject.org/repo/pkgs/extundelete/extundelete-0.2.4.tar.bz2/77e626ad31433680c0a222069295d2ca/extundelete-0.2.4.tar.bz2
Resolving src.fedoraproject.org (src.fedoraproject.org)... 38.145.60.20, 38.145.60.21
Connecting to src.fedoraproject.org (src.fedoraproject.org)|38.145.60.20|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 108472 (106K) [application/x-bzip2]
Saving to: ‘extundelete-0.2.4.tar.bz2’100%[============================================================================>] 108,472 33.5KB/s in 3.2s2021-11-28 18:36:20 (33.5 KB/s) - ‘extundelete-0.2.4.tar.bz2’ saved [108472/108472][root@VM-0-3-centos ~]# ls
extundelete-0.2.4.tar.bz2
- 解压extundelete源码
[root@VM-0-3-centos ~]# tar -jxvf extundelete-0.2.4.tar.bz2
extundelete-0.2.4/
extundelete-0.2.4/acinclude.m4
extundelete-0.2.4/missing
extundelete-0.2.4/autogen.sh
extundelete-0.2.4/aclocal.m4
extundelete-0.2.4/configure
extundelete-0.2.4/LICENSE
extundelete-0.2.4/README
extundelete-0.2.4/install-sh
extundelete-0.2.4/config.h.in
extundelete-0.2.4/src/
extundelete-0.2.4/src/extundelete.cc
extundelete-0.2.4/src/block.h
extundelete-0.2.4/src/kernel-jbd.h
extundelete-0.2.4/src/insertionops.cc
extundelete-0.2.4/src/block.c
extundelete-0.2.4/src/cli.cc
extundelete-0.2.4/src/extundelete-priv.h
extundelete-0.2.4/src/extundelete.h
extundelete-0.2.4/src/jfs_compat.h
extundelete-0.2.4/src/Makefile.in
extundelete-0.2.4/src/Makefile.am
extundelete-0.2.4/configure.ac
extundelete-0.2.4/depcomp
extundelete-0.2.4/Makefile.in
extundelete-0.2.4/Makefile.am
[root@VM-0-3-centos ~]# cd extundelete-0.2.4/
[root@VM-0-3-centos extundelete-0.2.4]# ls
acinclude.m4 aclocal.m4 autogen.sh config.h.in configure configure.ac depcomp
install-sh LICENSE Makefile.am Makefile.in missing README src
[root@VM-0-3-centos extundelete-0.2.4]#
- 编译xtundelete源码安装
[root@VM-0-3-centos extundelete-0.2.4]# ./configure --prefix=/usr/local/extundelete && make && make install
Configuring extundelete 0.2.4
Writing generated files to disk
make -s all-recursive
Making all in src
extundelete.cc: In function ‘ext2_ino_t find_inode(ext2_filsys, ext2_filsys, ext2_inode*, std::string, int)’:
extundelete.cc:1272:29: warning: narrowing conversion of ‘search_flags’ from ‘int’ to ‘ext2_ino_t {aka unsigned int}’ inside { } [-Wnarrowing]buf, match_name2, priv, 0};^
Making install in src/usr/bin/install -c extundelete '/usr/local/extundelete/bin'
[root@VM-0-3-centos extundelete-0.2.4]# which extundelete
/usr/bin/which: no extundelete in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
[root@VM-0-3-centos extundelete-0.2.4]# ll /usr/local/extundelete/bin/
total 1296
-rwxr-xr-x 1 root root 1323360 Nov 28 18:45 extundelete
如果在这一步报错
configure: error: C++ compiler cannot create executables,可以运行yum -y install gcc-c++命令安装编译环境
- 准备测试文件
[root@VM-0-3-centos examples]# df -T
Filesystem Type 1K-blocks Used Available Use% Mounted on
devtmpfs devtmpfs 930496 0 930496 0% /dev
tmpfs tmpfs 941004 24 940980 1% /dev/shm
tmpfs tmpfs 941004 508 940496 1% /run
tmpfs tmpfs 941004 0 941004 0% /sys/fs/cgroup
/dev/vda1 ext4 51473868 6465732 42685016 14% /
/dev/loop0 iso9660 361650 361650 0 100% /mnt/iso
tmpfs tmpfs 188204 0 188204 0% /run/user/0
[root@VM-0-3-centos examples]# cp ../extundelete-0.2.4.tar.bz2 .
[root@VM-0-3-centos examples]# ls
extundelete-0.2.4.tar.bz2
- 查询文件的inode信息
我们选择刚刚下载的extundelete源码包作为“误删”的文件,先查看一下信息,-li 可以在第一列查看文件的inode信息,examples文件夹的inode值为1311798:
[root@VM-0-3-centos ~]# ls examples/
extundelete-0.2.4.tar.bz2
[root@VM-0-3-centos ~]# ls -li
total 361676
1311798 drwxr-xr-x 2 root root 4096 Nov 28 20:28 examples
1310761 drwxr-xr-x 3 1000 1000 4096 Nov 28 18:45 extundelete-0.2.4918157 drwxr-xr-x 2 root root 4096 Feb 28 2021 tarlist396057 -rw-r--r-- 1 root root 370329600 Feb 27 2021 test.iso
- 删除测试文件,并用查询信息
[root@VM-0-3-centos ~]# cd examples/
[root@VM-0-3-centos examples]# ls
extundelete-0.2.4.tar.bz2
[root@VM-0-3-centos examples]# rm extundelete-0.2.4.tar.bz2 -f
[root@VM-0-3-centos examples]# ls
[root@VM-0-3-centos examples]# /usr/local/extundelete/bin/extundelete /dev/vda1 --inode 1311798
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 400 groups loaded.
Group: 160
Contents of inode 1311798:
0000 | ed 41 00 00 00 10 00 00 7a 62 a3 61 1b 7a a3 61 | .A......zb.a.z.a
0010 | 1b 7a a3 61 00 00 00 00 00 00 02 00 08 00 00 00 | .z.a............
0020 | 00 00 08 00 0b 00 00 00 0a f3 01 00 04 00 00 00 | ................
0030 | 00 00 00 00 00 00 00 00 01 00 00 00 79 20 50 00 | ............y P.
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 7c 63 ab ad 00 00 00 00 00 00 00 00 | ....|c..........
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 80 da 0d a3 80 da 0d a3 94 24 04 08 | .............$..
0090 | 7a 62 a3 61 94 24 04 08 00 00 00 00 00 00 00 00 | zb.a.$..........
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1638097530
Creation time: 1638103579
Modification time: 1638103579
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 2
Blocks count: 8
File flags: 524288
File version (for NFS): 2913690492
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 127754, 4, 0, 0, 1, 5251193, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0File name | Inode number | Deleted status
. 1311798
.. 393219
extundelete-0.2.4.tar.bz2 396764 Deleted
conftest.err 1311833 Deleted
[root@VM-0-3-centos examples]#
我们发现 extundelete-0.2.4.tar.bz2 文件的状态为 Deleted
- 使用extundelete恢复文件
[root@VM-0-3-centos ~]# /usr/local/extundelete/bin/extundelete /dev/vda1 --restore-directory /tmp
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 400 groups loaded.
Loading journal descriptors ... 31842 descriptors loaded.
*** Error in `/usr/local/extundelete/bin/extundelete': double free or corruption (!prev): 0x00000000014d6020 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x81299)[0x7f5c08190299]
/usr/local/extundelete/bin/extundelete[0x40cdcb]
/usr/local/extundelete/bin/extundelete[0x40fee6]
/usr/local/extundelete/bin/extundelete[0x4045b4]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f5c08131555]
/usr/local/extundelete/bin/extundelete[0x404aef]
======= Memory map: ========
00400000-0041c000 r-xp 00000000 fd:01 1311942 /usr/local/extundelete/bin/extundelete
0061c000-0061d000 r--p 0001c000 fd:01 1311942 /usr/local/extundelete/bin/extundelete
0061d000-0061e000 rw-p 0001d000 fd:01 1311942 /usr/local/extundelete/bin/extundelete
0061e000-0061f000 rw-p 00000000 00:00 0
014c6000-0176e000 rw-p 00000000 00:00 0 [heap]
7f5c00000000-7f5c00021000 rw-p 00000000 00:00 0
7f5c00021000-7f5c04000000 ---p 00000000 00:00 0
7f5c07ca1000-7f5c07ef3000 rw-p 00000000 00:00 0
7f5c07ef3000-7f5c07f0a000 r-xp 00000000 fd:01 265649 /usr/lib64/libpthread-2.17.so
7f5c07f0a000-7f5c08109000 ---p 00017000 fd:01 265649 /usr/lib64/libpthread-2.17.so
7f5c08109000-7f5c0810a000 r--p 00016000 fd:01 265649 /usr/lib64/libpthread-2.17.so
7f5c0810a000-7f5c0810b000 rw-p 00017000 fd:01 265649 /usr/lib64/libpthread-2.17.so
7f5c0810b000-7f5c0810f000 rw-p 00000000 00:00 0
7f5c0810f000-7f5c082d2000 r-xp 00000000 fd:01 265623 /usr/lib64/libc-2.17.so
7f5c082d2000-7f5c084d2000 ---p 001c3000 fd:01 265623 /usr/lib64/libc-2.17.so
7f5c084d2000-7f5c084d6000 r--p 001c3000 fd:01 265623 /usr/lib64/libc-2.17.so
7f5c084d6000-7f5c084d8000 rw-p 001c7000 fd:01 265623 /usr/lib64/libc-2.17.so
7f5c084d8000-7f5c084dd000 rw-p 00000000 00:00 0
7f5c084dd000-7f5c084f2000 r-xp 00000000 fd:01 291206 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f5c084f2000-7f5c086f1000 ---p 00015000 fd:01 291206 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f5c086f1000-7f5c086f2000 r--p 00014000 fd:01 291206 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f5c086f2000-7f5c086f3000 rw-p 00015000 fd:01 291206 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f5c086f3000-7f5c087f4000 r-xp 00000000 fd:01 287349 /usr/lib64/libm-2.17.so
7f5c087f4000-7f5c089f3000 ---p 00101000 fd:01 287349 /usr/lib64/libm-2.17.so
7f5c089f3000-7f5c089f4000 r--p 00100000 fd:01 287349 /usr/lib64/libm-2.17.so
7f5c089f4000-7f5c089f5000 rw-p 00101000 fd:01 287349 /usr/lib64/libm-2.17.so
7f5c089f5000-7f5c08ade000 r-xp 00000000 fd:01 266798 /usr/lib64/libstdc++.so.6.0.19
7f5c08ade000-7f5c08cde000 ---p 000e9000 fd:01 266798 /usr/lib64/libstdc++.so.6.0.19
7f5c08cde000-7f5c08ce6000 r--p 000e9000 fd:01 266798 /usr/lib64/libstdc++.so.6.0.19
7f5c08ce6000-7f5c08ce8000 rw-p 000f1000 fd:01 266798 /usr/lib64/libstdc++.so.6.0.19
7f5c08ce8000-7f5c08cfd000 rw-p 00000000 00:00 0
7f5c08cfd000-7f5c08d3f000 r-xp 00000000 fd:01 267873 /usr/lib64/libext2fs.so.2.4
7f5c08d3f000-7f5c08f3f000 ---p 00042000 fd:01 267873 /usr/lib64/libext2fs.so.2.4
7f5c08f3f000-7f5c08f40000 r--p 00042000 fd:01 267873 /usr/lib64/libext2fs.so.2.4
7f5c08f40000-7f5c08f42000 rw-p 00043000 fd:01 267873 /usr/lib64/libext2fs.so.2.4
7f5c08f42000-7f5c08f45000 r-xp 00000000 fd:01 265948 /usr/lib64/libcom_err.so.2.1
7f5c08f45000-7f5c09144000 ---p 00003000 fd:01 265948 /usr/lib64/libcom_err.so.2.1
7f5c09144000-7f5c09145000 r--p 00002000 fd:01 265948 /usr/lib64/libcom_err.so.2.1
7f5c09145000-7f5c09146000 rw-p 00003000 fd:01 265948 /usr/lib64/libcom_err.so.2.1
7f5c09146000-7f5c09168000 r-xp 00000000 fd:01 265614 /usr/lib64/ld-2.17.so
7f5c092b1000-7f5c0935d000 rw-p 00000000 00:00 0
7f5c09363000-7f5c09367000 rw-p 00000000 00:00 0
7f5c09367000-7f5c09368000 r--p 00021000 fd:01 265614 /usr/lib64/ld-2.17.so
7f5c09368000-7f5c09369000 rw-p 00022000 fd:01 265614 /usr/lib64/ld-2.17.so
7f5c09369000-7f5c0936a000 rw-p 00000000 00:00 0
7ffe581db000-7ffe581fc000 rw-p 00000000 00:00 0 [stack]
7ffe581fc000-7ffe581fe000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted
[root@VM-0-3-centos ~]#
恢复失败,此路不通!!!
有其他人成功了,但是我测试失败,释放内存崩溃,有大神给说一下怎么改源码吗?此处存疑,后续再测,先记录一下常用参数。
- 查询inode文件状态:
/usr/local/extundelete/bin/extundelete /dev/vda1 --inode 1311798 - 恢复指定节点数据:
/usr/local/extundelete/bin/extundelete /dev/vda1 --restore-inode 1311798 - 恢复单个文件:
/usr/local/extundelete/bin/extundelete /dev/vda1 --restore-file root/examples/extundelete-0.2.4.tar.bz2 - 恢复一个目录:
/usr/local/extundelete/bin/extundelete /dev/vda1 --restore-files root/examples - 恢复所有文件:
/usr/local/extundelete/bin/extundelete /dev/vda1 --restore-all
预防误删引发的事故
定义别名,提示删除
定义别名alias rm='rm -i', 在删除文件前会出现一个提示,使用-i选项来需要逐个确认要删除的文件,只有用户输入y才会将文件删除,但是这种做法在加上-f选项之后会失效。禁用rm,使用mv代替
在系统中不允许直接使用rm命令直接删除文件,需要mv文件到指定的回收目录
~/.delete,然后配合一个定时任务,每周清空~/.delete下文件,相当于手动创建了一个回收站。
总结
- 使用foremost恢复时的目标目录最好是另外一个磁盘中的目录,把文件恢复到被删除文件所在的磁盘中很可能会在恢复前覆盖被误删的文件
sodu的全称目前有substitute user do和super user do两种说法,使用sudo通常是行驶超级用户的权限,但有时也可以其他普通用户,所以翻译成substitute user do代替其他用户来做更准确一点- foremost 支持的文件系统比较多,其中包括 ext2、 ext3 、vfat、NTFS、ufs、jfs 等,但是只能恢复特定格式的文件,而 extundelete 只支持ext3、ext4文件系统,不过可恢复的文件类型很多。
- 除了本文中总结的这两款不怎么好用的恢复软件,还有 testdisk 和 photorec 可以用来恢复,后续可以尝试一下
- 数据无价,请谨慎删除,可参考别名方法或禁用
rm -rf来减少事故的发生
==>> 反爬链接,请勿点击,原地爆炸,概不负责!<<==
成年人,结果导向!没有功劳的苦劳是那么的虚弱无力~
linux环境下恢复rm误删的文件相关推荐
- linux函数删除某文件,Linux环境下用C++删除指定文件
Linux环境下用C++删除指定文件 "Talk is cheap, show me the code!" #include #include #include #include ...
- 【 Linux学习】Linux环境下利用OpenSSL对大文件进行AES加解密
一.背景 之前的几篇博客已经介绍了Gitlab如何备份恢复与迁移已经脚本监控过程等. git学习--> Gitlab如何进行备份恢复与迁移? http://blog.csdn.net/ouyan ...
- Linux环境下Nginx部署静态资源文件。
操作环境: 阿里云服务器: Centos7.4 已安装过nginx 准备好静态资源文件. 部署静态资源文件 我把自己的静态资源文件放在了/usr/local/nginx/html下. dv文件夹中为静 ...
- 学会在Linux环境下用c语言多文件制作lrc歌词解析器
效果: 需要掌握的知识 1. 链表的熟悉运用. 懂得在链表的插入,排序. 2. 学会Linux下基本命令指令. sudo apt-get install vim //下载vim sudo apt-ge ...
- linux中rm删除的文件是否可以恢复,Linux下用rm删除的文件的恢复方法
Linux下用rm删除的文件的恢复方法_Linux教程_Linux公社-Linux系统门户网站 https://www.linuxidc.com/Linux/2008-08/14744.htm lin ...
- linux还原环境,Linux环境利用恢复被rm意外删除数据文件
Linux环境下不小心在操作系统误rm删除数据文件后,在没有重启数据库或者操作系统的情况下可以利用操作系统句柄恢复.[@more@]1.数据库版本信息: SQL> select * from v ...
- linux 垃圾桶命令,linux自制垃圾筒 避免rm误删文件
linux自制垃圾筒 避免rm误删文件 linux默认是删除文件是直接永久删除,并没有想windows那样可以删除到垃圾桶,然后可以直接恢复. linux自身是不带垃圾桶的,但是我们可以自己设计一个机 ...
- c语言Linux用线程创建文件,Linux环境下C语言线程创建---简单代码
在Linux环境下用C语言编写线程创建. //file name: pthreadtext.c #include #include //线程头文件 //pthread不是linux下的默认的库,也就是 ...
- Linux环境下移动一个文件夹下的所有文件到另一个文件夹
Linux环境下移动一个文件夹下的所有文件到另一个文件夹 研究命令 最近需要把一个环境里的文件,迁移到另一个环境里去,但是两个环境里的数据会有一些同名的子目录,要求不能覆盖数据而是合并,迁移之前我先做 ...
最新文章
- GIt代码托管、Github Desktop和 Pycharm中代码的管理
- 你知道element中el-table的列名中不能含有 . 吗?
- 4.3 欠拟合与过拟合
- 读写分离的适用场景(转载)
- 函数指针的应用学习Demo
- winform安装包签名
- 什么软件测试内存稳定性,喜大普奔:内存稳定性工具Memtest终有Windows版
- 高德地图GPS经纬度转高德经纬度
- 2021年P气瓶充装模拟考试及P气瓶充装考试试题
- 01-探寻 JavaScript 反爬虫的根本原因
- 杭州造云记 | 甲子光年
- html八边形怎么显示,如何用几何画板自定义工具画正八边形
- 正确的临摹方法,小白零基础临摹教程
- C++ 11中的Lambda表达式
- cmd窗口的内容加上颜色
- 创世卓越高清晰PDF图书下载 40本
- M56 智慧井盖的技术应用
- 【外文翻译】图像中的傅里叶变换
- VS 断点不会命中的情况
- LabVIEW控制Arduino实现示波器(基础篇—7)