Linux 安全工具之extundelete误删除恢复

一：前言

在Linux中，我们通常会因为误删除文件而感到烦恼，rm -rf +文件  rf参数简直就是每个运维的噩梦，但是大家想过没，为什么删除文件那么快呢，为什么我们copy文件的时候那么慢。

其实不管大家是rm 还是rm -rf都是删除的文件名字而已，数据还是保存在磁盘扇区里面的，当然这只是我的理解，那么删除后我们要怎么恢复呢，下面实验将进行对extundelete工具的简单操作介绍，

二：实验环境

系统：CentOS6.4_x64-mini.iso

工具选择： extundelete-0.2.4.tar.bz2

extundelete官网：http://extundelete.sourceforge.net/

备注：这里我全文全部为Linux命令，没有任何图片，加一个图片到blogs里面很累的。

再者环境我说明一下，我这里的实验目录是单独挂载到一个硬盘上的，不然搞得大家看不懂就很不好了，

说下我为什么挂载一个硬盘上呢，大家想下，企业中了为了安全的考虑，肯定会把数据盘和系统盘分开。

删除了数据盘的数据就必须马上umount下，不然数据二次写入，就是大牛来了也帮不了你了。这点和Windows一样，我想都会懂的。

三：实验前准备

创建目录，copy文件。

[[email protected] ~]#mkdir  /yang
[[email protected] ~]# mkfs.ext4 /dev/sdb
[[email protected] ~]# mount /dev/sdb /yang/
[[email protected] ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2       9.5G  3.6G  5.5G  39% /
tmpfs           242M     0  242M   0% /dev/shm
/dev/sda1       190M   27M  153M  15% /boot
/dev/sdb        4.8G   10M  4.6G   1% /yang
[[email protected] ~]# cp /etc/hosts /yang/
[[email protected] ~]# cp /etc/passwd /yang/
[[email protected] ~]# mkdir -p /yang/data1/
[[email protected] ~]# mkdir -p /yang/data2/
[[email protected] ~]# echo "data1.txt" > /yang/data1/data1.txt
[[email protected] ~]# echo "data2.txt" > /yang/data2/data2.txt
[[email protected] ~]# ls -r /yang/*
/yang/passwd  /yang/hosts

/yang/lost+found:

/yang/data2:
data2.txt

/yang/data1:
data1.txt

###以上为我实验环境的准备，命令都很简单，最后查看文件输出结果###

四、下载安装extundelete

[[email protected] ~]#wget  http://internode.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
[[email protected] ~]# tar jxvf extundelete-0.2.4.tar.bz2
[[email protected] ~]# cd extundelete-0.2.4
[[email protected] extundelete-0.2.4]# ls
acinclude.m4  autogen.sh   config.log  configure.ac  install-sh  Makefile.am  missing  src
aclocal.m4    config.h.in  configure   depcomp       LICENSE     Makefile.in  README
[[email protected] extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
configure: error: Can‘t find ext2fs library

###好的，到这里看到报错，怎么办呢，根据报错解决了###

这里报错说找不到ext2fs，找不到就装一个呗，怎么装呢，yum? 首先要确定下这个包，yum直接安装ext2fs肯定是没有的，接下来我们既然没那么多经验，不知道包名字，我们就rpm找就可以了，简单明了。

[[email protected] extundelete-0.2.4]# mount /dev/cdrom /mnt/
mount: block device /dev/sr0 is write-protected, mounting read-only
[[email protected] extundelete-0.2.4]# cd /mnt/
[[email protected] mnt]# ls
CentOS_BuildTag  GPL       Packages                  RPM-GPG-KEY-CentOS-6           RPM-GPG-KEY-CentOS-Testing-6
EFI              images    RELEASE-NOTES-en-US.html  RPM-GPG-KEY-CentOS-Debug-6     TRANS.TBL
EULA             isolinux  repodata                  RPM-GPG-KEY-CentOS-Security-6
[[email protected] mnt]# cd Packages/
[[email protected] Packages]# ls *2fs*
e2fsprogs-1.41.12-21.el6.x86_64.rpm      e2fsprogs-devel-1.41.12-21.el6.x86_64.rpm  e2fsprogs-libs-1.41.12-21.el6.x86_64.rpm
e2fsprogs-devel-1.41.12-21.el6.i686.rpm  e2fsprogs-libs-1.41.12-21.el6.i686.rpm

[[email protected] Packages]# rpm -ivh e2fsprogs-1.41.12-21.el6.x86_64.rpm
Preparing...                ########################################### [100%]
    package e2fsprogs-1.41.12-21.el6.x86_64 is already installed
[[email protected] Packages]# rpm -ivh e2fsprogs-devel-1.41.12-21.el6.x86_64.rpm
Preparing...                ########################################### [100%]
   1:e2fsprogs-devel        ########################################### [100%]

Ok，这里我安装成功了，我的是x64位系统，当然我要装x86_x64啦。接下来我们继续编译安装。

[[email protected] Packages]#  cd /root/extundelete-0.2.4
[[email protected] extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk
[[email protected] extundelete-0.2.4]# echo $?
0
[[email protected] extundelete-0.2.4]# make && make install
make -s all-recursive
Making all in src
extundelete.cc:571: warning: unused parameter ‘flags’
Making install in src
  /usr/bin/install -c extundelete ‘/usr/local/bin‘
[[email protected] extundelete-0.2.4]# ls /usr/local/bin/
Extundelete

########安装成功  我们开始删除文件来进行恢复测试#####

进行删除，恢复测试。记得删除后umount哦，不然二次写入谁也帮不了你呢。

[[email protected] ~]# rm -rf /yang/*
[[email protected] ~]# ls /yang/*
ls: cannot access /yang/*: No such file or directory
[[email protected] ~]# ls /yang/
[[email protected] ~]#echo “这里可以看到我刚才删除了rm –rf /yang/*就没有任何东西了”
[[email protected] ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2       9.5G  3.6G  5.5G  40% /
tmpfs           242M     0  242M   0% /dev/shm
/dev/sda1       190M   27M  153M  15% /boot
/dev/sdb        4.8G   10M  4.6G   1% /yang
/dev/sr0        4.4G  4.4G     0 100% /mnt
[[email protected] ~]# umount /yang/
[[email protected] ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2       9.5G  3.6G  5.5G  40% /
tmpfs           242M     0  242M   0% /dev/shm
/dev/sda1       190M   27M  153M  15% /boot
/dev/sr0        4.4G  4.4G     0 100% /mnt

五、恢复测试。恢复方式有很多，接下来简单说几个。

1、  通过inode节点恢复

什么是inode?这里建议大家去百度，其实笔者也不是很懂啦，哈哈，我只是会一些简单的。

[[email protected] ~]# mkdir /recover
[[email protected] ~]# cd /recover/
[[email protected] recover]# ls
[[email protected] recover]# extundelete /dev/sdb --inode 2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 b3 3f 79 57 af 3f 79 57 | .A.......?yW.?yW
0010 | af 3f 79 57 00 00 00 00 00 00 02 00 08 00 00 00 | .?yW............
0020 | 00 00 00 00 09 00 00 00 61 21 00 00 00 00 00 00 | ........a!......
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 a8 c0 78 45 a8 c0 78 45 6c 66 f1 64 | ......xE..xElf.d
0090 | 27 3d 79 57 00 00 00 00 00 00 00 00 00 00 00 00 | ‘=yW............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1467563955
Creation time: 1467563951
Modification time: 1467563951
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 2
Blocks count: 8
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 8545, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0

File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
lost+found                                        11             Deleted
hosts                                             12             Deleted
passwd                                            13             Deleted
data1                                             131073         Deleted
data2                                             131074         Deleted
[[email protected] recover]#

[[email protected] recover]# extundelete /dev/sdb --restore-inode 13
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Loading journal descriptors ... 52 descriptors loaded.
[[email protected] recover]# ls
RECOVERED_FILES
[[email protected] recover]# ls RECOVERED_FILES/
file.13
[[email protected] recover]# du -sh ./RECOVERED_FILES/file.13
4.0K    ./RECOVERED_FILES/file.13
[[email protected] recover]# echo "这里我根据是inode的节点恢复的，当然这里有些人会不了解为什么是file.13，上面我inode节点对应的不是passwd文件？下面我们查看一下是否一样文件，再使用diff对比一下。"

原文件:

[[email protected] recover]# more /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
www:x:600:600::/data1/app/services/nginx:/sbin/nologin
[[email protected] recover]#

恢复出来的文件：

[[email protected] recover]# more RECOVERED_FILES/file.13
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
www:x:600:600::/data1/app/services/nginx:/sbin/nologin
[[email protected] recover]#

##############输出的结果一模一样############

再者我们使用diff对比一下文件，diff命令不懂？  没问题啊，一样啊去百度啊，因为笔者也不了解，嘿嘿。逗逼一下，不然写着很累的。

[[email protected] recover]# diff /etc/passwd ./RECOVERED_FILES/file.13
[[email protected] recover]# echo $?
0
[[email protected] recover]#echo “这里返回结果就是0,没有报错，就是成功了，对比一样，记住，在Linux中没有信息就是最好的信息。”

2、  根据文件名来恢复

[[email protected] recover]# extundelete /dev/sdb --restore-file hosts
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Loading journal descriptors ... 52 descriptors loaded.
Successfully restored file hosts
[[email protected] recover]# ls
RECOVERED_FILES
[[email protected] recover]# ls RECOVERED_FILES/
file.13  hosts
[[email protected] recover]# diff /etc/hosts ./RECOVERED_FILES/hosts
[[email protected] recover]# echo $?
0
[[email protected] recover]#echo“对比一样还是恢复成功了。”

3、根据目录来恢复

[[email protected] recover]# extundelete /dev/sdb --restore-directory data1
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Loading journal descriptors ... 52 descriptors loaded.
Searching for recoverable inodes in directory data1 ...
7 recoverable inodes found.
Looking through the directory structure for deleted files ...
6 recoverable inodes still lost.
[[email protected] recover]# ls ./RECOVERED_FILES/
data1  file.13  hosts
[[email protected] recover]# ls ./RECOVERED_FILES/data1/
data1.txt
[[email protected] recover]# echo “到这里目录测试也是可以恢复成功，里面文件也是我之前的文件，那么如果有人说我的文件太多了我想恢复所有的，这样操作是不是太麻烦了，没问题，下面我来教大家怎么恢复所有的，就是更改下参数。”

4、恢复全部文件。

我先给之前恢复的文件都删除了，下面看是不是可以正常恢复成功所有的文件

[[email protected] recover]# rm -rf RECOVERED_FILES/
[[email protected] recover]# ls
[[email protected] recover]# extundelete /dev/sdb --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 40 groups loaded.
Loading journal descriptors ... 52 descriptors loaded.
Searching for recoverable inodes in directory / ...
7 recoverable inodes found.
Looking through the directory structure for deleted files ...
0 recoverable inodes still lost.
[[email protected] recover]# ls
RECOVERED_FILES
[[email protected] recover]# ls -r ./RECOVERED_FILES/
passwd  hosts  data2  data1
[[email protected] recover]#echo “可以看到我删除后所有的都恢复过来了”

啊~~~到这里总算是告一段落了，实在不懂的直接问我就可以了，我也是今天才学的。感谢大家~