Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
| Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
 |
03-08-2006, 11:05 AM
|
#1
|
|
Member
Registered: Aug 2005
Posts: 51
Rep: 
|
how to restore deleted files?
hi all. i have a little problem. i have deleted some files from my /var/www/html directory yesterday and i don't have a backup. so is there is a way to restore this this files again? i know under windows there are some programs who can do that but i don't know for linux.
thanks in advance
|
|
|
|
|
03-08-2006, 11:43 AM
|
#2
|
|
Member
Registered: Sep 2003
Location: Michigan USA
Distribution: Mandrake, DamnSmallLinux, VectorLinux
Posts: 416
Rep:
|
This may seem obvious but did you check your trash?
|
|
|
|
|
03-08-2006, 11:54 AM
|
#3
|
|
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307
Rep:
|
If and only if you have not rebooted, copy /dev/kcore somewhere and then try to find something in this file.
You may get a good percentage of your files depending on what you did meanwhile.
Also this, I think it works with the disk and not the ram:
http://freshmeat.net/projects/unrm/ |
|
|
|
|
03-08-2006, 11:58 AM
|
#4
|
|
Member
Registered: Aug 2005
Posts: 51
Original Poster
Rep:
|
i tried this link and the program is working just fine. anyway the problem is that this program is only works with ext2 but my partitions are ext3. also under /dev i have just this files:
full log null ptmx pts/ random reboot tty urandom zero
is there a possibility kcore to be on some other location?
thanks
Quote:
|
Originally Posted by nx5000
If and only if you have not rebooted, copy /dev/kcore somewhere and then try to find something in this file.
You may get a good percentage of your files depending on what you did meanwhile.
Also this, I think it works with the disk and not the ram:
http://freshmeat.net/projects/unrm/ |
Last edited by ice99; 03-08-2006 at 12:05 PM.
|
|
|
|
|
03-09-2006, 03:12 AM
|
#5
|
|
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307
Rep:
|
What is your distribution?
|
|
|
|
|
03-09-2006, 03:50 AM
|
#6
|
|
Member
Registered: Aug 2005
Posts: 51
Original Poster
Rep:
|
It is CentOs 4
Quote:
|
Originally Posted by nx5000
What is your distribution?
|
|
|
|
|
|
03-09-2006, 03:55 AM
|
#7
|
|
Senior Member
Registered: Aug 2005
Posts: 1,755
Rep:
|
Quote:
|
Originally Posted by ice99
my partitions are ext3.
|
It's really hard or impossible to recover files directly on ext3, since it zeroes out the inodes after you delete them. You may have to do things like grep through the drive to recover your stuff. |
|
|
|
|
03-09-2006, 04:02 AM
|
#8
|
|
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307
Rep:
|
Quote:
|
Originally Posted by ice99
It is CentOs 4
|
Mmmh I won't be of any help, the only centos I have is in a virtual machine and I don't have this machine now.
Maybe centos doesn't use a file for this, maybe ask somewhere else or if you're lucky somebody will pop in..
Also spooon is right, you can dump the disk with dd ( TO ANOTHER DISK  )
I don't know the physical structure of ext3.
In any case, do not reboot and try to not touch this disk. |
|
|
|
|
04-01-2006, 01:50 AM
|
#9
|
|
LQ Guru
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211
Rep:
|
You have to grep through the partition... look for the content of the file.
|
|
|
|
|
04-01-2006, 02:16 AM
|
#10
|
|
LQ Guru
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211
Rep:
|
|
|
|
|
|
04-12-2006, 09:21 AM
|
#11
|
|
LQ Newbie
Registered: Jan 2006
Posts: 3
Rep: 
|
use debugfs command; check the deleted files with lsdel command, u can use rdump command to restore the files! ofcourse it may not restore all the files.
ramesh
|
|
|
|
|
04-12-2006, 11:49 AM
|
#12
|
|
Moderator
Registered: May 2001
Posts: 29,415
|
Grepping can do if you're mainly concerned with text. You could try a header/footer based approach (think file: magic) using "foremost". RPMForge and Dries repositories have rpm's for it. Running it as "foremost -a -d -v -T -t all -i /dev/hdb1 -o /tmp/foremost" (where hdb1 is the remounted-read-only partition and /tmp/foremost the output dir) recovered 11 out of 24 files after deleting the dirs. Lsdel and debugfs can only be used on ext2fs.
|
|
|
|
|
04-12-2006, 08:33 PM
|
#13
|
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
|
Originally Posted by nx5000
If and only if you have not rebooted, copy /dev/kcore somewhere and then try to find something in this file.
You may get a good percentage of your files depending on what you did meanwhile.
|
hi, i'm trying this just for educational purposes (i don't really need to recover anything)... i assume you mean /proc/kcore, right?? well, i did a:
Code:
cat /proc/kcore > /tmp/kcore
and i ended-up with a file 543MB in size...
how would i go about searching this file for deleted files??
Code:
bash-3.1$ ls -l /tmp/kcore
-rw-r--r-- 1 root root 568926208 2006-04-12 20:30 /tmp/kcore
bash-3.1$ file /tmp/kcore
/tmp/kcore: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style, SVR4-style, from 'vmlinux', bad note name size 0xe0800000
Last edited by win32sux; 04-12-2006 at 08:36 PM.
|
|
|
|
|
04-13-2006, 03:10 AM
|
#14
|
|
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307
Rep:
|
Its the contents of your memory (swap / ram )
Well, from here you could play with strings.
strings /tmp/kcore
do you have vi?  |
|
|
|
All times are GMT -5. The time now is 04:10 AM.
|
|
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
|
 Latest Threads
LQ News
|
|
