MAN | HOME
返回列表 发帖

用extundelete恢复linux误删文件

用extundelete恢复linux误删文件

-0.2.4恢复

官方网站:

http://extundelete.sourceforge.net/

下载:

wget http://downloads.sourceforge.net ... elete-0.2.4.tar.bz2

extundelete依赖e2fsprogs
[root@hs12 extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
configure: error: Can’t find ext2fs library

[root@hs12 extundelete-0.2.4]# yum install e2fsprogs-devel

[root@hs12 extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk

[root@hs12 extundelete-0.2.4]# make & make install

[root@hs12 extundelete-0.2.4]# cd src
[root@hs12 src]# ls
block.c cli.cc extundelete-block.o extundelete-cli.o extundelete.h extundelete-priv.h jfs_compat.h Makefile Makefile.in
block.h extundelete extundelete.cc extundelete-extundelete.o extundelete-insertionops.o insertionops.cc kernel-jbd.h Makefile.am

[root@hs12 src]# ./extundelete
No action specified; implying –superblock.
./extundelete: Missing device name.
Usage: ./extundelete [options] [--] device-file
Options:
–version, -[vV] Print version and exit successfully.
–help, Print this help and exit successfully.
–superblock Print contents of superblock in addition to the rest.
If no action is specified then this option is implied.
–journal Show content of journal.
–after dtime Only process entries deleted on or after ‘dtime’.
–before dtime Only process entries deleted before ‘dtime’.
Actions:
–inode ino Show info on inode ‘ino’.
–block blk Show info on block ‘blk’.
–restore-inode ino[,ino,...]
Restore the file(s) with known inode number ‘ino’.
The restored files are created in ./RECOVERED_FILES
with their inode number as extension (ie, file.12345).
–restore-file ‘path’ Will restore file ‘path’. ‘path’ is relative to root
of the partition and does not start with a ‘/’
The restored file is created in the current
directory as ‘RECOVERED_FILES/path’.
–restore-files ‘path’ Will restore files which are listed in the file ‘path’.
Each filename should be in the same format as an option
to –restore-file, and there should be one per line.
–restore-directory ‘path’
Will restore directory ‘path’. ‘path’ is relative to the
root directory of the file system. The restored
directory is created in the output directory as ‘path’.
–restore-all Attempts to restore everything.
-j journal Reads an external journal from the named file.
-b blocknumber Uses the backup superblock at blocknumber when opening
the file system.
-B blocksize Uses blocksize as the block size when opening the file
system. The number should be the number of bytes.
–log 0 Make the program silent.
–log filename Logs all messages to filename.
–log D1=0,D2=filename Custom control of log messages with comma-separated
Examples below: list of options. Dn must be one of info, warn, or
–log info,error error. Omission of the ‘=name’ results in messages
–log warn=0 with the specified level to be logged to the console.
–log error=filename If the parameter is ‘=0′, logging for the specified
level will be turned off. If the parameter is
‘=filename’, messages with that level will be written
to filename.
-o directory Save the recovered files to the named directory.
The restored files are created in a directory
named ‘RECOVERED_FILES/’ by default.
./extundelete: Error parsing command-line options.

[root@hs12 src]# ./extundelete /dev/sdb1 –restore-directory /data/sh
NOTICE: Extended attributes are not restored.
Loading filesystem metadata … 29800 groups loaded.
Loading journal descriptors … 28266 descriptors loaded.
Failed to restore file /data/sh
Could not find correct inode number past inode 2.
Try altering the filename to one of the entries listed below.
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11
logs 195821569
dfs 14942209
mapred 165806081
bidata 221380609
userdata 3407873
trackdata 112459777
adsdkdata 135135233
test 227409921
a.tar.gz 12
t1 13 Deleted
test1 227278849
statis 109051905
sh 24641537
hadoop 59506689
./extundelete: Operation not permitted while restoring directory.
./extundelete: Operation not permitted when trying to examine filesystem
[root@hs12 src]# ./extundelete /dev/sdb1 –restore-file /data/sh/active.awk
NOTICE: Extended attributes are not restored.
Loading filesystem metadata … 29800 groups loaded.
Loading journal descriptors … 28266 descriptors loaded.
Failed to restore file /data/sh/active.awk
Could not find correct inode number past inode 2.
Try altering the filename to one of the entries listed below.
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11
logs 195821569
dfs 14942209
mapred 165806081
bidata 221380609
userdata 3407873
trackdata 112459777
adsdkdata 135135233
test 227409921
a.tar.gz 12
t1 13 Deleted
test1 227278849
statis 109051905
sh 24641537
hadoop 59506689
./extundelete: Operation not permitted while restoring file.
./extundelete: Operation not permitted when trying to examine filesystem

[root@hs12 RECOVERED_FILES]# ../extundelete /dev/sdb1 –restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata … 29800 groups loaded.
Loading journal descriptors … 28266 descriptors loaded.
[root@hs12 RECOVERED_FILES]# cd RECOVERED_FILES/
[root@hs12 RECOVERED_FILES]# cd sh
[root@hs12 sh]# ls
09081.txt a bknewdev.awk charge.sh derby.log hive2mysql.sh luan.awk newdev.awk so.awk
0908.txt active.awk b.txt charge.txt dvid_price.awk hiveactive.sh luandoutang_09_900037.csv newdev.sh t.awk
09.txt active.sh charge cid_price.awk emptycid hivenewdev.sh luan.sh pid.awk TempStatsStore
100001 adsdkdata charge_2013-09-09.txt cps err.txt hiveput.sh multidate.sh pid.sh test.awk
1dev.awk a.txt charge_20130909_.txt cps_newdev.java getdvid.awk insdata.py newdev print user.awk
201309081.txt bi.awk charge2mysql.sh cps.sh getmysql.sh luan newdev1.awk py
201309091.txt bkactive.awk charge.awk dateutil.sh getnewdev_from_mysql.sh luan1 newdev2mysql.sh sendmail.sh
[root@hs12 sh]# ls -l
total 225360
-rw-r–r– 1 root root 29251633 Sep 12 19:46 09081.txt
-rw-r–r– 1 root root 35249787 Sep 12 19:46 0908.txt
-rw-r–r– 1 root root 64501420 Sep 12 19:46 09.txt
-rw-r–r– 1 root root 2378 Sep 12 19:46 100001
-rw-r–r– 1 root root 840 Sep 12 19:46 1dev.awk
-rw-r–r– 1 root root 33931129 Sep 12 19:46 201309081.txt
-rw-r–r– 1 root root 27169653 Sep 12 19:46 201309091.txt
-rw-r–r– 1 root root 1 Sep 12 19:46 a
-rw-r–r– 1 root root 2227 Sep 12 19:46 active.awk
-rw-r–r– 1 root root 999 Sep 12 19:46 active.sh
-rw-r–r– 1 root root 19242484 Sep 12 19:46 adsdkdata
-rw-r–r– 1 root root 5626 Sep 12 19:46 a.txt
-rw-r–r– 1 root root 331 Sep 12 19:46 bi.awk
-rw-r–r– 1 root root 1543 Sep 12 19:46 bkactive.awk
-rw-r–r– 1 root root 931 Sep 12 19:46 bknewdev.awk
-rw-r–r– 1 root root 11 Sep 12 19:46 b.txt
-rw-r–r– 1 root root 230 Sep 12 19:46 charge
-rw-r–r– 1 root root 20964603 Sep 12 19:46 charge_2013-09-09.txt
-rw-r–r– 1 root root 229 Sep 12 19:46 charge_20130909_.txt
-rw-r–r– 1 root root 1243 Sep 12 19:46 charge2mysql.sh
-rw-r–r– 1 root root 428 Sep 12 19:46 charge.awk
-rw-r–r– 1 root root 2822 Sep 12 19:46 charge.sh
-rw-r–r– 1 root root 227 Sep 12 19:46 charge.txt
-rw-r–r– 1 root root 1227 Sep 12 19:46 cid_price.awk
drwxr-xr-x 2 root root 4096 Sep 12 19:46 cps
-rw-r–r– 1 root root 12070 Sep 12 19:46 cps_newdev.java
-rw-r–r– 1 root root 2764 Sep 12 19:46 cps.sh
-rw-r–r– 1 root root 885 Sep 12 19:46 dateutil.sh
-rw-r–r– 1 root root 992 Sep 12 19:46 derby.log
-rw-r–r– 1 root root 658 Sep 12 19:46 dvid_price.awk
-rw-r–r– 1 root root 54217 Sep 12 19:46 emptycid
-rw-r–r– 1 root root 64279 Sep 12 19:46 err.txt
-rw-r–r– 1 root root 379 Sep 12 19:46 getdvid.awk
-rw-r–r– 1 root root 1217 Sep 12 19:46 getmysql.sh
-rw-r–r– 1 root root 1552 Sep 12 19:46 getnewdev_from_mysql.sh
-rw-r–r– 1 root root 532 Sep 12 19:46 hive2mysql.sh
-rw-r–r– 1 root root 858 Sep 12 19:46 hiveactive.sh
-rw-r–r– 1 root root 926 Sep 12 19:46 hivenewdev.sh
-rw-r–r– 1 root root 683 Sep 12 19:46 hiveput.sh
-rw-r–r– 1 root root 2227 Sep 12 19:46 insdata.py
-rw-r–r– 1 root root 1045 Sep 12 19:46 luan
-rw-r–r– 1 root root 813 Sep 12 19:46 luan1
-rw-r–r– 1 root root 336 Sep 12 19:46 luan.awk
-rw-r–r– 1 root root 72909 Sep 12 19:46 luandoutang_09_900037.csv
-rw-r–r– 1 root root 180 Sep 12 19:46 luan.sh
-rw-r–r– 1 root root 420 Sep 12 19:46 multidate.sh
drwxr-xr-x 2 root root 4096 Sep 12 19:46 newdev
-rw-r–r– 1 root root 777 Sep 12 19:46 newdev1.awk
-rw-r–r– 1 root root 1290 Sep 12 19:46 newdev2mysql.sh
-rw-r–r– 1 root root 738 Sep 12 19:46 newdev.awk
-rw-r–r– 1 root root 762 Sep 12 19:46 newdev.sh
-rw-r–r– 1 root root 693 Sep 12 19:46 pid.awk
-rw-r–r– 1 root root 518 Sep 12 19:46 pid.sh
-rw-r–r– 1 root root 99 Sep 12 19:46 print
-rw-r–r– 1 root root 30324 Sep 12 19:46 py
-rw-r–r– 1 root root 160 Sep 12 19:46 sendmail.sh
-rw-r–r– 1 root root 744 Sep 12 19:46 so.awk
-rw-r–r– 1 root root 93 Sep 12 19:46 t.awk
drwxr-xr-x 2 root root 4096 Sep 12 19:46 TempStatsStore
-rw-r–r– 1 root root 311 Sep 12 19:46 test.awk
-rw-r–r– 1 root root 385 Sep 12 19:46 user.awk
[root@hs12 sh]# vi active.awk
查看,脚本都在。

整个恢复成功。
所以唯一成功的是extundelete ,并且不能指定文件和目录,而是全部恢复,才能成功。


但是这个工具只能删除rm删除的东西
我的apache文件被黑客注入进来用apache权限删了,找办法恢复中

返回列表