Wednesday, September 24, 2008

“Bring back deleted files with lsof”

I haven’t had time to post for over a month, but I’m back. The other day I found this article (http://www.linux.com/articles/58142) about bringing back files using lsof. At first it did not make a lot of sense, since unless you still have the file open this will not work. How likely are you to still have open the files you just deleted by mistake?

Well, not very likely. But if you run a shared hosting company (or are the system administrator of one), you know that customers often deploy poorly written PHP code with allow_url_fopen turned on, and in no time attackers will be injecting and running their own scripts on your server.

Usually you can find the running process and kill it. But before you do, look at its file descriptors: attackers commonly delete the script right after launching it, and as long as the process keeps it open the deleted file is still readable through that descriptor. The kernel only frees the inode once the last descriptor referencing it is closed, so copy the file out first and kill the process last.

Here is an example similar to the one in the article:

Create a file, open it with less, press Ctrl + Z to suspend the viewer, then delete the file:

[root@tiger proctest]# echo "Hello Linuxzone" >crazyfile
[root@tiger proctest]# less crazyfile
Hello Linuxzone

[1]+ Stopped less crazyfile

[root@tiger proctest]# rm crazyfile
rm: remove regular file `crazyfile'? y

Run lsof and grep for the filename or for the command that was run. On a compromised box you can instead start from the PID of the suspicious process (from ps, for example) and run lsof -p PID; every entry marked (deleted) is a file that is gone from the directory tree but still open.

[root@tiger proctest]# lsof crazyfile
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
less 4771 root 4r REG 3,5 16 2099178 crazyfile (deleted)

[root@tiger proctest]# lsof|grep less

less 4771 root cwd DIR 3,5 4096 2099177 /home/jc/proctest
less 4771 root rtd DIR 3,5 4096 2 /
less 4771 root txt REG 3,5 101788 8280017 /usr/bin/less
less 4771 root mem REG 3,5 112168 376984 /lib/ld-2.3.4.so
less 4771 root mem REG 3,5 1529136 376987 /lib/tls/libc-2.3.4.so
less 4771 root mem REG 3,5 1175697 8278659 /usr/lib/libncursesw.so.5.4
less 4771 root 0u CHR 136,0 2 /dev/pts/0
less 4771 root 1u CHR 136,0 2 /dev/pts/0
less 4771 root 2u CHR 136,0 2 /dev/pts/0
less 4771 root 3r CHR 5,0 1857 /dev/tty
less 4771 root 4r REG 3,5 16 2099178 /home/jc/proctest/crazyfile (deleted)
Go to /proc/PID and check the file descriptors inside the fd directory. You can also check the command that was run with cat cmdline. Its arguments are separated by NUL bytes rather than spaces, which is why the output below runs together as lesscrazyfile; pipe it through tr '\0' ' ' to make it readable:

[root@tiger proctest]# cd /proc/4771
[root@tiger 4771]# ll
total 0
dr-xr-xr-x 2 root root 0 May 5 23:08 attr
-r-------- 1 root root 0 May 5 23:08 auxv
-r--r--r-- 1 root root 0 May 5 23:08 cmdline
lrwxrwxrwx 1 root root 0 May 5 23:08 cwd -> /home/jc/proctest
-r-------- 1 root root 0 May 5 23:08 environ
lrwxrwxrwx 1 root root 0 May 5 23:08 exe -> /usr/bin/less
dr-x------ 2 root root 0 May 5 23:08 fd
-rw-r--r-- 1 root root 0 May 5 23:08 loginuid
-r-------- 1 root root 0 May 5 23:08 maps
-rw------- 1 root root 0 May 5 23:08 mem
-r--r--r-- 1 root root 0 May 5 23:08 mounts
lrwxrwxrwx 1 root root 0 May 5 23:08 root -> /
-r--r--r-- 1 root root 0 May 5 23:08 stat
-r--r--r-- 1 root root 0 May 5 23:08 statm
-r--r--r-- 1 root root 0 May 5 23:08 status
dr-xr-xr-x 3 root root 0 May 5 23:08 task
-r--r--r-- 1 root root 0 May 5 23:08 wchan

[root@tiger 4771]# cat cmdline
lesscrazyfile

[root@tiger 4771]# cd fd
[root@tiger fd]# ll
total 5
lrwx------ 1 root root 64 May 5 23:08 0 -> /dev/pts/0
lrwx------ 1 root root 64 May 5 23:08 1 -> /dev/pts/0
lrwx------ 1 root root 64 May 5 23:08 2 -> /dev/pts/0
lr-x------ 1 root root 64 May 5 23:08 3 -> /dev/tty
lr-x------ 1 root root 64 May 5 23:08 4 -> /home/jc/proctest/crazyfile (deleted)
[root@tiger fd]# cat 4
Hello Linuxzone
[root@tiger fd]# cp 4 /tmp/crazyfile.restored
[root@tiger fd]# cat /tmp/crazyfile.restored
Hello Linuxzone
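The whole procedure above, scripted, as an added example that is not part of the original post: it finds every open-but-deleted file of a process (or of every process you are allowed to inspect) by reading the symlinks under /proc/PID/fd, prints cmdline with its NUL separators translated, and copies the data back out through the descriptor before the holder is killed. It assumes Linux with /proc mounted and permission to read the target's fd directory (same user, or root); the work directory, file name and the background "holder" process that stands in for the stopped less are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Recover a file that was
# deleted while some process still holds it open, by reading the descriptor
# through /proc/PID/fd. Assumes Linux with /proc mounted and permission to
# read the target's fd directory (same user or root). The demo directory,
# file name and "holder" process are constructed for the demo.

# Print "PID<TAB>FD<TAB>PATH" for every open-but-deleted file of PID.
# Equivalent to what "lsof -p PID | grep '(deleted)'" shows.
list_deleted_fds() {
    pid=$1
    for link in /proc/"$pid"/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case $target in
            *' (deleted)')
                printf '%s\t%s\t%s\n' "$pid" "${link##*/}" "${target% (deleted)}" ;;
        esac
    done
}

# Same scan over every process we are allowed to inspect (all of them as root).
scan_all_deleted() {
    for dir in /proc/[0-9]*; do
        list_deleted_fds "${dir##*/}"
    done
}

# /proc/PID/cmdline separates arguments with NUL bytes, which is why a plain
# cat shows "lesscrazyfile"; translate the NULs to spaces to read it.
show_cmdline() {
    tr '\0' ' ' < /proc/"$1"/cmdline
    echo
}

# Copy the still-open data out through the descriptor. This must happen while
# the holder is alive: the kernel frees the inode once the last reference to
# it closes, so do NOT kill the process before copying.
recover_fd() {
    pid=$1; fd=$2; dest=$3
    cp /proc/"$pid"/fd/"$fd" "$dest"
}

# Demo: open a file in a background "holder" (standing in for the stopped less
# in the post, or an attacker's script that unlinked itself), delete it, find
# it again through /proc and restore it. Prints the recovered contents.
demo() {
    work=$(mktemp -d)
    printf 'Hello Linuxzone\n' > "$work/crazyfile"

    # Open fd 4 in this shell first so the background child inherits it at
    # fork time; that avoids a race between the child's open() and our rm.
    exec 4< "$work/crazyfile"
    sleep 60 4<&4 &
    holder=$!
    exec 4<&-                      # only the holder keeps the file open now

    rm -f "$work/crazyfile"        # the path is gone, the inode is not

    # Pick our file out of the holder's deleted descriptors (it may have
    # inherited unrelated deleted fds from its parent).
    tab=$(printf '\t')
    entry=$(list_deleted_fds "$holder" | grep -F "${tab}${work}/crazyfile" | head -n 1)
    fd=$(printf '%s\n' "$entry" | cut -f2)
    path=$(printf '%s\n' "$entry" | cut -f3)
    recover_fd "$holder" "$fd" "${path}.restored"

    kill "$holder"                 # safe now: the copy is already on disk
    cat "${path}.restored"
    rm -rf "$work"
}
```

The order in demo is the point: copy through /proc/PID/fd/N first, kill the holder second. Reversing the two steps loses the data, because the unlinked inode only survives as long as some descriptor references it. The same scan_all_deleted loop is a quick way to spot a self-deleting script on a busy host without waiting for a full lsof run.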
