rm

A record of recovering files after a Linux rm -rf *

Original: http://abloz.com/2013/09/12/linux-rm-rf-file-recovery-record.html

By 周海汉, 2013.9.12

My hands were too quick, and I regretted it instantly. All I meant to do was delete one file: rm path/myfile.txt

Somehow a * got appended, and it turned into

rm path/myfile.txt *

I ran ls at once and found that all my code was gone: not committed, not backed up. rm doesn't ask for confirmation either. In one second the world was clean.

Hoping against hope, I searched everywhere, but there was not a single tarball backup. The few places that did have backups held only very early work.

I wanted to cry but had no tears.

So the way Linux rm deletes without backing up first is really bad. No wonder many people look left and right for half a minute before they dare to run rm. Some suggest simply aliasing rm to mv for root.

There was no way around it; I had to recover the files.

The machine sits in the server room, so I could not cut power, pull the disk, or reboot.

Mount read-only immediately

First, the disk must be remounted read-only right away.

Otherwise every other daemon keeps reading and writing, and not even the gods could recover anything. When planning disks, always create separate partitions by function; otherwise recovering from an accidental deletion is very hard. For example, installing Linux without partitioning and putting everything under / makes this a real headache.

# /data is mounted on /dev/sdb1
mount
/dev/sdb1 on /data type ext4 (rw)

mount -r -n -o remount /data
mount: /data is busy

# Need to see which processes are using it; many java and hadoop processes show up, so kill them.
fuser -v -m /data

# Remount as read-only
mount -r -n -o remount /data

# Then test by touching a file inside /data; it errors out.
touch a
touch: cannot touch `a': Read-only file system

That was a big relief: with the filesystem remounted read-only, I could take my time recovering and no longer had to worry about my files being overwritten.
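The remount procedure above as an added example script (not from the original post): it reads the kernel's own view of the mount from /proc/mounts, attempts the read-only remount, lists the processes holding the mount if that fails, and verifies the result from /proc/mounts rather than by creating a test file on the disk being recovered. It assumes a Linux host with fuser available and root privileges; mount_opts, is_readonly and freeze_mount are helper names chosen here.

```shell
#!/bin/sh
# freeze_mount.sh: stop further writes to a filesystem before attempting undelete.
# Added example, not part of the original post. Assumes Linux (/proc/mounts,
# fuser) and that it runs as root.

# Print the mount options recorded for mountpoint $1. The /proc/mounts text is
# read from stdin so the parser can be exercised offline.
mount_opts() {
  awk -v mp="$1" '$2 == mp { print $4; found = 1 } END { exit found ? 0 : 1 }'
}

# Succeed only if the comma-separated option list $1 contains the "ro" flag
# (a plain substring match would also hit "errors=remount-ro").
is_readonly() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -qx 'ro'
}

# Remount $1 read-only; on failure, show who keeps it busy and stop.
freeze_mount() {
  mp=$1
  opts=$(mount_opts "$mp" < /proc/mounts) || { echo "$mp is not mounted" >&2; return 1; }
  if is_readonly "$opts"; then
    echo "$mp is already read-only ($opts)"
    return 0
  fi
  # -n keeps mount from rewriting /etc/mtab, which may itself live on $mp.
  if ! mount -n -o remount,ro "$mp" 2>/dev/null; then
    echo "remount of $mp failed; processes holding it open:" >&2
    fuser -v -m "$mp" >&2      # decide per process whether it can be stopped
    return 2
  fi
  # Verify from the kernel's view: a stray write is exactly what we avoid.
  opts=$(mount_opts "$mp" < /proc/mounts)
  is_readonly "$opts" && echo "$mp is now read-only ($opts)"
}

# Run only when a mountpoint is given on the command line.
if [ -n "${1:-}" ]; then freeze_mount "$1"; fi
```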

Using debugfs

Use debugfs to find the inodes of the deleted files, then work out how to recover them.

debugfs /dev/sdb1
debugfs 1.41.12 (17-May-2010)

debugfs:
debugfs: lsdel
Inode Owner Mode Size Blocks Time deleted
0 deleted inodes found.

The wonderful debugfs found no deleted inodes at all. Could it be that I don't know how to use it?

Failed!

Recovering with grep

grep searches the raw disk for the text and dumps the surrounding characters; maybe part of the file could be recovered that way.

grep -a -B 100 -A 100 'active.sh' /dev/sdb1 > results.txt

Only a jumble of binary.

Failed!

Using ext3grep

Mine is an ext4 filesystem, so it does not work at all.

Nothing left but to look for professional tools.

Using testdisk 6.14

Usage guide: http://www.cgsecurity.org/wiki/TestDisk%3a_undelete_file_for_ext2

Download: wget http://www.cgsecurity.org/testdisk-6.14.linux26-x86_64.tar.bz2

cd testdisk-6.14
ls
Android.mk ChangeLog documentation.html fidentify_static INFO l photorec.8 README testdisk.8 testdisk_static VERSION
AUTHORS COPYING fidentify.8 ico jni NEWS photorec_static readme.txt testdisk.log THANKS

./testdisk_static
TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER <grenier@cgsecurity.org>

http://www.cgsecurity.org

1 P MS Data 2048 7811889151 7811887104 [primary]
Directory /

>drwxr-xr-x 500 500 4096 28-Aug-2013 13:41 .
drwxr-xr-x 500 500 4096 28-Aug-2013 13:41 ..
drwxrwxrwx 500 500 16384 18-Jul-2013 15:42 lost+found
drwxrwxrwx 500 500 12288 12-Sep-2013 00:36 logs

drwxrwxrwx 500 500 4096 25-Jul-2013 16:54 test1
drwxrwxr-x 500 500 4096 12-Sep-2013 03:28 statis
drwxrwxr-x 500 500 4096 12-Sep-2013 17:40 sh
drwxrwxr-x 500 500 12288 3-Sep-2013 15:28 hadoop

Next
Use Right to change directory, h to hide deleted files
q to quit, : to select the current file, a to select all files
C to copy the selected files, c to copy the current file

I selected the right directory, pressed Enter, and finally saw the deleted file names. But why were all the file sizes 0?

TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER <grenier@cgsecurity.org>

http://www.cgsecurity.org

1 P MS Data 2048 7811889151 7811887104 [primary]
Directory /sh

drwxrwxr-x 500 500 4096 12-Sep-2013 17:40 .
drwxr-xr-x 500 500 4096 28-Aug-2013 13:41 ..
>-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 active.awk
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 active.sh
lrwxrwxrwx 500 500 13 2-Aug-2013 17:17 statis
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 dateutil.sh
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 hiveput.sh
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 multidate.sh
drwxrwxr-x 500 500 4096 3-Sep-2013 15:24 errlogs
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 hiveactive.sh
drwxrwxr-x 500 500 4096 12-Sep-2013 17:40 cps
drwxrwxr-x 500 500 4096 30-Aug-2013 15:21 TempStatsStore
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 bkactive.awk
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 test.awk
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 t.awk
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 print
-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 a
-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 a.txt
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 user.awk
-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 luan
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 cps.sh
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 hivenewdev.sh
-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 hive2mysql.sh
-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 py
lrwxrwxrwx 500 500 12 26-Aug-2013 09:34 userdata
lrwxrwxrwx 500 500 10 26-Aug-2013 09:34 bidata
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 bi.awk
-rw-r--r-- 500 500 0 12-Sep-2013 17:40 luandoutang_09_900037.csv
-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 luan1
-rwxr-xr-x 500 500 0 12-Sep-2013 17:40 luan.awk
-rwxr-xr-x 500 500 0 12-Sep-2013 17:40 luan.sh
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 dvid_price.awk
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 cid_price.awk
lrwxrwxrwx 500 500 15 9-Sep-2013 13:33 adsdkdata
-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 0908.txt
-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 09081.txt
-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 09.txt
drwxrwxr-x 500 500 4096 9-Sep-2013 16:22 pid

TestDisk 6.14, Data Recovery Utility, July 2013

Please select a destination where /sh/active.awk will be copied.
Keys: Arrow keys to select another directory
C when the destination is correct
Q to quit

Press a to select all files, C to copy them, pick a destination directory, and confirm.

Going in to check: the file names were all restored, but the contents were all empty. testdisk, which claims to recover ext4, had failed.

I also downloaded the newer testdisk-7.0-WIP.linux26-x86_64.tar.bz2; same problem.

Recovering with extundelete-0.2.4

Note: /data is mounted read-only. The command parameters in this step of the original text are wrong: the restore directory should not point at /data/sh, and this also does not match the description of the --restore-directory parameter above. That is most likely the real reason the recovery failed.

[root@hs12 src]# ./extundelete /dev/sdb1 --restore-directory /data/sh
NOTICE: Extended attributes are not restored.
Loading filesystem metadata … 29800 groups loaded.
Loading journal descriptors … 28266 descriptors loaded.
Failed to restore file /data/sh
Could not find correct inode number past inode 2.
Try altering the filename to one of the entries listed below.
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11
logs 195821569
dfs 14942209
mapred 165806081
bidata 221380609
userdata 3407873
trackdata 112459777
adsdkdata 135135233
test 227409921
a.tar.gz 12
t1 13 Deleted
test1 227278849
statis 109051905
sh 24641537
hadoop 59506689
./extundelete: Operation not permitted while restoring directory.
./extundelete: Operation not permitted when trying to examine filesystem
[root@hs12 src]# ./extundelete /dev/sdb1 --restore-file /data/sh/active.awk
NOTICE: Extended attributes are not restored.
Loading filesystem metadata … 29800 groups loaded.
Loading journal descriptors … 28266 descriptors loaded.
Failed to restore file /data/sh/active.awk
Could not find correct inode number past inode 2.
Try altering the filename to one of the entries listed below.
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11
logs 195821569
dfs 14942209
mapred 165806081
bidata 221380609
userdata 3407873
trackdata 112459777
adsdkdata 135135233
test 227409921
a.tar.gz 12
t1 13 Deleted
test1 227278849
statis 109051905
sh 24641537
hadoop 59506689
./extundelete: Operation not permitted while restoring file.
./extundelete: Operation not permitted when trying to examine filesystem

Checking: the scripts are all there.

The whole recovery succeeded.

So the only tool that worked was extundelete, and only when recovering everything rather than specifying a file or directory.

A weight off my mind :)

Lessons for those who come after: always back up, and partition disks by function. Alias rm: alias rm="rm -i".
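A trash-instead-of-delete replacement for rm, in the spirit of the alias suggestions above (added example, not from the original post): deleted paths are moved, with their full path preserved, under a timestamped folder so they can be put back later. It assumes a POSIX sh and that TRASH_DIR (default ~/.trash) lives on the same filesystem as the deleted files so that mv is a rename; safe_rm, trash_one and trash_count are names chosen here.

```shell
#!/bin/sh
# safe_rm.sh: trash instead of delete, so "rm path/myfile.txt *" is reversible.
# Added example, not from the original post. Source it and: alias rm=safe_rm
# Assumes TRASH_DIR is on the same filesystem as the files (mv renames, no copy).

TRASH_DIR=${TRASH_DIR:-$HOME/.trash}

# Move one path into the trash as <stamp>-<pid>/<absolute path>, so two deleted
# files with the same basename never collide. Prints the new location.
trash_one() {
  p=$1
  [ -e "$p" ] || [ -L "$p" ] || { echo "safe_rm: no such file: $p" >&2; return 1; }
  abs=$(cd "$(dirname "$p")" && pwd -P)/$(basename "$p")
  stamp=$(date +%Y%m%d-%H%M%S)-$$
  dest=$TRASH_DIR/$stamp$abs
  n=0   # same path trashed twice within one second: add a suffix, never overwrite
  while [ -e "$dest" ]; do n=$((n + 1)); dest=$TRASH_DIR/$stamp.$n$abs; done
  mkdir -p "$(dirname "$dest")" && mv -- "$p" "$dest" || return 1
  printf '%s\n' "$dest"
}

# Drop-in for "rm [-rf] FILE...": option flags are accepted and ignored, since
# moving a directory is already recursive and always reversible. Refuses the
# entries that a careless glob can sweep up (".", "..", "/").
safe_rm() {
  status=0
  for p in "$@"; do
    case $p in
      -*) continue ;;
      .|..|/|*/.|*/..) echo "safe_rm: refusing to trash $p" >&2; status=1; continue ;;
    esac
    trash_one "$p" || status=1
  done
  return $status
}

# Number of regular files currently held in the trash (quick sanity check).
trash_count() {
  find "$TRASH_DIR" -type f 2>/dev/null | wc -l | tr -d ' '
}
```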