Created
January 16, 2018 12:33
-
-
Save naumvd95/04aa3c29f8825b029cac19ba1a4dd120 to your computer and use it in GitHub Desktop.
helpful script to investigate who remove file)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #set -ex | |
| echo 'firstly find out remove type (ssh/nfs/locally etc..)!' | |
| echo -e '-----------------------------------------------------\n' | |
| echo 'take a look on history command in /root/.bash_history' | |
| HISTFILE=/root/.bash_history | |
| set -o history | |
| history | grep -n "rm\|mv" | |
| echo -e '-----------------------------------------------------\n' | |
| echo 'check last users' | |
| last | |
| echo -e '-----------------------------------------------------\n' | |
| echo 'check histories related to rm/vm' | |
| find /home -type f -iname .*history -exec grep "rm\|mv" {} \; | |
| echo -e '-----------------------------------------------------\n' | |
| echo 'check syslog/authlog' | |
| cat /var/log/syslog | grep -n "rm\|mv" --color || echo 'nothing interesting =(' | |
| cat /var/log/auth.log | grep -n "rm\|mv" --color || echo 'nothing interesting =(' | |
| echo -e '-----------------------------------------------------\n' | |
| if [[ "ext2" =~ $(df -Th | awk '{print $2}' | grep ext) ]]; then | |
| echo 'check debugfs support----------' | |
| mount | grep debugfs | |
| if [ $? -eq 0 ]; then | |
| echo 'use debugfs to inspect' | |
| echo -e '-----------------------------------------------------\n' | |
| echo '1.find hardware disks' | |
| df / | awk '{if (NR!=1) print $1}' | |
| echo '2. run delfs to check removed files' | |
| for i in $(df / | awk '{if (NR!=1) print $1}'); do | |
| debugfs -R 'lsdel' $i | |
| done | |
| else | |
| echo 'debugfs does not supported =(----------' | |
| fi | |
| else | |
| echo 'ext 3/4 fs doesnot support lsdel command from debugfs to check removed files' | |
| fi | |
| ##################################stage 2###################### | |
| #If u know file name and set it as argument to script | |
| if [ ! -z "$1" ]; then | |
| echo 'seems u know file name!' | |
| echo 'use lsof to inspect, maybe file still used by some proc' | |
| echo -e '-----------------------------------------------------\n' | |
| find /proc/*/fd -ls | grep '(deleted)' | grep $1 | |
| [[ $? -eq 0 ]] && echo 'lets try to restore!)'; desc_path=$(find /proc/*/fd -ls | grep '(deleted)' | grep $1 | awk '{ print $11 }') || echo 'nothing interesting, sorry =(' | |
| cp $desc_path restored_file.log | |
| echo -e '-----------------------------------------------------\n' | |
| else | |
| echo 'inspect deleted files in procfs' | |
| find /proc/*/fd -ls | grep '(deleted)' | |
| echo -e '-----------------------------------------------------\n' | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment