2025-01-18 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article explains how to use the lsof command to recover logs that were deleted after a Linux system has been compromised. Many people run into this question in day-to-day operations, so the editor has consulted various sources and put together a simple, practical procedure. I hope it answers the question; follow along below.
Linux is the most common server operating system and, like any server platform, faces a large number of security incidents. Compared with Windows, Linux offers fine-grained access control and a comprehensive set of management tools, giving it high security and stability. After a Linux system is compromised, attackers often clear the system's logs to cover their tracks, including web access and error logs, the last (login) logs, the messages log, the secure log and so on. This makes later incident response and forensic analysis much harder, so recovering cleared logs is an important part of forensic work. The following case uses the lsof command to restore a log file and applies to most common log-recovery tasks.
I. Prerequisites
Do not shut down the server, and do not stop or restart the related services or processes. For example, to recover Apache's access log /var/log/httpd/access_log, you must not shut down or reboot the server, and you must not restart the httpd service: the deleted log survives only as long as a running process still holds it open.
II. Implementation process
1. Find the pid of the relevant process
The code is as follows:
[root@localhost ~]# lsof | grep access_log
httpd 1392 root 7w REG 253,0 0 263802 /var/log/httpd/access_log
httpd 7330 apache 7w REG 253,0 0 263802 /var/log/httpd/access_log
httpd 7331 apache 7w REG 253,0 0 263802 /var/log/httpd/access_log
httpd 7332 apache 7w REG 253,0 0 263802 /var/log/httpd/access_log
httpd 7333 apache 7w REG 253,0 0 263802 /var/log/httpd/access_log
httpd 7334 apache 7w REG 253,0 0 263802 /var/log/httpd/access_log
httpd 7335 apache 7w REG 253,0 0 263802 /var/log/httpd/access_log
httpd 7336 apache 7w REG 253,0 0 263802 /var/log/httpd/access_log
httpd 7337 apache 7w REG 253,0 0 263802 /var/log/httpd/access_log
Here we focus on the first four columns, which are the process name, the pid, the user and the file descriptor. The file descriptor is shown as 7w: 7 is the descriptor number and w means the file is open for writing. Remember the 7, because it is the name of the entry under /proc/<pid>/fd/ that we will read in the next step.
2. Retrieve the log
The code is as follows:
[root@localhost ~]# wc -l /proc/1392/fd/7
55 /proc/1392/fd/7
[root@localhost ~]# cat /proc/1392/fd/7 > /var/log/httpd/access_log
We first check the log content through /proc/1392/fd/7 with the wc or tail command (here it still holds 55 lines), and then write that content back to access_log with cat.
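The two steps above, put together as an added example that is not part of the original article: it locates open descriptors whose target the kernel reports as deleted and copies the data out to an evidence directory with a hash alongside, instead of writing straight over the original path. It assumes a Linux /proc, readlink(1) and sha256sum(1); lsof is not required, because the " (deleted)" suffix that readlink returns on /proc/PID/fd/N is the same marker lsof prints in its NAME column. The function names find_deleted_fds and recover_fd, the evidence directory layout and the sample log lines in the usage part are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes Linux /proc,
# readlink(1) and sha256sum(1). Function names are hypothetical.

# Print "pid fd original_path" for every open descriptor whose target the
# kernel marks " (deleted)". An optional argument filters on a substring of
# the original path (e.g. "access_log"). Descriptors of processes we may not
# inspect, or that exit while we scan, are skipped silently.
find_deleted_fds() {
    pattern="${1:-}"
    for fdlink in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fdlink" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") ;;
            *) continue ;;
        esac
        case "$target" in
            *"$pattern"*) ;;
            *) continue ;;
        esac
        pid=${fdlink#/proc/}; pid=${pid%%/*}
        fd=${fdlink##*/}
        printf '%s %s %s\n' "$pid" "$fd" "${target% (deleted)}"
    done
}

# Copy /proc/PID/FD to an evidence directory (never over the original path,
# so the copy cannot be confused with a fresh file), record a SHA-256 hash
# next to it, and print the destination path.
recover_fd() {
    pid=$1; fd=$2; outdir=$3
    src="/proc/$pid/fd/$fd"
    mkdir -p "$outdir" || return 1
    dest="$outdir/pid${pid}_fd${fd}.recovered"
    if ! cat "$src" > "$dest"; then
        echo "cannot read fd $fd of pid $pid (process gone or no permission)" >&2
        rm -f "$dest"
        return 1
    fi
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$dest" > "$dest.sha256"
    fi
    printf '%s\n' "$dest"
}

# Usage on a live system (constructed example of the article's case):
#   find_deleted_fds access_log        # -> "1392 7 /var/log/httpd/access_log"
#   recover_fd 1392 7 /root/evidence   # -> /root/evidence/pid1392_fd7.recovered
```

Two caveats the procedure depends on. First, the data exists only while the holding process lives, which is why the prerequisite forbids stopping or restarting httpd. Second, writing the copy back to /var/log/httpd/access_log creates a new inode; httpd keeps appending to the deleted inode until it reopens its log files (for Apache, a graceful restart or reload), so new requests continue to appear under /proc/<pid>/fd/7 rather than in the restored file until then.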
This concludes the study of how to use the lsof command to recover deleted logs after a Linux system has been compromised. I hope it has answered your questions; combining theory with practice is the best way to learn, so go and try it.