{"id":2196,"date":"2017-12-07T13:00:51","date_gmt":"2017-12-07T13:00:51","guid":{"rendered":"http:\/\/www.scmgalaxy.com\/tutorials\/?p=2196"},"modified":"2020-01-09T09:45:38","modified_gmt":"2020-01-09T09:45:38","slug":"recovering-a-recently-opended-deleted-files","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/recovering-a-recently-opended-deleted-files\/","title":{"rendered":"Recovering Recently Opened Deleted Files"},"content":{"rendered":"<p><strong>rajeshkumar created the topic: Recovering Recently Opened Deleted Files<\/strong><br \/>\nBy using lsof, you can recover a deleted file that a running process still has open. This comes in very handy when an attacker gains access to a system, executes commands or makes configuration changes, and then removes the log file(s) to erase evidence. A sysadmin can use this method to recover files that some process still has open, to check what the attacker has changed.<\/p>\n<p>lsof (list open files) is the command used for this:<\/p>\n<p>lsof | grep \"syslog\" (lists the processes that have this file open)<\/p>\n<p>rsyslog\t998\troot\t1w\tREG\t8,3\t141400\t1237857\t\/var\/log\/syslog<\/p>\n<p>Here process 998 (the PID) has the file &#8216;\/var\/log\/syslog&#8217; open on file descriptor 1 (&#8216;1w&#8217;, open for writing).<\/p>\n<p>To recover the content of the file, run the following command:<\/p>\n<p>cat \/proc\/998\/fd\/1 > syslog.safe<\/p>\n<p>The content of the file is now stored in syslog.safe.<br \/>\nRegards,<br \/>\nRajesh Kumar<br \/>\nTweet me @ <a href=\"http:\/\/twitter.com\/RajeshKumarIn\" target=\"_blank\" rel=\"noopener\">twitter.com\/RajeshKumarIn<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>rajeshkumar created the topic: Recovering a Recently opened deleted files Recovering a Recently opened deleted files By using lsof, you can recover a deleted file that was opened 
already. This&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[454],"tags":[458],"class_list":["post-2196","post","type-post","status-publish","format-standard","hentry","category-shell-script","tag-recently"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/2196","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=2196"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/2196\/revisions"}],"predecessor-version":[{"id":2197,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/2196\/revisions\/2197"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=2196"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=2196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=2196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}