Author Archive

Finding deleted files in Linux (when an app is still running holding them open)

Posted by on Wednesday, 30 November, 2011

Sometimes files get deleted accidentally while a running program still has them open. This applies to things like Flash videos and other (usually temporary) files, and also to cases where a server has been exploited.
Sometimes you want to keep those files, right? But they are deleted! So how can they still be in use when they are deleted?
Deleting a file only removes its name from the directory; the data stays around until the last process holding it open closes it. This is what /proc is all about. It's a neat way of keeping track of information like the file descriptors for each PID.
Everyone knows what ps does: it shows you what's running, like this:

www-data 4146 2.0 2.9 62088 28292 ? S 00:00 0:02 \_ /usr/sbin/apache2 -k start
www-data 5287 0.0 0.4 42072 4536 ? S 00:01 0:00 \_ /usr/sbin/apache2 -k start
1005 27387 1.9 0.5 7940 5576 ? S Nov28 9:31 perl

Oh wait, what is that thing called ‘perl’? This is an example from a hacked box. I knew the application was not called ‘perl’, and since it had been sending spam I knew it was probably a bad file.
So I wanted to find which files were open by PID 27387. I installed and used ‘lsof’, which gives an ls of open files.

# lsof -p 27387
perl 27387 ausername cwd DIR 202,1 4096 476065 /tmp
perl 27387 ausername rtd DIR 202,1 4096 2 /
perl 27387 ausername txt REG 202,1 1254016 100305 /usr/bin/perl
perl 27387 ausername mem REG 202,1 75472 344738 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 21976 344867 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 42504 344774 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 38444 345027 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 87804 344872 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 30436 344758 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 19816 181707 /usr/lib/perl/5.10.0/auto/Socket/
perl 27387 ausername mem REG 202,1 38296 345032 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 1450372 344746 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 116294 345030 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 149328 344754 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 9676 345034 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 117348 344891 /lib/
perl 27387 ausername 0r CHR 1,3 0t0 197031 /dev/null
perl 27387 ausername 1w CHR 1,3 0t0 197031 /dev/null
perl 27387 ausername 2w CHR 1,3 0t0 197031 /dev/null
perl 27387 ausername 3r REG 202,1 14782 2872816 /tmp/ (deleted)
perl 27387 ausername 4wW REG 202,1 0 2872817 /tmp/…

Edit: You can use lsof -a +L1 -p 27387 to show only the deleted items for that PID (-a ANDs the two selections; without it lsof lists anything matching either one) – thanks Jeffrey Caughel

Sorry for the verbosity there, but it's required. Now you can see the line that has (deleted); this is the one we want. The 4th column tells me it's using file descriptor 3 (ignore the r after it for now).

So to access that file, I look at /proc/27387/fd/3. It's often best to copy that file elsewhere before it really goes away (i.e. when the program is closed). In that path, the first number is the PID, fd is the file descriptor directory, and the last number is the descriptor for the script itself which was deleted, in this case a spamming Perl script.
Now I knew what that script did: it was not touching the filesystem, just sending spam, so I knew it was safe to kill it.
This is also handy for saving YouTube videos, or when you accidentally rm -rf /etc or /bin while things are still running 🙂
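
The /proc/PID/fd lookup described above, turned into a small script that lists every deleted-but-open file for a PID and copies each one out before the process exits. This is an added example, not code from the original post; the function names and the output file naming are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Function names and the output
# file layout are assumptions made for illustration.

# is_deleted_fd FDPATH: succeeds if /proc/PID/fd/N points at an unlinked file.
# Sets $target to the link text as a side effect.
is_deleted_fd() {
    target=$(readlink "$1" 2>/dev/null) || return 1
    case $target in
        /*" (deleted)") ;;          # the kernel appends this to unlinked paths
        *) return 1 ;;              # sockets, pipes, files that still have a name
    esac
    # A live file can be named "x (deleted)"; a link count of 0 settles it.
    [ "$(stat -L -c %h "$1" 2>/dev/null)" = 0 ]
}

# list_deleted_fds PID: print "FD ORIGINAL-PATH" for each deleted open file.
list_deleted_fds() {
    for fd in /proc/"$1"/fd/*; do
        if is_deleted_fd "$fd"; then
            printf '%s %s\n' "${fd##*/}" "${target% (deleted)}"
        fi
    done
}

# recover_deleted_fds PID OUTDIR: copy each deleted file out of /proc while
# the process is still alive; prints how many files were saved.
recover_deleted_fds() {
    pid=$1; out=$2; count=0
    mkdir -p "$out" || return 1
    for fd in /proc/"$pid"/fd/*; do
        is_deleted_fd "$fd" || continue
        name=${target% (deleted)}
        # cp follows the /proc link to the inode, so the content is still readable
        if cp "$fd" "$out/pid${pid}_fd${fd##*/}_${name##*/}"; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}
```

Run it as root or as the user that owns the process, and copy the files out before killing the process, since the data is gone once the last descriptor closes.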

Remote printing at home via DropBox

Posted by on Sunday, 26 June, 2011

I often want to print things, but I am rarely at home to print, and by the time I get there I have forgotten entirely about it. This is something I did one Sunday evening to get printing working from pretty much every device in the house to my home printer, whether at home, at work, or even on the road!

First of all, I set up a Dropbox account (which is free). This is a file-sharing ‘cloud’-style service which is fairly well known and popular.
I installed Dropbox on my phone, my iPod touch, work PC, home laptops and other computers, and pretty much everything that supported it.

I used these step-by-step instructions to set it up on my gateway (which also has the printer attached) via a command-line interface.

Once I had it mounted on the gateway/printing box, I ran the following commands:

cd ~/Dropbox/
mkdir printer
cd printer
mkdir new done

This gives me a directory structure to work with for printing. The idea was to have a script poll the ‘new’ directory; anything in there gets sent to the printer, then moved to the ‘done’ directory. Should it not print correctly, I can grab it from the done dir and retry later on.
I wrote a script named ‘’ that looked like this:

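MAILTO="you@example.com"  # placeholder: the recipient address is not shown on the page
for file in /home/velofille/Dropbox/printer/new/*
do
  [ -f "$file" ] || continue  # skip the unexpanded glob when new/ is empty
  lp -d laser "$file" 2>&1 | mail -s "Print Job" "$MAILTO"  # mail lp's output as the print report
  mv "$file" /home/velofille/Dropbox/printer/done/
done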
chmod +x

I ran a few tests to make sure this worked OK, and sorted out a few printer driver errors. Once I had that working nicely, I added the pipe to my email address so I could confirm it printed (and see any errors), then set up a crontab:
*/5 * * * * /home/velofille/Dropbox/printer/ >/dev/null 2>&1

That’s pretty much it in a nutshell. It's not overly complex or hard; the main thing is making sure Dropbox stays up and running.
To do this, I have the following shell script called

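SERVICE=dropbox  # assumed: the line defining SERVICE is missing from the page
MAILTO="you@example.com"  # placeholder: the recipient address is not shown on the page
if ! ps ax | grep -v grep | grep "$SERVICE" > /dev/null
then
  /home/velofille/.dropbox-dist/dropbox &
  echo "$SERVICE is not running! Had to restart it" | mail -s "$SERVICE down" "$MAILTO"
fi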
chmod +x

I then added another crontab entry, exactly the same as the printer one, to run this:

*/5 * * * * /home/velofille/bin/ >/dev/null 2>&1

Now I can print from pretty much anywhere in the world by simply dropping a file into a Dropbox directory, and then get an emailed report when it has printed!

Finding and deleting duplicate files

Posted by on Wednesday, 20 October, 2010

Okay, so you have a huge pile of mp3s and somehow managed to copy them repeatedly somewhere, and now only want one copy of each? (Hey! I do this all the time, copying them from machine to machine!)
The best way to check that they are “identical” is with md5sum. This is how I deal with my problem.

find ./ -type f ! -name md5list | while IFS= read -r file ; do md5sum "$file" >> md5list ; done # this gives me a file called md5list with all the filenames and their md5sum
awk '{print $1}' md5list | sort | uniq -d > duplist # this lists each md5sum that occurs more than once
for i in $(cat duplist) ; do grep "^$i" md5list | sed "1d" | sed "s/^$i  //" >> rmlist ; done # this outputs a list of files minus the first/top one so we are still left with one copy
mkdir -p bin ; while IFS= read -r line ; do echo "removing $line" ; mv "$line" bin/ ; done < rmlist # this moves them all to a dir called bin/ which you can remove later
echo "check bin/ for any files you accidentally deleted" # letting you know the above!

You probably want to remove the files md5list, duplist and rmlist after you are done 🙂