Posts Tagged Linux

Finding deleted files in Linux (when an app is still running holding them open)

Posted by on Wednesday, 30 November, 2011

Sometimes files gets deleted accidentally, whilst they are still running. This also applies to things like flash videos or other things, usually temporary files or even when a server is exploited.
Sometimes you want to keep those files right? but they are deleted! but how can they be running when they are deleted?
This is what /proc is all about. Its a neat way of keeping track of information like file descriptors for each PID.
So, everyone knows what ps does, it shows you whats running .. like this

www-data 4146 2.0 2.9 62088 28292 ? S 00:00 0:02 \_ /usr/sbin/apache2 -k start
www-data 5287 0.0 0.4 42072 4536 ? S 00:01 0:00 \_ /usr/sbin/apache2 -k start
1005 27387 1.9 0.5 7940 5576 ? S Nov28 9:31 perl

Oh wait, what is that thing called ‘perl’ ? This is an example from a hacked box. I knew the application was not called ‘perl’, and since it had been sending spam i knew it was probably a bad file.
So, i wanted to find what files were open by the pid 27387 – i installed and used ‘lsof’ which gives an ls of open files.

# lsof -p 27387
perl 27387 ausername cwd DIR 202,1 4096 476065 /tmp
perl 27387 ausername rtd DIR 202,1 4096 2 /
perl 27387 ausername txt REG 202,1 1254016 100305 /usr/bin/perl
perl 27387 ausername mem REG 202,1 75472 344738 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 21976 344867 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 42504 344774 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 38444 345027 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 87804 344872 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 30436 344758 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 19816 181707 /usr/lib/perl/5.10.0/auto/Socket/
perl 27387 ausername mem REG 202,1 38296 345032 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 1450372 344746 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 116294 345030 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 149328 344754 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 9676 345034 /lib/i686/nosegneg/
perl 27387 ausername mem REG 202,1 117348 344891 /lib/
perl 27387 ausername 0r CHR 1,3 0t0 197031 /dev/null
perl 27387 ausername 1w CHR 1,3 0t0 197031 /dev/null
perl 27387 ausername 2w CHR 1,3 0t0 197031 /dev/null
perl 27387 ausername 3r REG 202,1 14782 2872816 /tmp/ (deleted)
perl 27387 ausername 4wW REG 202,1 0 2872817 /tmp/…

Edit: You can use lsof +L1 -p pid/27387 to only show deleted items – thanks Jeffrey Caughel

Sorry for verbosity there, but its required. Ok, now you can see the line that has (deleted) – this is what we want. The 4th line over tells me its using the file descriptor 3 (ignore the r after it for now)

So to access that file, i look at /proc/27387/fd/3 – often its best to copy that file elsewhere before it gets deleted (ie if program is closed). The first number is the pid, the fd is the file descriptor , and the last is the script itself which was deleted – in this case a spaming perl script.
Now i knew what that script did, it was not touching the filesystem just sending spam, so i knew it was safe to kill it.
This is also handy for saving youtube videos or when you accidentally rm -rf /etc or /bin when things are still running ๐Ÿ™‚

Remote printing at home via DropBox

Posted by on Sunday, 26 June, 2011

So, i want to often print things, however rarely am i at home to print, and by the time i get there i forget entirely about it. This is something i did one sunday evening to get printing on pretty much every device in the house to my home printer, at home or at work, or even on the road!

First of all, i setup myself a dropbox account (which is free). This is a file sharing ‘cloud’ style service which is fairly well known and popular.
I installed dropbox on my phone, my iPod touch, Work PC, Home Laptops or other computers and pretty much everything that supported it.

I used these Step by Step instructions to set it up on my gateway (which also has the printer attached) via a command line interface

Once i had it mounted on the gateway/printing box, i ran the following commands

cd ~/Dropbox/
mkdir printer
cd printer
mkdir new done

This gives me a directory structure to work with for printing. The idea was to have a script poll the ‘new’ directory, and anything in there got sent to the printer, then moved to the ‘done’ directory. Should it not print correctly i can grab it from the done dir and retry later on.
I wrote a script named ‘’ and looked like this

for file in `ls /home/velofille/Dropbox/printer/new/`
do lp -d laser /home/velofille/Dropbox/printer/new/$file  | mail -s "Print Job"
mv /home/velofille/Dropbox/printer/new/$file /home/velofille/Dropbox/printer/done/
chmod +x

I ran a few tests to make sure this worked ok, and sorted out a few printer driver errors. Once i had that working nicely, i added the pipe to my email address so i could confirm it printed (and any errors), then setup a crontab
*/5 * * * * /home/velofille/Dropbox/printer/ >/dev/null 2>&1

That’s pretty much it in a nutshell, not overly complex or hard, the main thing will be making sure the Dropbox stays up and going.
To do this, i have the following shell script called

if ! ps ax | grep -v grep | grep $SERVICE > /dev/null
/home/velofille/.dropbox-dist/dropbox &
echo "$SERVICE is not running! Had to restart it" | mail -s "$SERVICE down"
chmod +x

I then also put another crontab exactly the same as the printer one to run this

*/5 * * * * /home/velofille/bin/ >/dev/null 2>&1

Now i can print from pretty much anywhere in the world by simply dropping a file into a dropbox directory , then have an emailed report when that printed!

Virtual Hosting Hosting for the new sysadmin – Apache – Postfix

Posted by on Wednesday, 23 June, 2010

We have some users who own servers who dont want to fork out for automated systems like Plesk or Virtualmin, but don’t really want to deal with adding domains and email addresses all the time (and sometimes get lost)

I decided today after one such user emailed us to add another 3 domains and bunch of email addresses to write something simple to help him out, and thought I would share them with you.

I put the following in a plain text file in /root/

if [ ! $1 ];then
echo "Usage: $0"
exit 0
echo Adding the virtualhost to apache
cat >/tmp/httpd.tmp < < EOF
<VirtualHost *:80>
DocumentRoot /var/www/CHANGEME/html
ServerAlias www.CHANGEME
<directory "/var/www/CHANGEME">
allow from all
Options +Indexes
cat /tmp/httpd.tmp | sed s/CHANGEME/$1/g >> /etc/httpd/conf/httpd.conf
echo Making the directory at /var/www/$1
mkdir -p /var/www/$1/html
echo reloading apache
/etc/init.d/httpd reload
echo Adding domain to mail
echo $1 /etc/postfix/virtual_domain # this was his postfix virtual domain name list

Then run

chmod +x

Now I can add domains like this very easily

[root@hostname ~]# ./
Usage: ./
[root@hostname ~]# ./
Adding the virtualhost to apache
Making the directory at /var/www/
reloading apache
Reloading httpd:                                           [  OK  ]
Adding domain to mail
[root@hostname ~]#

Please note: do not add the โ€˜wwwโ€™ part onto the domain name. That is done in the script itself where required.

Since he had set up virtual hosting in postfix, i then created another text file at /root/ โ€“ this was so he could add email addresses easily and quickly. The contents were

if [ ! $2 ]; then
echo "Usage: $0 [username|destination] emailaddress"
exit 0
if [ -z $(echo $1 | grep @) ];then
echo Looks like a username to me, adding the user
adduser -s /sbin/nologin $1
passwd $1
echo Looks like a redirect off site, adding it as such
echo Adding the email address
echo $2  $1 >> /etc/postfix/virtual
echo Running postmap
postmap /etc/postfix/virtual
echo Reloading postfix
/etc/init.d/postfix restart

Again i run the chmod on it

chmod +x

This is how I can use it

[root@hostname ~]# ./
Usage: ./ [username|destination] emailaddress 
[root@hostname ~]# ./ julie.domain
Looks like a username to me, adding the user
Changing password for user julie.domain.
New UNIX password:
BAD PASSWORD: it is too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Adding the email address
Running postmap
Reloading postfix
Shutting down postfix:                                     [  OK  ]
Starting postfix:                                          [  OK  ]
[root@hostname ~]#

Or I can use it to create an off site alias

[root@hostname ~]# ./
Looks like a redirect offsite, adding it as such
Adding the email address
Running postmap
Reloading postfix
Shutting down postfix:                                     [  OK  ]
Starting postfix:                                          [  OK  ]
[root@hostname ~]#

These were designed/written for Centos/RedHat based systems, let me know if you want it for Debian/Ubuntu based ones. Also, strictly speaking, things don’t need to be restarted, but it doesnโ€™t hurt and is a good way of testing things work ok.
There is no error checking in either of these scripts, feel free to contribute patches/fixes ๐Ÿ™‚