Recovering deleted files from the open file handles
Posted by Marius Voila on January 11, 2012 in London, U.K.
On compromised servers it is very common for the exploit to delete itself and its logs to hide its presence.
Even though the executable may have been removed from the filesystem, because the process is forked from apache2 the parent process will still have the file handles open.
This allows you to recover the log files and executables, as long as you do not kill the process.
To recover the files use the following steps:
- Find the PID of the process with the open file handles (use lsof).
- cd /proc/<PID>/fd, where <PID> is the PID you found using lsof above.
- ls -lra and you should see a load of broken symlinks (red); their targets are shown with a trailing "(deleted)" marker.
- Copy the file using cp into another directory.
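The same steps as a small POSIX shell helper, added here as an example and not part of the original post: it walks /proc/<PID>/fd, picks the links whose target carries the "(deleted)" marker, and copies each one out through the descriptor while the process still holds it open. The function name recover_deleted_fds and the output file naming are my own choices.

```shell
#!/bin/sh
# recover_deleted_fds PID OUTDIR
# Scans /proc/PID/fd for descriptors whose symlink target ends in
# "(deleted)" (the "broken" red links from ls -l) and copies each one
# into OUTDIR while the process still has it open.
# Returns 0 if at least one file was recovered, 1 otherwise.
recover_deleted_fds() {
    pid="$1"
    outdir="$2"
    recovered=0
    mkdir -p "$outdir" || return 1
    for fd in /proc/"$pid"/fd/*; do
        # sockets, pipes and live files never carry the marker
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                # original basename without the " (deleted)" marker
                name=$(printf '%s\n' "$target" | sed -e 's/ (deleted)$//' -e 's#.*/##')
                fdnum=${fd##*/}
                # cp opens the magic link, so the kernel hands us the
                # still-open inode even though its path is gone
                if cp "$fd" "$outdir/fd$fdnum-$name"; then
                    echo "recovered fd $fdnum -> $outdir/fd$fdnum-$name ($target)"
                    recovered=$((recovered + 1))
                fi
                ;;
        esac
    done
    [ "$recovered" -gt 0 ]
}
```

Run it as `recover_deleted_fds <PID> /root/recovered` against the PID you found with lsof; it leaves the process running, so you can repeat it if a log is still being written to.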