Recovering deleted files from the handlers

Posted by Marius Voila on January 11, 2012 in London, U.K.

On compromised servers it is very common for the exploit to delete itself and its logs to hide its presence.

Even though the executable may have been removed from the filesystem, the process was forked from apache2, so the parent process will still have the file handles open.

This will allow you to recover log files/executables as long as you do not kill the process.
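As an added illustration (not code from the original post), the sketch below finds files that have been unlinked but are still held open by a process and copies them out through `/proc` without touching the process. It assumes Linux with `/proc` mounted and enough privilege to read the target's `fd` directory; the function names and output file layout are hypothetical.

```shell
#!/bin/sh
# Added example: recover unlinked-but-open files from a live process.
# Assumes Linux /proc; run as root to inspect other users' processes.

# list_deleted_fds PID
# Prints "<fd> <original path>" for every open file whose directory entry is
# gone. The kernel marks such links with a trailing " (deleted)".
list_deleted_fds() (
    pid=$1
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            # Leading "/" skips sockets, pipes and anon_inode entries.
            /*" (deleted)") printf '%s %s\n' "${fd##*/}" "${target% (deleted)}" ;;
        esac
    done
)

# recover_deleted_fds PID OUTDIR
# Copies each deleted file (and a deleted executable image, if any) into
# OUTDIR and records SHA-256 hashes for the evidence log.
recover_deleted_fds() (
    pid=$1 out=$2
    mkdir -p "$out" || exit 1
    list_deleted_fds "$pid" | while read -r fd path; do
        name="pid${pid}_fd${fd}_$(basename "$path")"
        # Opening /proc/PID/fd/N reads the inode the process still holds.
        cp "/proc/$pid/fd/$fd" "$out/$name" &&
            (cd "$out" && sha256sum "$name" >> SHA256SUMS)
    done
    # The binary itself stays readable via /proc/PID/exe after removal.
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe=
    case $exe in
        *" (deleted)")
            cp "/proc/$pid/exe" "$out/pid${pid}_exe" &&
                (cd "$out" && sha256sum "pid${pid}_exe" >> SHA256SUMS) ;;
    esac
)
```

Write the output directory to a different volume than the one under investigation, and leave the process running until the copies are verified.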

To recover the files use the following steps: