Deleted files from linux using find and need to fix
I was trying to remove this trojan that copied itself across my system and after successfully seeing all instances of the trojan using
find / -name trojan
I then did
find / -delete -name trojan
and immediately started seeing "Operation not permitted" on files that were not related to the trojan, so I killed the command with Ctrl-C, but now I am having some problems.
From what I can tell, my important files are still there, and I haven't been able to figure out what it deleted. However, I cannot open a new terminal window; I get a message saying '/bin/bash' No such file or directory, even though the file explorer shows that bash is in /bin, as well as all the other bin files. Additionally, I still have a terminal open, but the only commands that work are the builtin ones (cd, echo, etc). If I try to do even ls, I get that /bin/ls cannot be found. Similarly, if I type any command that is not builtin I get the same message, but it tells me exactly where the file is (I can see it in explorer) but then says no such file or directory.
How can I recover from this? Is there a way to find out what my system is missing?
ubuntu files find data-recovery
asked Jan 23 '18 at 23:57 by fjames003
edited Jan 24 '18 at 0:42 by Jeff Schaller
5
You deleted essential files, there is no incantation that will bring them back. Backup what you need if it is still there and reinstall the system.
– Rui F Ribeiro
Jan 24 '18 at 0:03
@RuiFRibeiro you don't think I could boot from a live usb and install essential files, any command that was running is still running so I know commands work, they just aren't linked properly now. Anything that I have thought to check is still there.
– fjames003
Jan 24 '18 at 0:13
2
You're not supposed to put -delete in front of -name.
– Chai T. Rex
Jan 24 '18 at 0:14
1
@fjames003 too much work trying to recover the system, either restore it from backups or reinstall. No use crying over spilt milk.
– Rui F Ribeiro
Jan 24 '18 at 0:29
3
yes. find does things in the order they appear on the command line. by default, predicates are ANDed (-a) with previous predicates, but you can use -o to override that and OR them. You can also use parentheses (escaped in sh ( ... )) to control order of evaluation. find's command line is a fairly complex language and takes some getting used to. e.g. find / -delete -name trojan means "find everything under /, then delete all matches, then search for files with name trojan". find / -name trojan -delete means "find everything under / with name trojan and delete them".
– cas
Jan 24 '18 at 1:14
2 Answers
find / -delete -name trojan
attempted to delete all files on the root filesystem. The command you meant to use is
find / -name trojan -delete
Sorry to be the bearer of bad news but your system is FUBAR. You should boot up from a live CD, copy onto an external drive any important personal files that might have been left on the system, then do a fresh reinstall.
answered Jan 24 '18 at 8:23 by dr01
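The difference between the two commands in this answer and in cas's comment, reproduced in a throwaway directory as an added example (not part of the answer or the comments): find evaluates its expression left to right, so swapping -delete for -print in the exact command you intend to run shows what it would remove. The directory layout and the helper names (make_sandbox, files_left_after, dry_run, dry_run_count) are constructed for illustration.

```sh
#!/bin/sh
# Added example: every path below lives in a mktemp sandbox (constructed data).

# Build <sandbox>/root holding two files named "trojan" and three others.
make_sandbox() {
    sandbox=$(mktemp -d) || return 1
    mkdir -p "$sandbox/root/bin" "$sandbox/root/home/user"
    touch "$sandbox/root/bin/bash" "$sandbox/root/bin/ls" \
          "$sandbox/root/bin/trojan" \
          "$sandbox/root/home/user/notes.txt" \
          "$sandbox/root/home/user/trojan"
    printf '%s\n' "$sandbox"
}

# Run find on a fresh sandbox with the given expression and report how many
# regular files survive.
files_left_after() (
    sandbox=$(make_sandbox) || exit 1
    find "$sandbox/root" "$@" >/dev/null
    find "$sandbox" -type f | wc -l | tr -d ' '
    rm -rf "$sandbox"
)

# Dry run: same expression, but every -delete becomes -print. -depth is added
# because -delete implies it, so the listing order matches the real run.
dry_run() (
    dir=$1; shift
    n=$#
    while [ "$n" -gt 0 ]; do
        arg=$1; shift
        if [ "$arg" = "-delete" ]; then arg=-print; fi
        set -- "$@" "$arg"
        n=$((n - 1))
    done
    find "$dir" -depth "$@"
)

# Number of paths the given expression would remove from a fresh sandbox.
dry_run_count() (
    sandbox=$(make_sandbox) || exit 1
    dry_run "$sandbox/root" "$@" | wc -l | tr -d ' '
    rm -rf "$sandbox"
)

# -delete first: it is evaluated for every path, -name is tested afterwards.
printf 'files left, -delete -name trojan: %s\n' \
    "$(files_left_after -delete -name trojan)"
# -name first: -delete only runs for paths that passed the name test.
printf 'files left, -name trojan -delete: %s\n' \
    "$(files_left_after -name trojan -delete)"
# The dry run exposes the wrong order before anything is removed.
printf 'paths listed by dry run, -delete -name trojan: %s\n' \
    "$(dry_run_count -delete -name trojan)"
printf 'paths listed by dry run, -name trojan -delete: %s\n' \
    "$(dry_run_count -name trojan -delete)"
```

A dry run that lists directories and unrelated files is the signal that an action sits ahead of the tests meant to restrict it.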
I wrote a howto about how to recover from mass deleting files on a Linux system (when it was still just ext3). My method used information from the journal however, so in general it could only recover files that were recently (e.g. in the last week) accessed (which causes the update of access time and therefore a copy of the inode table to the journal), or whose inodes were in the same inode block as those of files recently accessed.
You can still find my howto here: http://carlowood.github.io/howto/undelete_ext3.html
In the meantime there have been written many tutorials and even YouTube vids on how to use ext3grep (use Google to search for them), and there is also a spin-off project for ext3 and ext4 that might be easier to use (I never looked at it, I have to admit), which you can find here: http://extundelete.sourceforge.net/
In all cases - after a mass deletion - you want to stop writing to your harddisk as soon as possible and preferably umount it - even just a shutdown. Although a shutdown and thus a clean umount of your harddisk risks overwriting data because it will write more to your disk, I think it is worth it because a cleanly umounted disk is easier to recover using this method. Immediately remounting the disk readonly followed by a shutdown might be the best option. After that you have to work from a live DVD to make a copy of your disk's image (using dd), or put the harddisk in another PC. Don't mount it again until you made a backup or recovered the deleted files.
answered Dec 20 '18 at 1:36, edited Dec 20 '18 at 1:42 by Carlo Wood
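The imaging step from this answer as an added example (not the answer author's code): copy the source with dd, confirm the copy is bit-identical, and make the image read-only so recovery tools work on it instead of the original disk. The function name image_and_verify is hypothetical, sha256sum from GNU coreutils is assumed to be available, and the demo images a constructed 1 MiB file where a real run from the live system would name the unmounted partition.

```sh
#!/bin/sh
# Added example. In a real recovery SRC is the unmounted partition, read from
# a live system, and IMG sits on a different physical drive.

# Copy SRC to IMG with dd, verify the copy by hash, then drop write permission.
# Prints the SHA-256 of the image so it can be recorded alongside it.
image_and_verify() (
    src=$1; img=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; exit 1; }
    # Never write over an existing image: it may be the only good copy.
    [ ! -e "$img" ] || { echo "refusing to overwrite $img" >&2; exit 1; }
    dd if="$src" of="$img" bs=65536 2>/dev/null || exit 1
    src_sum=$(sha256sum < "$src" | cut -d' ' -f1)
    img_sum=$(sha256sum < "$img" | cut -d' ' -f1)
    [ "$src_sum" = "$img_sum" ] || { echo "hash mismatch" >&2; exit 1; }
    chmod a-w "$img"
    printf '%s\n' "$img_sum"
)

# Demo on a constructed stand-in for the disk, so no root access is needed.
demo() (
    work=$(mktemp -d) || exit 1
    head -c 1048576 /dev/urandom > "$work/disk.bin"
    image_and_verify "$work/disk.bin" "$work/disk.img"
    rm -rf "$work"
)

printf 'image sha256: %s\n' "$(demo)"
```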