在 CentOS、ext4 文件系统中,我有一个具有“extents”属性的文件,但我无法删除该文件
-------------e-- index.php
执行 rm -f 没有任何效果(我也没有收到任何错误消息)
我尝试使用 chattr 删除该属性,但是,正如文档所述,该属性不能用 chattr 删除。
我在互联网上找不到相关答案:只查到这个属性是什么,却没有说明如何删除这样的文件。
补充:strace rm -rf index.php 的跟踪输出
execve("/usr/bin/rm", ["rm", "-rf", "index.php"], 0x7ffeaa85f270 /* 23 vars */) = 0
brk(NULL) = 0x900000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbe0ed2e000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=44848, ...}) = 0
mmap(NULL, 44848, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fbe0ed23000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`&\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2156592, ...}) = 0
mmap(NULL, 3985920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbe0e740000
mprotect(0x7fbe0e904000, 2093056, PROT_NONE) = 0
mmap(0x7fbe0eb03000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7fbe0eb03000
mmap(0x7fbe0eb09000, 16896, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fbe0eb09000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbe0ed22000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbe0ed20000
arch_prctl(ARCH_SET_FS, 0x7fbe0ed20740) = 0
access("/etc/sysconfig/strcasecmp-nonascii", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/sysconfig/strcasecmp-nonascii", F_OK) = -1 ENOENT (No such file or directory)
mprotect(0x7fbe0eb03000, 16384, PROT_READ) = 0
mprotect(0x60d000, 4096, PROT_READ) = 0
mprotect(0x7fbe0ed2f000, 4096, PROT_READ) = 0
munmap(0x7fbe0ed23000, 44848) = 0
brk(NULL) = 0x900000
brk(0x921000) = 0x921000
brk(NULL) = 0x921000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=106172832, ...}) = 0
mmap(NULL, 106172832, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fbe081fe000
close(3) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
lstat("/", {st_mode=S_IFDIR|0555, st_size=4096, ...}) = 0
newfstatat(AT_FDCWD, "index.php", {st_mode=S_IFREG|0444, st_size=4532, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlinkat(AT_FDCWD, "index.php", 0) = 0
lseek(0, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
close(0) = 0
close(1) = 0
close(2) = 0
exit_group(0) = ?
+++ exited with 0 +++
strace unlink index.php 的跟踪输出
execve("/usr/bin/unlink", ["unlink", "index.php"], 0x7ffe5da1b8f8 /* 23 vars */) = 0
brk(NULL) = 0x25fe000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3f6d901000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=44848, ...}) = 0
mmap(NULL, 44848, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f3f6d8f6000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`&\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2156592, ...}) = 0
mmap(NULL, 3985920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3f6d313000
mprotect(0x7f3f6d4d7000, 2093056, PROT_NONE) = 0
mmap(0x7f3f6d6d6000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7f3f6d6d6000
mmap(0x7f3f6d6dc000, 16896, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3f6d6dc000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3f6d8f5000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3f6d8f3000
arch_prctl(ARCH_SET_FS, 0x7f3f6d8f3740) = 0
access("/etc/sysconfig/strcasecmp-nonascii", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/sysconfig/strcasecmp-nonascii", F_OK) = -1 ENOENT (No such file or directory)
mprotect(0x7f3f6d6d6000, 16384, PROT_READ) = 0
mprotect(0x605000, 4096, PROT_READ) = 0
mprotect(0x7f3f6d902000, 4096, PROT_READ) = 0
munmap(0x7f3f6d8f6000, 44848) = 0
brk(NULL) = 0x25fe000
brk(0x261f000) = 0x261f000
brk(NULL) = 0x261f000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=106172832, ...}) = 0
mmap(NULL, 106172832, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f3f66dd1000
close(3) = 0
unlink("index.php") = 0
close(1) = 0
close(2) = 0
exit_group(0) = ?
+++ exited with 0 +++
答案1
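“extents”(e)属性很可能只是一个误导线索:在 ext4 上,它只表示文件使用 extent 来映射磁盘块,并不会阻止删除。也许您确实删除了该文件,但它很快又被(恶意进程)重新创建,以至于您没有注意到删除其实已经生效?上面的跟踪输出也支持这一点:unlinkat() 和 unlink() 都返回 0,说明删除操作本身是成功的。可以在删除前后用 ls -i 比较 inode 号,确认文件是否被重新创建;再用 auditd 监视该路径(auditctl -w),找出是哪个进程在重新写入它。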