Old 05-06-2007, 04:22 AM   #1
ts4tomh
LQ Newbie
 
Registered: May 2007
Location: Oregon
Posts: 2

Rep: Reputation: 0
Problem mounting partitions on a Ghost copy of running system


I have inherited the task of maintaining a small mail/http server, and I'm not adept in Linux. We got hacked, and I need to restore some files. I think that's called baptism by fire, right?

There is a full copy of the disk image, on an identical hard drive, made using Ghost, which contains the files I need. When I plug the drive in as a secondary IDE device, seen at hdb, I can mount (to /mnt) hdb1 (containing /boot), hdb2 (containing /home), and hdb3 (containing /). The copy of /boot and /home show files, but when I mount the copy of /, ls shows no files present, even though df shows the partition as partly used.

I note that although /dev/hda3 is mounted as ext3, I get "wrong fs type" when I attempt to mount /dev/hdb3 as ext3. It loads as ext2 by default.

Where am I missing the boat? Do I fix this by adding records to /etc/fstab?

Humble thanks in advance....
 
Old 05-06-2007, 05:31 AM   #2
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 332
I will start by mentioning one item and then moving on. If you are not familiar with Linux then how do you know that your machine was hacked?

OK. Let's put that issue aside.

The next thing is that you say that your backups are made by using Norton Ghost. That product doesn't work on Linux.

OK. Let's put that issue aside as well.

It seems that you are mainly interested in mounting the partitions of the backup drive. The first thing is to be able to see what is already mounted. You use the mount command with no parameters to see what partitions are mounted.
Code:
mount
/dev/hda6 on / type ext3 (rw)
none on /proc type proc (rw)
none on /proc/bus/usb type usbfs (rw)
none on /sys type sysfs (rw)
/dev/hda5 on /var/sys.common type ext3 (rw,noexec)
/var/sys.common/tmp.loop on /tmp type ext3 (rw,noexec,loop=/dev/loop0)
/var/sys.common/var-tmp.loop on /var/tmp type ext3 (rw,noexec,loop=/dev/loop1)
/var/sys.common/folding-home.loop on /var/my.chroot type ext3 (rw,loop=/dev/loop2)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
/dev/mapper/truecrypt0 on /home type ext3 (rw,noexec,nosuid,sync)
Here you can see in the first line generated by the mount command that /dev/hda6 is mounted on / and that it has an ext3 file system and it is mounted read-write.

If I read your post correctly you are mounting each of the partitions of the backup drive to /mnt of the running system. Hopefully you are only mounting one partition at a time and you unmount one partition before you mount another. Technically speaking you don't have to unmount one partition before you mount another but let's keep things simple. Just to be sure we are talking about the same thing here is an example of a mount command.
Code:
mount /dev/hdb3 /mnt
That should work if there is a valid file system even if there is no entry in the running system's /etc/fstab file. If you want to add a line to /etc/fstab this would work for any file system.
Code:
/dev/hdb3 /mnt auto defaults 0 0
That line tells Linux to figure out what kind of file system is on the partition.

So now you have /dev/hdb3 mounted on /mnt. You want to see what is on the partition.
Code:
ls -la /mnt
You should see at least two lines. The first line just has a dot and the second line has two dots.
Code:
ls -la /mnt
total 4
drwx------   2 root root 1024 May  6 05:28 .
drwxr-x---  32 root root 3072 May  6 05:28 ..
Post back and let us know if this is what you have done and this is what you see. I just wanted to make sure that what you are doing and what you are seeing is what your post appears to say.

Last edited by stress_junkie; 05-06-2007 at 05:45 AM.
 
Old 05-06-2007, 06:30 AM   #3
ts4tomh
LQ Newbie
 
Registered: May 2007
Location: Oregon
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks for such a quick reply.

Quote:
If you are not familiar with Linux then how do you know that your machine was hacked?
I said I was not adept as opposed to not familiar. We were hacked because many files were overwritten with an HTML filled with links to some sports site in Turkey. And there is a significant item I neglected to mention: I am doing this through an SSH connection, because the login process is part of what was compromised by the hack. The hacker deleted /bin/login, as well as the entire log folder. Obviously I also haven't figured out what else in the login process was damaged, since local login still doesn't work. One thing at a time, I guess.

Quote:
The next thing is that you say that your backups are made by using Norton Ghost. That product doesn't work on Linux.
But a disk containing a Linux system can be copied by Ghost when it is plugged into a Windows system. That was what was done here, for some reason. The Ghost image was preserved on a backup machine, and Ghost Explorer can navigate the partitions and produce a list of the files.

Quote:
Here you can see in the first line generated by the mount command that /dev/hda6 is mounted on / and that it has an ext3 file system and it is mounted read-write.
And on our server, with what should be the / partition on the backup disk mounted to /mnt, I get this:

/dev/hda3 on / type ext3 (rw)
none on /proc type proc (rw)
usbdevfs on /proc/bus/usb type usbdevfs (rw)
/dev/hda1 on /boot type ext3 (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/hda2 on /home type ext3 (rw)
none on /dev/shm type tmpfs (rw)
/dev/hdb3 on /mnt type ext2 (rw)

"ls -la /mnt" reports no files at all. I must sleep now, so I will continue this tomorrow.

Thanks again for your quick reply.
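
Added example, not part of either poster's messages: a small shell check that reads `mount` output and reports the two things visible in the listing above, a backup-disk partition mounted read-write (a read-write mount can modify the copy you want to restore from) and a filesystem type that differs from the same-numbered partition on the live disk. The function names and the `hda`/`hdb` arguments are assumptions taken from the device names in this thread; the sample input is the listing quoted in the post.

```shell
#!/bin/sh
# Added example: audit `mount` output for partitions of a backup disk.
# Device names (hda = live disk, hdb = backup copy) follow the thread.

# Sample input: the mount listing quoted in the post above.
sample_mount_output() {
cat <<'EOF'
/dev/hda3 on / type ext3 (rw)
none on /proc type proc (rw)
usbdevfs on /proc/bus/usb type usbdevfs (rw)
/dev/hda1 on /boot type ext3 (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/hda2 on /home type ext3 (rw)
none on /dev/shm type tmpfs (rw)
/dev/hdb3 on /mnt type ext2 (rw)
EOF
}

# audit_backup_mounts LIVE BACKUP   (mount output on stdin)
# Prints one finding per line:
#   RW <dev> <mountpoint>             backup partition is mounted writable
#   FSTYPE <dev> <type> <live-type>   type differs from same-numbered live partition
audit_backup_mounts() {
    awk -v live="/dev/$1" -v bak="/dev/$2" '
    $2 == "on" && $4 == "type" {
        dev = $1; mp = $3; fstype = $5; opts = $6
        gsub(/[()]/, "", opts)                    # "(rw,noexec)" -> "rw,noexec"
        if (index(dev, live) == 1)                # remember live types by partition number
            livetype[substr(dev, length(live) + 1)] = fstype
        if (index(dev, bak) == 1) {               # collect backup partitions for END
            n++; bdev[n] = dev; bmp[n] = mp; btype[n] = fstype
            bro[n] = (("," opts ",") ~ /,ro,/)    # 1 only if "ro" is a whole option
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            part = substr(bdev[i], length(bak) + 1)
            if (!bro[i]) print "RW", bdev[i], bmp[i]
            if (part in livetype && livetype[part] != btype[i])
                print "FSTYPE", bdev[i], btype[i], livetype[part]
        }
    }'
}

# Stand-alone run on the sample; on a real system use: mount | audit_backup_mounts hda hdb
sample_mount_output | audit_backup_mounts hda hdb
```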
 
Old 05-06-2007, 08:15 PM   #4
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 332
Okay. I'm reading my Norton Ghost v9.0 User Manual. Page 16 says that NG supports Linux file systems ext2, ext3, and swap. I did not know that.

How are the backups made? Do you have Windows running as a virtual machine? Do you shut down Linux and start Windows to do your backups? Is the NG backup set to make a clone of the partition or an archive file? Check the backup settings.

I suspect that you are going to need to use NG to restore the files.

Last edited by stress_junkie; 05-06-2007 at 08:32 PM.
 
  

