LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-18-2007, 04:32 PM   #1
andyarchy
LQ Newbie
 
Registered: Apr 2007
Distribution: Ubuntu
Posts: 4

Rep: Reputation: 0
My server appears to have been hacked, advice needed.


I was experiencing some strange problems with my server today, so I restarted (something I am not used to having to do with Linux.) When Ubuntu started booting, it suddenly stopped and gave me a command line that looked very different from the terminal window I am used to. At this point I was very suspicious, so I started browsing around. I opened the /usr directory and there was only a folder called "lib", and the folders for the normal users were gone. I opened this folder and inside was a folder called "usplash", which has a file inside called "usplash-artwork.so". Almost everything on the hard drive is gone, and in the /var folder as well as almost every folder, there is just another folder called "lock". I am really confused as to why my server was hacked, as well as how the person did it (if it wasn't hacked then I am even more confused.) The server had only been up for 2 days and no popular web sites were hosted on it. Any help would be appreciated, as I don't want this to happen again. I haven't formatted the system yet, in case some of the files might be useful in helping me figure out what happened.

Thanks in advance for any help,

andyarchy

Last edited by andyarchy; 04-18-2007 at 04:36 PM.
 
Old 04-18-2007, 04:57 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Are you getting any kind of errors displayed on the screen during the boot process that might suggest it's a hardware failure or filesystem corruption? Try booting using the installation CDs and see if it can identify the Linux install.

Also could you describe some of the "problems" that you experienced before rebooting?
 
Old 04-18-2007, 05:10 PM   #3
andyarchy
LQ Newbie
 
Registered: Apr 2007
Distribution: Ubuntu
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks for the fast reply,

The message I get when booting up is:

"BusyBox v1.01 (Debian 1:1.01-4ubuntu3) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/bin/sh: can't access tty; job control turned off"

Before I restarted, the strange things started happening in the GUI (I was using the GUI for a few minutes because I am somewhat new to Linux.) Pictures were disappearing, programs started running very slow, and normal commands such as "apt-get" weren't working.

-andyarchy

Last edited by andyarchy; 04-18-2007 at 05:21 PM.
 
Old 04-18-2007, 05:49 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Are there any other messages displayed when the system is booting?

What were you doing prior to the system acting weird? Did you modify anything or change any configs?
 
Old 04-18-2007, 06:09 PM   #5
andyarchy
LQ Newbie
 
Registered: Apr 2007
Distribution: Ubuntu
Posts: 4

Original Poster
Rep: Reputation: 0
There are no other messages when booting. Prior to the problems, I was just sitting down to the computer and opening the terminal. I didn't type any commands (in fact I had just gotten home from school at the time) and everything was working fine in the morning when I left.
 
Old 04-18-2007, 07:59 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Yeah, I would definitely try to reboot using your install CDs and go into repair mode. From there you can try to find any linux installations already on the disk and repair them if necessary. If the filesystem was hosed by an attacker, then it's unlikely that there is really going to be any evidence to try to find, unless you recovered the deleted filesystem off the disk but that is a fairly complex procedure that is not particularly user friendly. I think a hardware (disk) failure or filesystem corruption is equally as likely as a hack (if not more so).
 
Old 04-18-2007, 08:17 PM   #7
chrisortiz
Member
 
Registered: Nov 2005
Distribution: Slackware, and of course the super delux uber knoppix universal live recovery cd
Posts: 429

Rep: Reputation: 30
try rebuilding the partition
Code:
fsck.reiserfs --rebuild-tree /dev/hda1
 
Old 04-18-2007, 08:27 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
it sounds like you might have been dropped to an initial ramdisk's shell... this would explain why all your stuff seemed to be gone... maybe check to see what "df -hT" shows to verify you are on the filesystem you think you are in... that said, there's a thread here with several accounts of the same issue on ubuntu... it seems to me like at least 2 people were able to fix this by editing their /boot/grub/menu.lst file (the idea being that it was automatically edited in an erroneous manner by an apt-get upgrade or something of that nature)...

Last edited by win32sux; 04-18-2007 at 08:30 PM.
 
Old 04-19-2007, 04:13 AM   #9
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
I see nothing strange. As Win32sux said, you are in your initramfs so it is not your hard disk that you see, just an archive containing the minimal things for /sbin/init to run.
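The check win32sux and nx5000 describe (is this shell running on the real root disk, or inside the initramfs?) can be done mechanically from /proc/mounts. The script below is an added example, not from any poster in this thread; the two /proc/mounts samples are constructed, and the device name /dev/hda1 is assumed from chrisortiz's post.

```shell
#!/bin/sh
# Added example: decide from /proc/mounts-style text whether the shell you landed
# in sits on the real root filesystem or inside an initramfs. In an initramfs the
# only entry for "/" is the kernel's "rootfs" pseudo-filesystem; on a normally
# booted system the last entry for "/" is a real block device under /dev.

# Usage: classify_root "<contents of /proc/mounts>"
# Prints "initramfs" or "disk:<device> type:<fstype>".
classify_root() {
    mounts="$1"
    # The last line whose mount point (field 2) is exactly "/" is what is visible as /.
    root_line=$(printf '%s\n' "$mounts" | awk '$2 == "/" { line = $0 } END { print line }')
    dev=$(printf '%s\n' "$root_line" | awk '{ print $1 }')
    fstype=$(printf '%s\n' "$root_line" | awk '{ print $3 }')
    case "$dev" in
        /dev/*) printf 'disk:%s type:%s\n' "$dev" "$fstype" ;;
        *)      printf 'initramfs\n' ;;
    esac
}

# Constructed sample: what /proc/mounts looks like from the BusyBox rescue shell
# (only rootfs, proc and sysfs are mounted; the disk has not been mounted on /).
SAMPLE_INITRAMFS='rootfs / rootfs rw 0 0
none /proc proc rw 0 0
none /sys sysfs rw 0 0'

# Constructed sample: a normally booted system whose root is /dev/hda1 (assumed device).
SAMPLE_DISK='rootfs / rootfs rw 0 0
/dev/hda1 / ext3 rw,errors=remount-ro 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0'

# When run directly on a live system, report what the current shell is sitting on.
if [ -r /proc/mounts ]; then
    classify_root "$(cat /proc/mounts)"
fi
```

An "initramfs" result means the missing directories are expected: the real disk is simply not mounted yet, and nothing can be concluded about a compromise until it is.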
 
Old 04-19-2007, 08:41 AM   #10
Road_map
Member
 
Registered: Jan 2007
Distribution: Slackware
Posts: 341

Rep: Reputation: 31
Did you play with USplash before that error? Try running
Code:
sudo update-alternatives --config usplash-artwork.so
 
Old 04-19-2007, 03:02 PM   #11
andyarchy
LQ Newbie
 
Registered: Apr 2007
Distribution: Ubuntu
Posts: 4

Original Poster
Rep: Reputation: 0
The command prompt I get doesn't recognize the sudo command, or any of the other commands that have been suggested to me as part of a fix. At this point I'm not worried about fixing the problem, just preventing it from happening again (I'm just going to reformat since I was planning on moving to a different hard drive anyways.) Also, after I format should I use Ubuntu 6.06 again or is it worth the download to use the new 7.04?

Thanks again for the help,
andyarchy

Last edited by andyarchy; 04-19-2007 at 03:04 PM.