I have a Red Hat linux 7.2 installation which got hacked and it looks like the original init has been replaced. The date stamp on init is the day the httpd server stopped working and the system would no longer boot. Also, if I start up the system using "Linux Rescue" from the 1st CD-ROM, and then start init from the command line part of the message displayed is "Starting backdoor daemon" which leads me to believe that the system has been hacked.
I have tried just about everything and am unable to start the system. So I plan to format the hard drive and reinstall the system. However, I am trying to save all my data.
While the system was working, the hard drive (SCSI) had the following 3 partitions:
1. sda1: /boot
2. sda2: /
3. sda3: SWAP
The SWAP partition was 500 MB.
Using Disk Druid on the 1st CD-ROM I have now reformatted the sda3 partition and mounted it as /backup (ext3 file system) and I no longer have a SWAP partition. My intention in doing this is to transfer my data to the /backup partition, then format sda1, delete sda2 and in its place, create 2 new partitions one of which will be mounted as root "/" and the other as a SWAP partition. After reinstalling the system, I hope to then transfer my data from the /backup partition to the "/" partition.
Using "Linux Rescue" I get to the command prompt which is:
sh-2.05#
At this point I did: chroot /mnt/sysimage and the command prompt is now: / #
If I do ls -l at this point I see the /backup directory which was not there when I had a SWAP partition.
My question is: Is this "backup" directory actually on sda3 or is it on sda2 as it shows up in the directory listing of "/" which is on sda2. Before I format sda2, I just want to be sure that I don't destroy the "backup" directory.
If you want to re-assure yourself, run a plain "mount" command. This will tell you what partitions are mounted where.
You can also copy something over to the /backup , then unmount it with "umount /backup". "ls /backup" to make sure what you copied there isn't there after you unmounted. Re-mount the /backup, and ls again to make sure it's returned.
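As an added illustration of the check described in this reply (this is example code, not something posted in the thread), the script below does the same thing programmatically from a rescue shell: it tells whether a directory is the root of a separately mounted filesystem (the device number changes at a mount boundary) and reports which block device a path actually lives on by reading /proc/self/mounts, which is what the plain "mount" command prints. The device names in the usage comments (/dev/sda3, /backup) are taken from the thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread: decide whether a directory such as
# /backup is its own mounted filesystem or just an empty directory on the parent
# filesystem (which is what remains visible after "umount").

# Returns 0 if DIR is a mount point, 1 if it is an ordinary directory, 2 if it
# does not exist. Compares device numbers of DIR and DIR/..; a filesystem boundary
# changes the device number. The root of the whole tree is recognised by DIR and
# DIR/.. being the same inode. (Bind mounts of the same filesystem are not
# detected this way, since both sides share one device number.)
is_mount_point() {
    dir=$1
    [ -d "$dir" ] || return 2
    dev_self=$(stat -c %d "$dir")
    dev_parent=$(stat -c %d "$dir/..")
    ino_self=$(stat -c %i "$dir")
    ino_parent=$(stat -c %i "$dir/..")
    if [ "$dev_self" != "$dev_parent" ] || [ "$ino_self" = "$ino_parent" ]; then
        return 0
    fi
    return 1
}

# Prints "<source> <mountpoint>" for the filesystem that holds PATH, by picking the
# longest mount point in /proc/self/mounts that is a prefix of PATH. This is the
# same information "mount" shows, resolved for one path. PATH must be absolute.
filesystem_of() {
    path=$1
    best_mnt=""
    best_src=""
    while read -r src mnt _; do
        case "$mnt" in
            /) match=1 ;;
            *) case "$path" in
                   "$mnt"|"$mnt"/*) match=1 ;;
                   *) match=0 ;;
               esac ;;
        esac
        # ">=" so that a later mount on the same point (an over-mount) wins.
        if [ "$match" = 1 ] && [ ${#mnt} -ge ${#best_mnt} ]; then
            best_mnt=$mnt
            best_src=$src
        fi
    done < /proc/self/mounts
    echo "$best_src $best_mnt"
}

# Usage from the rescue shell, after "chroot /mnt/sysimage":
#   is_mount_point /backup && echo "/backup is a separate filesystem"
#   filesystem_of /backup        # prints e.g. "/dev/sda3 /backup" while mounted,
#                                # and "/dev/sda2 /" after "umount /backup"
```

Run filesystem_of before and after unmounting: while sda3 is mounted it reports /dev/sda3, and after "umount /backup" the same path resolves to the root filesystem on sda2, which is exactly the distinction the reply's copy/umount/ls test makes visible.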
Thanks Ranger Nemo. I followed your suggestions which are just perfect. However, I now have another related question.
I copied my data over to /backup and confirmed that it was in /backup by doing "ls /backup". Next, I unmounted /backup with "umount /dev/sda3".
Next at "/" I did "ls -l" and /backup was displayed. However, when I did "ls /backup", the directory was empty (presumably because it was unmounted.) So, if the directory was empty, why did it show up when I did "ls -l" at "/" ? Also at this stage I issued the command "mount" and /dev/sda3 was not displayed (as expected).
Next I tried to remount /dev/sda3 by doing "mount /dev/sda3" but I got the following message: "mount: can't find /dev/sda3 in /etc/fstab or /etc/mtab". However, when I did "mount backup" /dev/sda3 was remounted which I confirmed by doing a plain "mount". Also, all my data was now displayed in /backup. Could you please explain this apparent discrepancy?