Hi,

I have a Red Hat linux 7.2 installation which got hacked and it looks like the original init has been replaced. The date stamp on init is the day the httpd server stopped working and the system would no longer boot. Also, if I start up the system using "Linux Rescue" from the 1st CD-ROM, and then start init from the command line part of the message displayed is "Starting backdoor daemon" which leads me to believe that the system has been hacked.

I have tried just about everything and am unable to start the system. So I plan to format the hard drive and reinstall the system. However, I am trying to save all my data.

While the system was working, the hard drive (SCSI) had the following 3 partitions:

1. sda1: /boot
2. sda2: /
3. sda3: SWAP

The SWAP partition was 500 MB.

Using Disk Druid on the 1st CD-ROM I have now reformated the sda3 partition and mounted it as /backup (ext3 file system) and I no longer have a SWAP partition. My intention in doing this is to transfer my data to the /backup partition, then format sda1, delete sda2 and in its place, create 2 new partitions one of which will be mounted as root "/" and the other as a SWAP partition. After reinstalling the system, I hope to then transfer my data from the /backup partition to the "/" partition.

Using "Linux Rescue" I get to the command prompt which is:
sh-2.05#

At this point I did: chroot /mnt/sysimage and the command prompt is now: / #

If I do ls -l at this point I see the /backup directory which was not there when I had a SWAP partition.

My question is: Is this "backup" directory actually on sda3 or is it on sda2 as it shows up in the directory listing of "/" which is on sda2. Before I format sda2, I jsut want to be sure that I don't desctroy the "backup" directory.

Will appreciate help from any of you.

Thanks.

Rajan

If you want to re-assure yourself, run a plain "mount" command. This will tell you what partitions are mounted where.

You can also copy something over to the /backup , then unmount it with "umount /backup". "ls /backup" to make sure what you copied there isn't there after you unmounted. Re-mount the /backup, and ls again to make sure it's returned.

Thanks Ranger Nemo. I followed your suggestions which are just perfect. However, I now have nother related question.

I copied my data over to /backup and cofirmed that it was in /backup by doing "ls /backup". Next, I unmounted /backup with "umount /dev/sda3".

Next at "/" I did "ls -l" and /backup was displayed. However, when I did "ls /backup", the directory was empty (presumably because it was unmounted.) So, if the directory was empty, why did it show up when I did "ls -l" at "/" ? Also at this stage I issued the command "mount" and /dev/sda3 was not displayed (as expected).

Next I tried to remount /dev/sda3 by doing "mount /dev/sda3" but I got the following message: "mount: can't find /dev/sda3 in /etc/fstab or /etc/mtab". However, when I did "mount backup" /dev/sda3 was remounted which I confirmed my doing a plain "mount". Also, all my data was now displayed in /backup. Could you please explain this apparent discrepancy?

Thanks again.