LinuxQuestions.org
Old 06-13-2005, 09:03 PM   #1
ArenaKen
LQ Newbie
 
Registered: Jun 2005
Location: Canada
Posts: 2

Rep: Reputation: 0
Help Recovering Files?


Well, it looks like my server's been hacked. Nearly all of the main web site's files were deleted, and all the mysql files are gone. I went through the security logs to find the intrusions, plus there are two new folders in my FTP. One to delete files, and one to check passwords. So definitely a hacking, and not just a directory that needs to be repaired or anything like that.

The problem is that two backup methods in a row stopped working on me, so the last update is very old, and the database structure has changed dramatically since then. I've been trying to find out a way to recover the files, but I barely know anything about Linux. I have a friend helping me out who knows a lot more, but he doesn't know too much about the operations related to recovering files either.

I've been trying to do a lot of research myself, but everything's just giving me such a headache. I found this tutorial on recovering files: recover.sourceforge.net/unix/ But I'm trying to find out more about it, it's kind of confusing there, and not specific enough compared to the large amount of files in the partition. Could anyone offer me some advice or help me out? It would be a shame for the site to die, it was a family based entertainment site with over two hundred thousand members, it made a lot of kids happy, but it was free to be a part of so I can't hire expensive companies to recover my software, and I can't take much time off of my work to redo it.
 
Old 06-14-2005, 12:34 AM   #2
juanbobo
Member
 
Registered: Mar 2005
Location: Chicago
Distribution: Gentoo AMD64
Posts: 365

Rep: Reputation: 30
What file system are you using?
 
Old 06-14-2005, 02:51 AM   #3
Electro
LQ Guru
 
Registered: Jan 2002
Posts: 6,042

Rep: Reputation: Disabled
I hope you are not using the drive, or that you remount it as read-only as soon as possible. Before any recovery, always make an image of the partition. You can put it on another partition on another drive as a file or just pipe it to another drive. Use `dd if=/dev/hdc of=/mnt/recoverydrv/stupiduser.idiot bs=512 conv=sync,noerror`. The device /dev/hdc is just an example, so plug in your device in place of /dev/hdc. After it is done, you can use grep. Never use the source drive. You can also use a hex editor to help you retrieve binary files. Using both grep and a hex editor takes a lot of knowledge and time to sort through the mess. You are going to have slim to fat chance recovering the files.

http://www.newsforge.com/article.pl?.../10/08/1416248

I'm sure that you ran web, ftp, and mySQL server as root without knowing it. It's best to set them up to run by a user. A user has limited permission. If someone got in through one of the servers, they will have limited function with the rm utility. To safeguard against the next intruder running the rm command, use the techniques that are described in the link above. It's best to set up web and ftp servers so they create a virtual directory tree.

I suggest looking for a local data recovery service, so you do not have to ship your drive to timbuktu.

All I can say is you are just SCREWED.

Next time set up a better backup scheme and schedule. Try using a firewire drive for backups if you do not have enough money to get a tape drive. Run a file monitor to check for any inconspicuous file creation. Run a rootkit scanner. Use nessus to find if there are any backdoors or flaws. Run a program that checks each file to have a certain permission. Always check for upgrades for services that provide people access to your system.
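
The "image first, then grep" workflow from the post above, as an added example that is not part of the original thread: search a raw image for a known string (here a fragment of an SQL dump), get byte offsets, and copy out the surrounding bytes. The function names `find_offsets`, `carve` and `make_sample_image` are hypothetical, the sample image is constructed, and GNU grep is assumed.

```shell
#!/bin/sh
# Search a dd image (never the source device) for a known string and
# carve out the bytes around each hit.
export LC_ALL=C   # byte-wise matching; no locale decoding of binary data

# Print the byte offset of every occurrence of a fixed string in the image.
find_offsets() {   # usage: find_offsets IMAGE STRING
    grep -a -b -o -F -e "$2" "$1" | cut -d: -f1
}

# Write LEN bytes to stdout, starting BEFORE bytes ahead of OFFSET.
carve() {          # usage: carve IMAGE OFFSET BEFORE LEN
    start=$(( $2 - $3 ))
    if [ "$start" -lt 0 ]; then start=0; fi   # clamp at start of image
    dd if="$1" bs=1 skip="$start" count="$4" 2>/dev/null
}

# Constructed sample "image": zero padding around a fragment of an SQL dump.
make_sample_image() {   # usage: make_sample_image OUTFILE
    {
        dd if=/dev/zero bs=512 count=4 2>/dev/null
        printf 'CREATE TABLE members (id INT, name VARCHAR(32));\n'
        printf "INSERT INTO members VALUES (1,'constructed');\n"
        dd if=/dev/zero bs=512 count=4 2>/dev/null
    } > "$1"
}

# Demo: list every hit and show the printable text around it.
img=$(mktemp)
make_sample_image "$img"
for off in $(find_offsets "$img" 'INSERT INTO'); do
    echo "hit at byte $off:"
    carve "$img" "$off" 49 128 | tr -c '[:print:]\n' '.'
    echo
done
rm -f "$img"
```

On a real image, pick search strings that only your own data would contain (table names, a known username) and redirect `carve` to a file on a different drive than the image's source.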
 
Old 06-14-2005, 09:42 AM   #4
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 270
Sorry, someone reported this post to be closed but also reported the other post to be closed, so both were closed. I reopened this one at this time.

Last edited by trickykid; 06-14-2005 at 09:43 AM.
 
  


All times are GMT -5.