LinuxQuestions.org
Old 04-22-2005, 04:21 PM   #1
rockwell_001
LQ Newbie
 
Registered: Jun 2004
Posts: 23

Rep: Reputation: 15
Linux backup


Hi all, previously I posted a thread about how to know if the server got hacked. That is because our server was hacked twice in the past 30 days; I think he is the same guy. What happened was he created a guest account and deleted some files. So what I would like to do now is to back up the Linux machine onto another hard drive (secondary) in the Linux box. I wanted to do it in such a way that all the data including root, bootloader (whatever, I guess everything) are backed up to the secondary disk and, if the server is hacked, just copy/restore everything onto the primary hard disk from the secondary and the system should boot up normally. I don't know if we can do this or not; can you give me some tips regarding this (whether to write a script and how to write the script)?

If you are not clear with my question, can you please reply to me and I can put it in another way. I really need to do this because there are several hack attempts being made every week (I know this because I installed logwatch).

Could you please help me out .....
Thanks for your previous replies...
 
Old 04-22-2005, 04:36 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
IMHO, it would be pointless to restore a backup of the system that's getting owned - as it will simply get owned again, cuz you'd be restoring the system and the security hole also.... what you need to do is find the hole the attacker is using and then close it...
 
Old 04-22-2005, 05:09 PM   #3
jimdaworm
Member
 
Registered: Aug 2003
Location: Spain
Distribution: Ubuntu
Posts: 897

Rep: Reputation: 30
I have to agree, but once you have a secure install, if you want to back it up have a look at partimage; it's pretty cool and will save exact images of whole partitions.
 
Old 04-22-2005, 05:28 PM   #4
bigrigdriver
LQ Addict
 
Registered: Jul 2002
Location: East Centra Illinois, USA
Distribution: Debian stable
Posts: 5,908

Rep: Reputation: 356
I find that DAR gives me what I need. Dar allows me to restore one file, one directory, or the entire directory tree. I can back up directories (but not the files within) if I don't care about the files but want to keep the directories. I get approximately 50% compression in my backups. I can specify which files to exclude, which to include, which to not try to compress because they're already compressed. The list goes on.
But, as win32sux said, if you don't close the door the hacker is using, you will only keep opening that door for him when you restore a backup.
Get the system to a secure state, then make a backup.
 
Old 04-22-2005, 06:32 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
rockwell_001: also keep in mind that you should never put this type of backup on a secondary disk on the system... that would work fine for an anti-data-loss type of backup (the usual kind of backup), but for a rescue backup you are much better off using something like partimage, as suggested by jimdaworm above... this way you can put the backup on a different server, or on a cd/dvd with no problems...

if an attacker owns your system, there's nothing preventing them from doing all kinds of modifications to your "backup" on the secondary disk... which brings us back to square one: you need to fix the security hole... once you have fixed that hole and have checked everything else (and then done a fresh install using the new information) then make a bare metal rescue backup (using partimage, for example) of the system in that state BEFORE IT'S EXPOSED ONTO THE NETWORK... this way if you get owned again you can unplug the network, do the bare metal rescue, and fix whatever went wrong before putting the machine on the network once again...

in other words, the rescue disk is just buying you time, by letting you start off from a pre-installed/configured system, but you'll still have to fix the security hole before going back online...

if you find yourself actually using this kinda backup on a regular basis, then you need to take a serious look at your general security strategy, because something is terribly wrong... maybe you are using a distro that isn't providing any more security updates... maybe you have misconfigured one of your daemons... maybe you've had a rootkit installed all this time... it could be any number of things...

but one thing is for sure: relying on bare metal rescues for security is a VERY BAD idea...

Last edited by win32sux; 04-22-2005 at 06:33 PM.
 
Old 04-23-2005, 03:56 PM   #6
rockwell_001
LQ Newbie
 
Registered: Jun 2004
Posts: 23

Original Poster
Rep: Reputation: 15
Thanks for your replies guys, I will not work on it and let you know........
 
Old 04-29-2005, 10:47 AM   #7
rockwell_001
LQ Newbie
 
Registered: Jun 2004
Posts: 23

Original Poster
Rep: Reputation: 15
Sorry guys, I meant to say I will work on it and let you know .......
 
Old 04-29-2005, 06:08 PM   #8
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 269
Install or configure some kind of intrusion detection also on your network/systems, something like tripwire. But yes, just simply restoring the system is not solving the problem in whole. Stopping the person from attacking/cracking your system is the first step you should take and then your next step is to prevent it from happening again. Then worry about restoring your system if it ever happens again, but hopefully the first two steps get rid of that problem altogether.
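
The kind of file-integrity check suggested above, sketched as an added example (not code from the thread, and not Tripwire's own format or API): take a hash baseline while the system is in a known-good state, keep it off the host as post #5 advises for rescue backups, and later report what was added, removed or modified. The function names, sample tree and passwd entries are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()  # skip symlinks and special files
    }

def compare(baseline, current):
    """Report paths added, removed or modified since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def account_names(passwd_text):
    """Login names from passwd-format text (first colon-separated field)."""
    return {line.split(":", 1)[0] for line in passwd_text.splitlines() if line}

def demo():
    """Constructed sample tree standing in for the server's filesystem."""
    clean = "root:x:0:0:root:/root:/bin/bash\nwww:x:33:33::/srv:/usr/sbin/nologin\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        passwd, page = root / "etc" / "passwd", root / "srv" / "index.html"
        for path, text in ((passwd, clean), (page, "hello\n")):
            path.parent.mkdir(parents=True)
            path.write_text(text)
        # Baseline taken in the known-good state; store it off the host.
        baseline, known = snapshot(root), account_names(passwd.read_text())
        # Constructed changes like those the original poster reported.
        passwd.write_text(clean + "guest:x:1001:1001::/home/guest:/bin/bash\n")
        page.unlink()
        report = compare(baseline, snapshot(root))
        new = sorted(account_names(passwd.read_text()) - known)
    return report, new

if __name__ == "__main__":
    print(demo())
```

The same `snapshot`/`compare` pair can be pointed at a directory of backup images to confirm they are unchanged before a restore, provided the baseline itself was kept somewhere the compromised host could not write to.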
 
  

