Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hi,
Has anybody experienced this??
All my home folders are visible but they are empty. I have Ubuntu Breezy and Suse, each with separate copies, on separate disks, of the home folder, and both systems are reporting the same problem. This seems to have occurred today. Is there a virus out there which can cause this??
Was the box rebooted between deletion and noticing it?
Did you notice anything strange or unusual happening?
Are there any logs (see /etc/syslog.conf for which ones) showing "weird" lines?
What services do you run?
Are they protected by a firewall?
And no, I haven't heard of an "in the wild" "virus" striking GNU/Linux.
I have rebooted since noticing the loss, to boot into Suse from Ubuntu. The only service is NFS and the wifi router has a firewall. The Suse firewall is running; on Ubuntu, I must say I have not checked if the firewall is running. I assumed (stupid of me) that as a user-friendly distro the firewall would be installed automatically.
Please shut down or remount the partition home is on as read-only.
I was thinking along these same lines too.
Is /home a separate mountpoint, and is just not mounted currently? Were this the case, you'd see /home, but it would probably be an empty directory. Running the "mount" command or checking /etc/mtab would show whether it is mounted or not (provided it's a separate mountpoint in the first place).
I've rebooted into recovery mode, umount'd the /home partition and remounted it with -r (ro): no files. All the folders are there but empty.
The partition used for /home is exactly the same story, very strange and only the /home directory on each system.
Recovery from ext3 filesystems is difficult.
If you're lucky you may find parts of files.
For having a go at file recovery on ext3fs here's what you could do:
- the first thing you will need to do is fixate the partition the deleted files are on as soon as possible after noticing it. Pulling the plug immediately will keep the filesystems in a "dirty" state, but that should be preferred over any method that will change data like remounting readonly (or using Sysrq keycombo "ALT+SYSRQ+U"?). * There are applications that keep deleted files open while they're running. If you suspect that, then copying the /proc/PID/fd/n file descriptor to a file could save it. From this point on all filesystem access should be done booting a LiveCD with the partitions mounted read-only.
- Make a "dd" (sdd or dcfldd) backup of the partition to a file on another physical disk.
- Read Q: How can I recover (undelete) deleted files from my ext3 partition? so you don't get your hopes up too high. Search LQ for recovery experiences and practices.
- If the majority of your files is human readable text you can try to recover parts by grepping for strings (or a disk editor like LDE) in your dd backup file and copying blocks out.
- If the majority of your files is in binary formats (or (text) formats Foremost can handle) then first try Foremost.
- If you had no luck looking for strings or headers then you will have to make sure the data is valuable enough to try recovery this way. It will cost you more in time than you will get in results, it has a steep learning curve and there are no guarantees for recovery whatsoever. You will need to get acquainted with Forensic Discovery basics, then download Helix Live CD or any other Live CD (a list here) that contains The Sleuthkit (read the documents).
- If you had no luck with any of the above options then there are companies that offer professional recovery services. After initial assessment a "clean room" recovery starts at approx. USD 1000.
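The string-search step from the recovery post above, as an added example that is not part of the original thread: it finds a known phrase in a dd image and copies out the whole filesystem block around each hit. It assumes GNU grep and a 4096-byte block size; the function names, the sample image and its text are constructed for illustration.

```shell
#!/bin/sh
# Added example: search a dd image (never the original disk) for a known
# string and copy out the filesystem block that contains each hit.
BLOCK_SIZE=4096  # assumption: typical ext3 block size; check yours with dumpe2fs -h IMAGE

# Print the byte offset of every occurrence of a fixed string in the image.
find_offsets() {   # usage: find_offsets IMAGE STRING
    LC_ALL=C grep -a -b -o -F -e "$2" "$1" | cut -d: -f1
}

# Copy COUNT whole blocks starting at the block holding byte OFFSET;
# prints that block number so the hit can be located again later.
carve_blocks() {   # usage: carve_blocks IMAGE OFFSET COUNT OUTFILE
    block=$(( $2 / BLOCK_SIZE ))
    dd if="$1" of="$4" bs="$BLOCK_SIZE" skip="$block" count="$3" 2>/dev/null
    echo "$block"
}

# Constructed sample: an 8-block image of zeros with one text fragment in block 5.
make_sample_image() {   # usage: make_sample_image IMAGE
    dd if=/dev/zero of="$1" bs="$BLOCK_SIZE" count=8 2>/dev/null
    printf 'Dear Anna,\nthesis draft chapter 3\n' |
        dd of="$1" bs=1 seek=$(( 5 * BLOCK_SIZE + 100 )) conv=notrunc 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_image "$dir/home.img"
    n=0
    for off in $(find_offsets "$dir/home.img" "thesis draft"); do
        n=$(( n + 1 ))
        blk=$(carve_blocks "$dir/home.img" "$off" 1 "$dir/hit_$n.blk")
        echo "hit $n: byte offset $off, block $blk"
        tr -d '\000' < "$dir/hit_$n.blk"   # show the readable part of the block
    done
    rm -rf "$dir"
}

demo
```

On a real image, raise the block count passed to carve_blocks to pull in the blocks that follow a hit, since a file's data often continues in adjacent blocks.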
Thanks for all the info and help. So far no luck: I've tried various methods found in forums etc., and downloaded and used lde; it just gives "no file system found" and error 22.
I'll carry on sifting for a solution as it mystifies me and if it is a malignant it needs to be found.