Old 07-05-2006, 11:06 AM   #1
bobinglis
Member
 
Registered: Dec 2003
Location: MK
Distribution: \\slackware 10.1
Posts: 50

Rep: Reputation: 15
Lost all personal files


Hi,
Has anybody experienced this??
All my home folders are visible but they are empty, I have Ubuntu breezy and Suse each with separate copies, on separate disks, of the home folder both systems reporting the same problem. This seems to have occurred today. Is there a virus out there which can cause this??
 
Old 07-05-2006, 11:48 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Can you verify with non-GUI means, like running du or find or ls from a terminal, the files are "gone"?
 
Old 07-05-2006, 12:44 PM   #3
bobinglis
Member
 
Registered: Dec 2003
Location: MK
Distribution: \\slackware 10.1
Posts: 50

Original Poster
Rep: Reputation: 15
ls gives the same results.
 
Old 07-05-2006, 12:59 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Was the box rebooted between deletion and noticing it?
Did you notice anything strange or unusual happening?
Are there any logs (see /etc/syslog.conf for which ones) showing "weird" lines?
What services do you run?
Are they protected by a firewall?


And no, I haven't heard of an "in the wild" "virus" striking GNU/Linux.
 
Old 07-05-2006, 01:08 PM   #5
bobinglis
Member
 
Registered: Dec 2003
Location: MK
Distribution: \\slackware 10.1
Posts: 50

Original Poster
Rep: Reputation: 15
I have rebooted since noticing the loss, to boot into Suse from Ubuntu. The only service is nfs and the wifi router has a firewall. Suse firewall is running; for Ubuntu I must say I have not checked if the firewall is running, I assumed (stupid of me) that as a user friendly distro the firewall would be installed automatically.
 
Old 07-05-2006, 01:50 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Please shutdown or remount the partition home is on as read-only. Should have told you that first thing, sorry.
 
Old 07-05-2006, 02:37 PM   #7
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,331

Rep: Reputation: 357
Quote:
Originally Posted by unSpawn
Please shutdown or remount the partition home is on as read-only.
I was thinking along these same lines too.

Is /home a separate mountpoint, and is just not mounted currently? Were this the case, you'd see /home, but it would probably be an empty directory. Running the "mount" command or checking /etc/mtab would show whether it is mounted or not (provided it's a separate mountpoint in the first place).
 
Old 07-06-2006, 12:36 AM   #8
bobinglis
Member
 
Registered: Dec 2003
Location: MK
Distribution: \\slackware 10.1
Posts: 50

Original Poster
Rep: Reputation: 15
I've rebooted into recovery mode and umount'd the /home partition remounted with -r (ro), no files. All the folders are there but empty.
The partition used for /home is exactly the same story, very strange and only the /home directory on each system.
 
Old 07-06-2006, 04:44 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Recovery from ext3 filesystems is difficult

Quote:
Originally Posted by bobinglis
I've rebooted into recovery mode and umount'd the /home partition remounted with -r (ro), no files. All the folders are there but empty. The partition used for /home is exactly the same story, very strange and only the /home directory on each system.

Recovery from ext3 filesystems is difficult.
If you're lucky you may find parts of files.
For having a go at file recovery on ext3fs here's what you could do:
- the first thing you will need to do is fixate the partition the deleted files are on as soon as possible after noticing it. Pulling the plug immediately will keep the filesystems in a "dirty" state, but that should be preferred over any method that will change data like remounting readonly (or using Sysrq keycombo "ALT+SYSRQ+U"?). * There are applications that keep deleted files open while they're running. If you suspect that, then copying the /proc/PID/fd/n file descriptor to a file could save it. From this point on all filesystem access should be done booting a LiveCD with the partitions mounted read-only.
- Make a "dd" (sdd or dcfldd) backup of the partition to a file on another physical disk.
- Read "Q: How can I recover (undelete) deleted files from my ext3 partition?" so you don't get your hopes up too high. Search LQ for recovery experiences and practices.
- If the majority of your files is human readable text you can try to recover parts by grepping for strings (or a disk editor like LDE) in your dd backup file and copying blocks out.
- If the majority of your files is in binary formats (or (text) formats Foremost can handle) then first try Foremost.
- If you had no luck looking for strings or headers then you will have to make sure the data is valuable enough to try recovery this way. It will cost you more in time than you will get in results, it has a steep learning curve and there are no guarantees for recovery whatsoever. You will need to get acquainted with Forensic Discovery basics, then download Helix Live CD or any other Live CD (a list here) that contains The Sleuthkit (read the documents).
- If you had no luck with any of the above options then there are companies that offer professional recovery services. After initial assessment a "clean room" recovery starts at approx. USD 1000.

As always YMMV(VM).

Good luck.

Last edited by unSpawn; 07-06-2006 at 04:46 AM.
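
Added example, not part of unSpawn's post: the "make a dd backup, grep it for strings and copy blocks out" steps above, run against a constructed image file instead of a real partition. The 4096-byte block size, the function names and the sample text are assumptions made for the illustration.

```bash
#!/bin/bash
# Added example: string search and block carving on a dd image (never the live disk).
BS=4096   # assumed block size; read the real one with "tune2fs -l" on an actual ext3 fs

# Constructed sample: 64 zeroed blocks with one text fragment at the start of block 10.
make_sample_image() {
    dd if=/dev/zero of="$1" bs="$BS" count=64 status=none
    printf 'Dear Bob, the invoice number is 2006-0705\n' |
        dd of="$1" bs="$BS" seek=10 conv=notrunc status=none
}

# image_copy SRC DST: image SRC to DST, succeed only if both hash identically.
image_copy() {
    dd if="$1" of="$2" bs="$BS" status=none || return 1
    [ "$(sha256sum < "$1")" = "$(sha256sum < "$2")" ]
}

# find_blocks IMG STRING: print the number of each block where STRING starts.
find_blocks() {
    grep -a -b -o -F -- "$2" "$1" | cut -d: -f1 |
        while read -r off; do echo $(( off / BS )); done | sort -nu
}

# carve_blocks IMG FIRST COUNT OUT: copy COUNT blocks starting at block FIRST.
carve_blocks() {
    dd if="$1" of="$4" bs="$BS" skip="$2" count="$3" status=none
}

# Demo on the constructed image; everything lives in a temporary directory.
work=$(mktemp -d)
make_sample_image "$work/part.img"
image_copy "$work/part.img" "$work/copy.img" && echo "copy verified"
for b in $(find_blocks "$work/copy.img" "invoice number"); do
    carve_blocks "$work/copy.img" "$b" 1 "$work/block_$b.bin"
    echo "block $b: $(tr -d '\000' < "$work/block_$b.bin")"
done
rm -rf "$work"
```

On a real case the source would be the unmounted partition read from a LiveCD and the copy would go to another physical disk, with all searching done on the copy.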
 
Old 07-06-2006, 07:56 AM   #10
bobinglis
Member
 
Registered: Dec 2003
Location: MK
Distribution: \\slackware 10.1
Posts: 50

Original Poster
Rep: Reputation: 15
Thanks for all the info and help, so far no luck, I've tried various methods found in forums etc, and downloaded and used lde, it just gives no file system found and error 22.
I'll carry on sifting for a solution as it mystifies me and if it is a malignant it needs to be found.
 
Old 07-06-2006, 08:52 AM   #11
bobinglis
Member
 
Registered: Dec 2003
Location: MK
Distribution: \\slackware 10.1
Posts: 50

Original Poster
Rep: Reputation: 15
du shows some folders still have files, these are mainly downloads, and .files or hidden files.
 