Post by chow » 2007/11/06 12:38:15

Two servers are compromised after a brute-force attack. What they did on the servers is not clear, but when you reboot such a hacked server the network doesn't come up, saying eth0 is in promiscuous mode, and the filesystem cannot be read anymore. No login is possible. We now have one server up with 722 GB of data we want to get off.

/dev/sdc2 / ext3 rw 0 0
none /proc proc rw 0 0
none /sys sysfs rw 0 0
none /dev/pts devpts rw,gid=5,mode=620 0 0
/dev/sdc1 /boot ext3 rw 0 0
/dev/md0 /data ext3 rw 0 0
none /dev/shm tmpfs rw 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw 0 0
nfsd /proc/fs/nfsd nfsd rw 0 0

The data is in /data. We can still access the server over the Gigabit network, but copying the data takes too long. The disk IO is our main bottleneck. How would you proceed in getting the data copied to another server as fast as possible?


Post by pjwelsh » 2007/11/06 15:49:53

Do you have physical access to this box? If so, then boot the install CD/DVD in "rescue" mode and try to recover the info. Depending on what has happened, you may want to investigate/document/catalog how, what, etc. Otherwise, you could just re-install and *NOT* mess with (e.g. format) the /data (/dev/md0) until after you install! You may end up hacked again anyway, however.
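An added example (not code from either poster) of the block-level approach that fits both posts: imaging the whole /dev/md0 volume reads the disk once, sequentially, which is the fastest pattern when disk IO is the bottleneck, and it keeps a bit-for-bit copy for the investigate/document step before anything is reinstalled. Assumed names: SRC is the block device, DST is where the image lands (a local path here; in practice a path on a mounted export from the receiving server), and the hash printed by the sender is compared with a hash taken on the receiver.

```shell
#!/bin/sh
# Added example: acquire a volume image with an integrity hash computed
# from the same byte stream, so the source is read exactly once.
set -eu

# image_volume SRC DST
# Streams SRC through tee: tee writes the bytes to DST while sha256sum
# hashes the identical stream. Prints the SHA-256 of what was read.
# bs=4M keeps the reads large and sequential (the IO-bound case on the page).
image_volume() {
    src=$1
    dst=$2
    dd if="$src" bs=4M 2>/dev/null | tee "$dst" | sha256sum | cut -d' ' -f1
}

# verify_image DST EXPECTED_SHA256
# Run on the receiving side: returns 0 only if the stored image hashes to the
# value the sender printed, i.e. nothing was corrupted or truncated in transit.
verify_image() {
    dst=$1
    expected=$2
    actual=$(sha256sum "$dst" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Usage (hypothetical paths, not run here):
#   hash=$(image_volume /dev/md0 /mnt/receiver/md0.img)   # on the compromised box
#   verify_image /srv/images/md0.img "$hash"               # on the receiving server
# The image can then be mounted read-only on the clean server
# (mount -o ro,loop md0.img /mnt/data) to pull files out at leisure.
```

Because the hash covers only what dd actually delivered, a read that stops early still hashes cleanly, so also compare the image size with the volume size before trusting the copy.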

