Client Server Hacked
Posted by ShineServers, 10-13-2016, 01:13 AM
Hello,
Today I really need some suggestions: one of our customers' /home was wiped last night using the rm command. Some IP logged in through his broken script and this mishap happened. Now, as is the nature of all other big clients, he also doesn't have any data, and as a hosting provider we don't keep backups for dedicated servers either.
Now, either he gets the data back or he'll be broke in the next few days, and he is already so depressed at the moment that he might do something that is not right, so that's the reason I'm helping him with his data.
Now, I need to know if there are ways to recover deleted/reinstalled/wiped hard disks. We can recover MySQL as that's intact; the main issue is /home, with loads of data, around 20 GB+.
Specs he had:
Hexa Core
480 GB SSD (OS & DATA)
2 TB SATAIII (Backups) (We disconnected it from server once we got to know that /home is deleted)
cPanel, Centos 6 64bit
KVM is available
You might have noticed the backups there; it's the first drive which got wiped, then he removed /home. After notification from the website monitor we turned the server down and booted into rescue.
As of now conditions are:
1. Server is in rescue mode. (Centos 6 64Bit)
2. We have not yet reinstalled it as we thought it might break any data if there is possibility to recover it.
3. How about using Mondo? Does it work in rescue mode?
4. How can we recover his deleted data?
5. Is there anyone who can do it for us? (Paid, of course)
Open for suggestions, thanks
Posted by Truman, 10-13-2016, 02:38 AM
What backups does the 2 TB SATAIII hold? Is it the cPanel backups for the accounts?
Posted by net, 10-13-2016, 03:23 AM
Commit something because of the data loss? Why didn't he put some remote backup in place in the first place if it is really that important?
I don't get it.
Best to tell him to bring the drive to an expert for recovery... but do not put much hope in that.
Posted by CretaForce, 10-13-2016, 07:30 AM
In rescue mode mount the 2TB to see if there are any backups there.
Posted by IGobyTerry, 10-13-2016, 07:49 AM
I would put in a new hard drive and then look into data recovery. Whatever you do, I would not play around with the existing hard drive trying to recover the data unless you're an expert.
Posted by ServerManagement, 10-13-2016, 08:10 AM
If there's any chance at recovering the deleted data, you need to get it to a professional disaster recovery facility. The most important advice I can give you is, don't play with it, do not try "quick fixes" that you find by searching online, and do not look for the cheapest place to do it. If it is possible to recover anything, it will only be able to be done by someone experienced with this, and it will cost quite a bit.
Posted by ShineServers, 10-13-2016, 11:41 AM
I thought the same, but the issue is that the hackers deleted almost all files, leaving just a few, so the server is unreachable over normal SSH. And our provider is hardly showing any interest in helping us with this. It's been over 24 hrs and they have not been able to fix the KVM for us so that we can get in. I used to praise this provider a lot, but things seem to be getting dirty now as they are not at all willing to help with this issue in the first place. I'm not even asking for their help, but we at least need to access the server either via Rescue or KVM, and unfortunately they don't have anything in place at the moment.
Posted by lunahost, 10-13-2016, 11:52 AM
Wouldn't a DR company need access to the disks, physically? If your host is not willing to help you're probably going to struggle moving forward.
Posted by ShineServers, 10-13-2016, 02:52 PM
Update: We were finally able to get into KVM; one of my engineer friends is looking after the issue. He will probably be using TestDisk recovery on the SSD disk, but he said don't expect much from this.
Posted by whmcsguru, 10-13-2016, 04:21 PM
This is why you have backups... Continual backups
Data recovery companies need access to the disk. Get it to them immediately.
Don't toy around with "friends", they're going to screw crap up more.
Posted by SenseiSteve, 10-13-2016, 07:59 PM
I'd follow his advice. This is serious stuff. You need to let a professional data recovery firm handle this for you.
Posted by FastServ, 10-13-2016, 11:44 PM
Even remounting the disks greatly reduces any chances of recovery. Best to power down and pull the drives ASAP and send them off to a recovery firm.
Posted by ShineServers, 10-14-2016, 12:39 AM
That engineer friend is placed at IBM for RAID and Data Management.
PS: The client decided to leave as he blames our company for his "hacked" server. So be it!
I never understand: if their data is so important to them, then why not just take a while and place a copy of the backup on his PC?
Thanks everyone for your comments/suggestions!
Posted by Afterburst-Jack, 10-14-2016, 02:12 PM
Sorry to hear you lost the customer.
Just in case anyone stumbles across this thread looking for information in the future -- rm is typically recoverable, but the data may be overwritten at any time if the drives are mounted (particularly if they are in use/OS is booted) as FastServ mentioned above.
i.e. power down ASAP and either get the drive to a data recovery company, or risk trying yourself (perhaps using debugfs).
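Added example, not from any post in this thread: a small POSIX shell helper for the step the replies above agree on. It captures a sector-level image of the affected disk before any recovery tool touches it, verifies the copy, and then points debugfs at the image rather than the live device. The device and image paths are placeholders, and GNU dd, util-linux blockdev and e2fsprogs debugfs are assumed.

```shell
set -eu

# image_disk SRC DST
# Copy SRC (a block device such as /dev/sdb, or any file) block-for-block into DST.
# conv=noerror keeps going past unreadable sectors instead of aborting; status=none is GNU dd.
# The source is only ever opened for reading; the image is what every later tool works on.
image_disk() {
    src=$1
    dst=$2
    dd if="$src" of="$dst" bs=4M conv=noerror status=none
    # Verify the copy: the checksum of the image must match the checksum of the source.
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    dst_sum=$(sha256sum "$dst" | cut -d' ' -f1)
    [ "$src_sum" = "$dst_sum" ]
}

# mark_readonly DEV
# On Linux, set the kernel's read-only flag on a block device so nothing can write to it
# (blockdev is part of util-linux). Skipped silently when the tool is not available.
mark_readonly() {
    dev=$1
    if command -v blockdev >/dev/null 2>&1; then
        blockdev --setro "$dev"
    fi
}

# list_deleted IMAGE
# Ask debugfs (e2fsprogs) for deleted inodes in an ext2/3/4 image. debugfs opens the
# filesystem read-only unless -w is given, so the image is not modified. On ext3/ext4 the
# kernel clears the block pointers at unlink time, so lsdel is usually empty there and a
# carver such as photorec (shipped with TestDisk) is the realistic fallback.
list_deleted() {
    img=$1
    command -v debugfs >/dev/null 2>&1 || { echo "debugfs not installed" >&2; return 2; }
    debugfs -R lsdel "$img"
}

# Usage (placeholders: the real device, and an image path on a *different* disk):
#   mark_readonly /dev/sdX
#   image_disk /dev/sdX /mnt/other/sdX.img
#   list_deleted /mnt/other/sdX.img
```

Run it from a rescue environment with the affected filesystem left unmounted; the image must land on a separate disk with at least as much free space as the source.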
Posted by lunahost, 10-14-2016, 02:36 PM
I've been with several dedi providers and none of them provide backups. It can either be purchased as an add-on or I could organise it myself.
It's not the OPs fault if the customer didn't do this.
Posted by whmcsguru, 10-14-2016, 04:01 PM
I didn't say it was, now did I?
Posted by lunahost, 10-14-2016, 04:04 PM
No I wasn't implying you did.