
Thread: need to backup accounts on compromised server

#1 (Member, joined Jan 2004, 7 posts): need to backup accounts on compromised server

    So the server was compromised and has a rootkit on it.
    Almost all services are shut down except SSH, so I can go in and back up all of the accounts, DBs and cPanel settings.

    Here is the problem: cpbackup is not working.

    It runs, I get
    tar: Removing leading `/' from member names
    several times, and then it is done.
    In the backup/cpbackup/daily directory are 2 other folders, files and dirs. And that's it.
    (I updated to the latest CURRENT, and the line in cpbackup is correct, as another thread noted it should be.)

    Also noted in another thread is the fact that that tar line happens and it doesn't matter.

    In any event, I now have a 12-hour window to get the backup working so I can back up all accounts to a separate drive on the box and reinstall the OS.

    Anyone have any thoughts or suggestions?

    cpbackup.conf contents

    BACKUPACCTS yes
    BACKUPDAYS 0,1,2,3,4,5,6
    BACKUPDIR /backup
    BACKUPENABLE yes
    BACKUPFILES yes
    BACKUPFTPDIR
    BACKUPFTPHOST
    BACKUPFTPPASS
    BACKUPFTPPASSIVE no
    BACKUPFTPUSER
    BACKUPINC no
    BACKUPINT daily
    BACKUPLOGS no
    BACKUPMOUNT no
    BACKUPRETDAILY 1
    BACKUPRETMONTHLY 1
    BACKUPRETWEEKLY 1
    BACKUPTYPE normal
    DIEIFNOTMOUNTED no
    MYSQLBACKUP accounts
    BACKUPCHECK yes
    BACKUP2 yes

    I am near the end of my rope.
    I have searched the forums and the web with little concrete information on what to do.
    I would prefer to use cpbackup, to make restoring all accounts and settings after the OS install much more pleasant.

    Any and all input appreciated.

    JS

#2 (Member, joined Mar 2004, 715 posts)

    tar: Removing leading `/' from member names
    is normal. Do you get any message that the backup is up to date? No other messages? Did you try setting it to incremental and see if that works? There have been some other threads on the fact that the cpbackup script has an error in it, but for me that error backed up all except the dirs and files.
    Lloyd F Tennison

#3 (Member, joined Jan 2004, 7 posts)

    I get
    tar: Removing leading `/' from member names
    several times, and then nothing, just the shell prompt.

    When I check the backup/cpbackup/daily directory, I see
    drwx--x--x 4 root 0 4096 Dec 12 21:23 ./
    drwx--x--x 5 root 0 4096 Dec 12 21:23 ../
    drwx------ 2 root 0 4096 Dec 12 21:23 dirs/
    drwx------ 2 root 0 4096 Dec 12 21:23 files/

    I am assuming I should see a .tar.gz file for each account in there.

    I tried setting incremental, to no avail.

    I saw the error threads, and updated the cPanel build to the current release, which, from what I read, would fix the problem.

#4 (Member, joined Mar 2004, 715 posts)

    Copy cpbackup to, say, forcebackup. Set cPanel to incremental unless you have either updated cpbackup in Edge or fixed it as mentioned in other forums. Change:

    if (isolderthen(.5,"${basedir}/daily")) {
    to:

    if (isolderthen(.00005,"${basedir}/daily")) {
    What that does is let you back up if the backup is less than .0005 days old. Any number like that will do.
    Lloyd F Tennison

#5 (Member, joined Jan 2004, 7 posts)

    Same result

    No .tar.gz files

    Just the /files and /dirs folders

#6 (Member, joined Mar 2004, 715 posts)

    How is drive space?

    df -h
    Maybe not enough to create backups?
    Lloyd F Tennison

#7 (Member, joined Jan 2004, 7 posts)

    /dev/hdc1 74G 261M 70G 1% /backup

    Space not an issue...

#8 (Member, joined Mar 2004, 715 posts)

    No, not the backup drive. cpbackup places the backup files first on the /home partition. Plus it then needs temp room to create the tar file, etc. That's why I asked for all the partitions.
    Lloyd F Tennison

#9 (Member, joined Jan 2004, 7 posts)

    Filesystem      Size  Used  Avail  Use%  Mounted on
    /dev/hda3        36G   19G    15G   55%  /
    /dev/hda1        99M   31M    64M   33%  /boot
    none            247M     0   247M    0%  /dev/shm
    /dev/hdc1        74G  261M    70G    1%  /backup
    /usr/tmpDSK     243M  6.0M   224M    3%  /tmp
    /tmp            243M  6.0M   224M    3%  /var/tmp
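The thread never resolves why cpbackup leaves only the dirs/ and files/ folders behind, and the poster has a 12-hour window before the OS reinstall. The script below is an added example, not cPanel's cpbackup and not code from either poster: it is the manual fallback a responder would run when the vendor tool produces no archives, and it folds in the two checks raised above (post #8's point that staging space matters, not just the 70G free on /backup, and post #3's expectation of one .tar.gz per account). Assumptions, labelled in the code: cPanel account names are the file names under /var/cpanel/users and each home is /home/<user>; both paths are parameters, so the functions can be exercised on any directory tree. Because the host is rootkitted, tar, gzip and the hashing tool on it cannot be fully trusted either; the SHA-256 files written beside each archive only let you detect corruption in transit, so re-verify them from a clean machine after copying the archives off the box, and treat the archive contents (web shells, cron entries, modified .htaccess files left in the accounts) as suspect before restoring them onto the rebuilt server.

```shell
#!/bin/sh
# Fallback account backup for a cPanel host where cpbackup produces no archives.
# Added example, not cPanel code. Assumptions: cPanel usernames are the file
# names under /var/cpanel/users and each home is /home/<user>; both are passed
# in as parameters so the functions are not tied to those paths.
set -u

# Available kilobytes on the filesystem holding $1 (POSIX `df -P` layout).
avail_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Kilobytes used by directory $1: an upper bound on the archive it produces.
needed_kb() {
    du -sk "$1" | awk '{ print $1 }'
}

# Return 0 when the filesystem holding $1 has $2 KB free plus 10% headroom.
# cpbackup stages under /home before copying to BACKUPDIR, so check the
# staging path as well as the destination drive.
has_room() {
    avail=$(avail_kb "$1")
    need=$(( $2 + $2 / 10 ))
    [ "$avail" -ge "$need" ]
}

# Archive one account: tar+gzip the home directory to $3/<user>.tar.gz,
# write a SHA-256 beside it, and remove any partial archive if tar fails.
archive_account() {
    user=$1; home=$2; out=$3
    archive="$out/$user.tar.gz"
    if ! tar -czf "$archive" -C "$(dirname "$home")" "$(basename "$home")"; then
        rm -f "$archive"
        echo "FAIL $user (tar exited non-zero)" >&2
        return 1
    fi
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$out" && sha256sum "$user.tar.gz") > "$archive.sha256"
    else
        (cd "$out" && shasum -a 256 "$user.tar.gz") > "$archive.sha256"
    fi
    echo "OK $user"
}

# Back up every account named in $1 whose home lives under $2, writing
# archives into $3. Prints one manifest line per account; the return value
# is the number of accounts that were NOT archived (0 means all done).
backup_accounts() {
    users_dir=$1; home_root=$2; out=$3
    mkdir -p "$out"
    failed=0
    for f in "$users_dir"/*; do
        [ -f "$f" ] || continue
        user=$(basename "$f")
        home="$home_root/$user"
        if [ ! -d "$home" ]; then
            echo "SKIP $user (no home directory)" >&2
            failed=$((failed + 1)); continue
        fi
        if ! has_room "$out" "$(needed_kb "$home")"; then
            echo "FAIL $user (not enough space on $out)" >&2
            failed=$((failed + 1)); continue
        fi
        archive_account "$user" "$home" "$out" || failed=$((failed + 1))
    done
    return "$failed"
}

# Databases: stands in for cpbackup's MYSQLBACKUP step with one dump of
# everything. Runs only if mysqldump exists; assumes root's credentials are
# in /root/.my.cnf as on a stock cPanel box.
dump_databases() {
    command -v mysqldump >/dev/null 2>&1 || { echo "SKIP mysqldump not found" >&2; return 0; }
    mysqldump --all-databases --single-transaction | gzip > "$1/all-databases.sql.gz"
}

# Live use on the box in the thread (not executed here):
#   backup_accounts /var/cpanel/users /home /backup/manual && dump_databases /backup/manual
```

After the run, `ls /backup/manual` should show one .tar.gz and one .sha256 per account, which is the result the poster expected from cpbackup. Copy the archives to the separate drive, then verify `sha256sum -c` on a trusted host before trusting them for the restore.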
