restoring server from backup

[Aerethorn]

hello all, a client of the company i work for, had his server compromised (r00ted), the bakcup that was done only has the following

root@www1 [/old]# ls
./ ../ home/ home2/ httpd/ lost+found/ var/ root/.my.cnf
root@www1 [/old]# ls var
./ ../ cpanel/ lib/ log/ named/ spool/
root@www1 [/old]#
root@www1 [/old/var]# ls cpanel
./ addonwhmversions/ deleteddomains futex-test* mmpass proftpdconvert updatelogs/
../ adminsessions/ dnsrequests hordepass mysqlup quotawarned usecpphp
accounting.log bandwidth/ eximstatspass iclevels.conf neomail/ repquota.cache users/
accts.db buildapache.config.pl eximup ipchangeinprogress newaccts/ root.accts useup2date
activate/ bwlimited/ features/ jailshell2 noanonftp sessions/ version/
addoncpanelversions/ clevels.conf fileprotect lang.cache/ notifications/ smtpgidonlytweak whmtheme
addonmodules Counters/ fixedsqlstatment lastrun/ objcache/ suexecpatch zonetemplates/
addonmoduleversions/ cp76maillists fpconvert13 logs/ packages/ suspended/
addonscripts cpanel.config frontpagepassthrough4.2 mailman2 perl/ suspendinfo/
addonscriptsversions/ CPDNSLib.dat ftpup mailman2converted phpopendomains upcpcheck


is there any way to restore this data without risks of missing information?

the httpd configuration files and named zones are on the backups.

[AndyReed]

hello all, a client of the company i work for, had his server compromised (r00ted), the bakcup that was done only has the following

root@www1 [/old]# ls
./ ../ home/ home2/ httpd/ lost+found/ var/ root/.my.cnf

is there any way to restore this data without risks of missing information?

Are you sure these files are not blank? Does he have *.tar.gz or incremental backup for his sites and DBs? Or all of that is gone?

[chirpy]

Without the files from /etc you might be in for a bit of a struggle. Obviously the /home data is fine for the user files. The important files in /var/cpanel are users/ features/ packages/ if you restore those plus the home files, plus /var/lib/mysql/ and /var/named and the httpd.conf files.

The next major hurdle will be recreating /etc/passwd which can be done using:

/scripts/rebuildetcpasswd

However, you have to be very careful with that script and be sure to backup /etc/passwd /etc/shadow /etc/gshadow and etc/group before playing with it.

After that's been run all none of the cPanel accounts will have passwords set. Next step would be to try running through the following:

/scripts/rebuildnamedconf
/scripts/updateuserdomains
/scripts/fullhordereset
/scripts/fixeverything
/scripts/upcp --force

Hopefully that will recreate most of what you need, but there are likely to be big holes and you'll have to set each and every cPanel account password.

Ultimately, it might be simpler to recreate each account through WHM individually and then restore the /home data for the account and then correct the files ownerships.