The other day, one of our servers was hacked. We immediately had a fresh OS installed, slaved the old OS drive and rebuilt the machine. We also had a secondary drive which contained all of our cPanel backups, but since there were only two slots for drives, the backup drive had to be removed to install the old OS drive.
Once the new OS was installed and the data from the old OS was copied, we had a workable machine; we then had the old OS drive removed and the backup drive put back in.
Here is where the problem starts. When we went to do a restore from the backup drive, it was empty, nothing at all on the drive. The backups had been running nightly up until the hack occurred.
We thought that one of the following may have caused it:
- When the machine was brought back up after putting in the backup drive, the backup drive was mounted as an ext3 drive, but it was formatted and used with the old OS as an ext2 filesystem.
- It is possible that the hacker deleted all of the backups, but he didn't delete anything from the old OS drive, so it is questionable whether this was the cause.
- The data center wiped the drive but would not admit doing so, or put in a new drive that was empty.
But here's where it gets confusing... The drive shows no data when we do a directory listing (ls -la), but when we run df -h it shows that 85 MB have been used on the drive, and that was the same usage prior to the hack according to our logwatch reports.
So based on the fact that the system is showing data usage on the drive, it appears that the correct drive was put in. There is only one partition on the drive. So what happened to the data?
I am looking to see if there are any answers to this issue and to these questions:
- Could the partition have been corrupted by mounting it as ext3 instead of ext2 when it was previously formatted as ext2?
- Could the hacker have made the cpbackup folder hidden from view of the root account, and if so, how can it be unhidden?
- Why would the system show disk usage when nothing is appearing on the drive?
Any thoughts or insights that would help clarify this situation would be appreciated.
Regards
George
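A shell check for the three questions in the post (dot-hidden entries, a filesystem mounted over the directory, the gap between what df counts and what du can see, and whether the on-disk filesystem carries an ext3 journal). This is an added example, not part of George's post; the mount point /mnt/backup is an assumed placeholder and the journal check assumes tune2fs from e2fsprogs is installed.

```shell
#!/bin/sh
# Added diagnostic for a mounted backup drive that shows space used in df
# but nothing in ls.  Assumed placeholder mount point: /mnt/backup.

# Entries that a plain "ls" skips: names starting with a dot, e.g. ".cpbackup".
# "ls -A" lists everything except . and .., so the dot-names become visible.
hidden_entries() {
    ls -A "$1" | { grep '^\.' || true; }
}

# True if more than one filesystem is recorded at this mount point, i.e.
# something was mounted on top and is masking the real directory contents.
overmounted() {
    n=$(awk -v p="$1" '$2 == p' /proc/mounts | wc -l)
    [ "$n" -gt 1 ]
}

# Takes the "Filesystem features:" line of "tune2fs -l <device>" and reports
# whether a journal is present; an ext2 filesystem never has has_journal.
has_journal() {
    case "$1" in
        *has_journal*) return 0 ;;
        *) return 1 ;;
    esac
}

# Kilobytes that df counts as used but that no visible file under the mount
# point accounts for.  Filesystem metadata (journal, inode tables) and
# deleted-but-still-open files live in this gap; a large gap beside an empty
# listing means the blocks are still allocated on disk.
usage_gap() {
    used=$(df -Pk "$1" | awk 'NR == 2 { print $3 }')
    visible=$(du -sk "$1" | awk '{ print $1 }')
    echo $(( ${used:-0} - ${visible:-0} ))
}

main() {
    mp=$1
    echo "hidden entries under $mp:"; hidden_entries "$mp"
    overmounted "$mp" && echo "WARNING: another filesystem is mounted over $mp"
    echo "df used minus du visible: $(usage_gap "$mp") KB"
    dev=$(awk -v p="$mp" '$2 == p { print $1 }' /proc/mounts | tail -n 1)
    features=$(tune2fs -l "$dev" 2>/dev/null | grep 'Filesystem features')
    if has_journal "$features"; then echo "journal: present"
    else echo "journal: absent or unknown (tune2fs needs root)"; fi
}

# Runs only when a mount point is supplied, e.g.: sh check_backup_mount.sh /mnt/backup
if [ -d "${1:-}" ]; then main "$1"; fi
```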