[ale] OOOhh! That smarts!

Dow Hurst dhurst at kennesaw.edu
Wed Jun 20 20:50:23 EDT 2001


John,
Immediately do a "dd" of your disk to a backup drive or tape.  Real
World Linux Security has some notes about this.  You can recover most
of your data from that file.  Bob Toxen might be able to help you with
this.  He recovered lost logs from when we were hacked after the machine
had run for quite a while under the cracker's control.  We got some
pertinent info from what we recovered.  Unless you have formatted the
drive and actually written over the part of the disk where /var was,
there is a good chance you can recover that stuff.  Email Bob at
bob at cavu.com for some advice.  I know how you feel right now, believe
me.  I hope you can get what you need back.  Just don't jump the gun and
assume it is all gone.  Make that dd copy right now.  You can work with
that later.  If you need some help with the backup and have SCSI-2
interfaces then I could help you if you want to bring the machine here
to KSU.  Example dd command:

dd if=/dev/hda of=/dev/hdb

I am sure there is some blocking factor issues if you go to tape.
Dow


John Mills wrote:
> 
> ALErs -
> 
> Last night in the process of backing up my system to an old HDD, I blew away the '/var' directory from my RH6.2 installation. Lots of morals to be drawn from the mis-step, but meanwhile I'm faced with damage control.
> 
> Three things I know immediately I've lost are:
> 
> 1. unsaved mail in /var/spool
> 2. printer installation in /var/spool
> 3. log information in /var/log
> 4. 'rpm' history and overhead files
> 
> No point crying about what's gone, but I want as little rework as practical when I put the #$%@!! back together.
> 
> Thus I no longer have the information which 'rpm' expects in order to do an orderly repair. I can go back and do a re-installation from the CD, but I would appreciate any suggestions as to:
> 
> 1. Avoiding replacement of files which are still in place (and may represent upgrades or customizations) with 'stock' files from the rpms, and
> 
> 2. Achieving (so far as possible, given the lost 'rpm' files) an upgrade/repair type of installation, rather than a 'new' installation I would then have to rework.
> 
> 3. What I need to do in order that otherwise complete utilities like 'sendmail' can go back to work.
> 
> 4. Any good sources of prosthetic toes? &;^(
> [Is there a Free Toe Foundation?]
> 
> TIA - at least you can be happy it wasn't your system!
> 
> Regards,
>  John Mills
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.

-- 
__________________________________________________________
Dow Hurst                   Office: 770-499-3428
Systems Support Specialist  Fax:    770-423-6744
1000 Chastain Rd.
Chemistry Department SC428  Email:dhurst at kennesaw.edu
Kennesaw State University         Dow.Hurst at mindspring.com
Kennesaw, GA 30144
*********************************
*Computational Chemistry is fun!*
*********************************
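The "dd first, recover later" step Dow describes, as an added example that is not part of the original mail: it images a disk the way he suggests but into an image file rather than over a second drive, keeps going past unreadable sectors, and records a hash so the copy can be verified before anyone works on it. The demo at the end runs on a constructed 1 MiB file so it needs neither root nor a spare disk; on a real system the source would be the block device (Dow's /dev/hda).

```shell
#!/bin/sh
# Added example, not from the original thread: take a bit-for-bit image of a
# disk or partition before any recovery work, then verify the copy.
set -u

# image_disk SOURCE DEST: copy SOURCE to the image file DEST block by block
# and print the SHA-256 of the finished image so it can be recorded.
#  bs=64k        large blocks (the "blocking factor" the mail mentions)
#  conv=noerror  keep going past unreadable sectors instead of aborting
#  conv=sync     pad a short read with zeros so offsets in the image still
#                line up with offsets on the original disk
# Caveat: with conv=sync, bs must divide the source size exactly or the image
# gets a zero-padded tail; fall back to bs=512 (the sector size) if it does not.
image_disk() {
    src=$1; dst=$2
    dd if="$src" of="$dst" bs=64k conv=noerror,sync 2>/dev/null || return 1
    sha256sum "$dst" | cut -d' ' -f1
}

# verify_image SOURCE DEST: prints 1 if the image matches the source
# bit for bit, 0 otherwise. A mismatch after a clean run means either the
# source changed underneath us (it is still mounted read-write) or a sector
# was unreadable and got padded.
verify_image() {
    a=$(sha256sum "$1" | cut -d' ' -f1)
    b=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$a" = "$b" ] && echo 1 || echo 0
}

# demo: constructed 1 MiB "disk" (a multiple of 64k, so no padding) imaged
# and verified in a temp directory; prints 1 on success.
demo() {
    work=$(mktemp -d)
    head -c 1048576 /dev/urandom > "$work/disk.raw"
    image_disk "$work/disk.raw" "$work/disk.img" >/dev/null
    ok=$(verify_image "$work/disk.raw" "$work/disk.img")
    rm -rf "$work"
    echo "$ok"
}

demo
```

Do the recovery (undelete tools, grepping for log text) against the image or a copy of it, with the original disk left untouched and, if it must stay attached, mounted read-only.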