[ale] OOOhh! That smarts!

John Mills john.m.mills at alum.mit.edu
Thu Jun 21 08:48:54 EDT 2001


Dow -

Thanks _very_ much for the comments.

On Wed, 20 June 2001, Dow Hurst wrote:

> Immediately do a "dd" of your disk to a backup drive or tape.  Real
> World Linux Security has some notes about this.  You can recover most
> of your data from that file.

I have the book and will look for that.

> Bob Toxen might be able to help you with
> this.  He recovered lost logs from when we were hacked after the machine
> had run for quite awhile under the cracker's control.  We got some
> pertinent info from what we recovered.  Unless you have formatted the
> drive and actually written over the part of the disk where /var was,
> there is a good chance you can recover that stuff.

The drive I 'hit' is larger than any backup I have (13.x GBy), so I'll have to lay hands on another backup medium. I do have basic SCSI installed (not SCSI-2, I believe) to handle my scanners. Maybe I can find a tape drive 'round here (ViaSat, my employer), and dump to it.

I went on to successfully back up three out of four partitions, and decided to shut down the Linux box: I have been having problems with the new disk, which I believe are heat-related. I was making the backup in prep for a destructive diagnostic of the larger, new drive. I _hope_ the system will boot successfully, but I was pretty sure if I left it on, it would fall into a cycle of track-seek failures [as it has been doing], and likely chew itself up, so shutting down seemed the lower risk.

> I know how you feel right now, believe
> me.  I hope you can get what you need back.  Just don't jump the gun and
> assume it is all gone.  Make that dd copy right now.  You can work with
> that later.  If you need some help with the backup and have SCSI-2
> interfaces then I could help you if you want to bring the machine here
> to KSU.

I have been very cautious, other than not knowing if I'll be able to boot the system again. I am also considering: (1) completing my backup [naturally], (2) reinstalling from CD, and then (3) over-writing the installation from my backup. I'll bet that will capture 95% of my changes. Outright recovery would be _far_ better, in terms of lost spools.

> Example dd command:
> 
> dd if=/dev/hda of=/dev/hdb
> 
> I am sure there are some blocking-factor issues if you go to tape.

I can probably sort that out - there are a couple of 'low common-denominator' defaults you can force, IIRC.

Thanks again - I'll file a battle report.

Regards,
 John Mills
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
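The dd imaging Dow recommends, as an added example that is not code from the thread: a small POSIX sh wrapper that copies a drive block for block, keeps going past the read errors a failing disk throws, keeps dd's record counts, and records a hash so the image can be checked before anyone works from it. Assumed: sha256sum (or cksum as a fallback) is on PATH; /dev/hda and the backup path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: forensic-style disk imaging with dd.
# Assumes POSIX sh, a dd that accepts conv=noerror,sync, and sha256sum or cksum.
set -u

# Hash a file with sha256sum when available, otherwise fall back to cksum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# image_disk SOURCE DEST [BLOCKSIZE]
# Copies SOURCE to DEST block for block, as in "dd if=/dev/hda of=/dev/hdb".
#   conv=noerror  keeps dd going past an unreadable block instead of aborting
#                 (useful on a drive that is already throwing seek errors).
#   conv=sync     zero-pads that short block so everything after it stays at
#                 its original offset; the image may therefore be rounded up
#                 to a multiple of BLOCKSIZE.
# dd's own summary (records in/out, errors) is kept in DEST.ddlog and the
# image's hash in DEST.hash so the copy can be verified before it is trusted.
image_disk() {
    src=$1; dst=$2; bs=${3:-64k}
    if [ "$src" = "$dst" ]; then
        echo "image_disk: source and destination are the same" >&2
        return 2
    fi
    dd if="$src" of="$dst" bs="$bs" conv=noerror,sync 2>"$dst.ddlog" || return 1
    hash_file "$dst" >"$dst.hash"
}

# verify_image IMAGE: recompute the hash and compare with the recorded one.
# Returns 0 when they match, 1 when the image changed or the record is missing.
verify_image() {
    [ -r "$1.hash" ] || return 1
    [ "$(hash_file "$1")" = "$(cat "$1.hash")" ]
}

# Typical use on the box from the thread (device names are placeholders):
#   image_disk /dev/hda /mnt/backup/hda.img 64k && verify_image /mnt/backup/hda.img
```

Image to a file on a drive that is at least as large as the source, and check DEST.ddlog for a non-zero error count before deciding whether the unreadable blocks covered /var.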