

Hacked - can mysql and videos be saved from this?




Posted by gemasis, 10-13-2007, 07:33 PM
Hello, my server was hacked. They destroyed some of it, but a lot was intact. My provider swiftly changed the original HD, put in a new one and has attached the old one to allow data transfer. I cannot see the MySQL section, and about 900 videos from a certain folder are missing. Is there ANY way I can recover anything in this situation? Regards

Posted by tanfwc, 10-13-2007, 08:10 PM
All your old data is on the old drive. You need to mount it as a slave, then transfer the data to your original HDD.

Posted by Jakiao, 10-13-2007, 08:23 PM
To mount it, as tanfwc says, you'll need to mount the partitions on the disk. A simple way to check is to run "cat /proc/partitions" and check what partitions exist on the device (probably /dev/sdb). Then mount each one by one and determine if that's the partition with the data you're missing. Say the MySQL data was in /var/lib/mysql, which was on partition / aka sd3:
    mkdir /disk2
    mount /dev/sd3 /disk2
You can then grab the MySQL data from /disk2/var/lib/mysql. Repeat this process for getting the other data you need.

Posted by gemasis, 10-13-2007, 08:31 PM
Hello, the hard drive is mounted, and I have taken data. lib/mysql is not there, hence the reason for my post. Also, some of the videos are showing, but not all. Regards

Posted by Lem0nHead, 10-13-2007, 08:40 PM
The attacker may have deleted them? There are some programs to recover an HD, but I'd suggest you seek professional help in case this data is important, because you can make things worse if you use the wrong tool... or the right tool in the wrong way.

Posted by gemasis, 10-13-2007, 09:08 PM
Invaluable information... Thank you

Posted by amex, 10-13-2007, 10:11 PM
You didn't take any backups of your data?

Posted by gemasis, 10-14-2007, 09:45 AM
Right, I had AVG on my machine. I installed Spyware Doctor and found my machine had rootkit.agent.ey or something like that, so I assume that was the issue. I have since removed it. My provider mounted the old one onto the new hard drive and system. The thing is, all the videos are actually on it, but they will not copy to the new drive. Does anyone know why and how I can get around this?

Posted by tanfwc, 10-14-2007, 09:47 AM
How do you see the drive now?

Posted by gemasis, 10-14-2007, 09:56 AM
OK, 2 things...
1 - The registry entry for the rootkit.agent.ey is left and Spyware Doctor cannot remove it.
2 - I see the drive when I log into FTP as root. I can download them to my PC then re-upload, but the folders I need are 20GB+. So I can see them, but when I tell the FTP program to copy them to the new drive, it fails to move them. It says failed for unknown reason.

Posted by tanfwc, 10-14-2007, 10:07 AM
You might want to SSH in and do a copy instead

Posted by gemasis, 10-14-2007, 10:11 AM
Also, the rootkit and its trojan almost all disappear, but when I reboot and rescan they are there again and I have to clean every time I boot. Any suggestions? Oh, and I went into it also via SSH using PuTTY and there were still copying issues. Please, what would the syntax be, just to make sure I have it right?

Posted by tanfwc, 10-14-2007, 10:27 AM
Maybe you'd like to tell me about "still copying issues". How do you know?

Posted by Sikheadtom, 10-14-2007, 11:06 AM
Copy:
    cp /olddir/old.file /newdir/new.file
Move (Cut):
    mv /olddir/old.file /newdir/new.file
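
A checked version of the copy step discussed above, added here as an example and not posted by anyone in the thread: it copies a whole folder from the mounted old disk and confirms with SHA-256 that every file arrived intact, which answers "how do you know?" for a 20GB+ transfer. The function names, the read-only mount options in the comment and the paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example. Assumed setup (not from the thread): the old disk is mounted
# read-only so nothing on it can run or change during recovery, e.g.
#   mount -o ro,nosuid,nodev,noexec /dev/sdbN /disk2   (sdbN is a placeholder)
# Usage: copy_verified /disk2/path/to/videos /path/on/new/disk

# make_manifest DIR FILE: write "sha256  ./relative/path" for every regular file.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$2"
}

# verify_copy DIR FILE: succeed only if every file listed in the manifest FILE
# (an absolute path) exists under DIR with the same hash. Mismatches go to stderr.
verify_copy() {
    [ -s "$2" ] || return 0          # empty manifest: no files to check
    ( cd "$1" && sha256sum --quiet -c "$2" ) >&2
}

# copy_verified SRC DST: recursive copy, then verification against SRC's hashes.
# Returns 0 = complete, 1 = missing/changed files, 2 = bad arguments,
# 3 = some source files unreadable (damaged or deleted on the old disk).
copy_verified() {
    src=$1
    dst=$2
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 2; }
    mkdir -p "$dst" || return 2
    list=$(mktemp) || return 2
    # Hash the source first so the manifest describes the old disk, not the copy.
    if ! make_manifest "$src" "$list"; then
        echo "could not read every file under $src" >&2
        rm -f "$list"
        return 3
    fi
    # "$src/." copies the directory's contents, dotfiles included, keeping
    # permissions and timestamps (-a). A cp error is not fatal: verify anyway.
    cp -a "$src/." "$dst/" || echo "cp reported errors; verifying what arrived" >&2
    rc=0
    verify_copy "$dst" "$list" || rc=1
    rm -f "$list"
    return "$rc"
}
```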

Posted by gemasis, 10-14-2007, 07:04 PM
Much thanks, I have rescued most of the files... All that's left now is the rootkit permanent removal. Regards


