Re: [CentOS] data recovery
Lamar,

Thanks for the info.

Paras.

On Tue, Sep 27, 2011 at 10:44 AM, Lamar Owen wrote:
> On Monday, September 26, 2011 11:18:06 AM Paras pradhan wrote:
>> On Mon, Sep 26, 2011 at 5:53 AM, Lamar Owen wrote:
>> > May I ask what sort of SAN?
>> Its a Hitachi OpenV fibre channel SAN (4Gbps HBA). My storage admin
>> checked if this LUN can be accessible by others and he found no other
>> hosts have access to it.
>
> Ok.
>
>> > I've seen some odd LUN reshuffling before,
> ...
>> reshuffling here means automatically changing disk's geometry as I am
>> having an issue? It would be interesting to know if this can happen.
>
> No, reshuffling as in a host gained access to LUNs in a 'phantom' manner that
> it should not have had access to. No longer a problem, and hasn't been for a
> great while. It was an odd interaction, but I forget the details.
>
> If another host were put onto the FC with the exact same WWN onto the fabric
> it might be possible to see this sort of thing, too, but the WWN's are all
> supposed to be unique.
>
>> Here are some new additional info :
> ...
>> So my question is: if the LUN has been re partitioned for ex: say to
>> install windows , why am i seeing our data in these newly created
>> partitions? Is it possible to see data in a reapportioned drive?
>
> Yes, it is. If the recovery tool can look at the raw device it can grab
> stuff that isn't in any partition, and you can look at that data. Standard
> forensics. Repartitioning erases nothing except the partition table.
>
> Now, in the specific case of GPT, it is further possible to have a GPT and an
> MBR at the same time, and while the 'shadow' MBR is supposed to match the
> GPT's partitioning it doesn't have to.
>
> If you read through the LVM2 documentation and source code you may be able to
> find the signature used to mark a partition as being LVM; once you do that
> you should be able to find the start of the partition, and re-write the
> partition table(s). I use the plural there since with GPT you can have the
> GPT and the MBR coexisting; ideally you'd want to wipe the GPT out, but in
> reality you may not want to.
>
> But, being that you really don't want to write anything to this volume, you
> really should set up an offset, read-only, loop device; that is, find the
> starting sector of the partition (preferably an image of the LUN, and not the
> actual LUN; can the Hitachi array do LUN replication (EMC's SANcopy or
> Snapview or MirrorView being the rough equivalents)?). Then, once you find
> the starting position of the LVM physical volume:
>
> START_OFFSET_BYTE='actual starting sector number * sector size, zero origin'
> DEVLUN='LUN device, probably /dev/sde in your case'
> losetup -o $START_OFFSET_BYTE --read-only /dev/loop0 $DEVLUN
>
> Then see if you can get LVM to see this physical volume (by default loop
> devices are included in the scan, but you may want to verify they're not
> filtered in /etc/lvm/lvm.conf):
> pvscan
> vgscan
> lvscan
>
> You may be able to mount (-o ro of course) the LV at that point (I'm going
> through the LVM business because you mentioned VG names in your post).
>
> Hope that helps.
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] data recovery
On Monday, September 26, 2011 11:18:06 AM Paras pradhan wrote:
> On Mon, Sep 26, 2011 at 5:53 AM, Lamar Owen wrote:
> > May I ask what sort of SAN?
> Its a Hitachi OpenV fibre channel SAN (4Gbps HBA). My storage admin
> checked if this LUN can be accessible by others and he found no other
> hosts have access to it.

Ok.

> > I've seen some odd LUN reshuffling before,
...
> reshuffling here means automatically changing disk's geometry as I am
> having an issue? It would be interesting to know if this can happen.

No, reshuffling as in a host gained access to LUNs in a 'phantom' manner that it should not have had access to. No longer a problem, and hasn't been for a great while. It was an odd interaction, but I forget the details.

If another host were put onto the FC with the exact same WWN onto the fabric it might be possible to see this sort of thing, too, but the WWN's are all supposed to be unique.

> Here are some new additional info :
...
> So my question is: if the LUN has been re partitioned for ex: say to
> install windows , why am i seeing our data in these newly created
> partitions? Is it possible to see data in a reapportioned drive?

Yes, it is. If the recovery tool can look at the raw device it can grab stuff that isn't in any partition, and you can look at that data. Standard forensics. Repartitioning erases nothing except the partition table.

Now, in the specific case of GPT, it is further possible to have a GPT and an MBR at the same time, and while the 'shadow' MBR is supposed to match the GPT's partitioning it doesn't have to.

If you read through the LVM2 documentation and source code you may be able to find the signature used to mark a partition as being LVM; once you do that you should be able to find the start of the partition, and re-write the partition table(s). I use the plural there since with GPT you can have the GPT and the MBR coexisting; ideally you'd want to wipe the GPT out, but in reality you may not want to.

But, being that you really don't want to write anything to this volume, you really should set up an offset, read-only, loop device; that is, find the starting sector of the partition (preferably an image of the LUN, and not the actual LUN; can the Hitachi array do LUN replication (EMC's SANcopy or Snapview or MirrorView being the rough equivalents)?). Then, once you find the starting position of the LVM physical volume:

START_OFFSET_BYTE='actual starting sector number * sector size, zero origin'
DEVLUN='LUN device, probably /dev/sde in your case'
losetup -o $START_OFFSET_BYTE --read-only /dev/loop0 $DEVLUN

Then see if you can get LVM to see this physical volume (by default loop devices are included in the scan, but you may want to verify they're not filtered in /etc/lvm/lvm.conf):

pvscan
vgscan
lvscan

You may be able to mount (-o ro of course) the LV at that point (I'm going through the LVM business because you mentioned VG names in your post).

Hope that helps.
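The signature search described in the message above, as an added example that is not part of the original post: LVM2 marks a physical volume with a label sector that begins with `LABELONE` and carries the type string `LVM2 001`, placed in one of the first four sectors of the PV, so a read-only scan of an image for that pair yields the byte offset to hand to `losetup -o`. The 512-byte sector size, the function names and the constructed sample image are assumptions.

```python
import struct
import tempfile

SECTOR = 512                  # assumed logical sector size
LABEL_ID = b"LABELONE"        # magic at the start of the LVM2 label sector
LABEL_TYPE = b"LVM2 001"      # label type string of an LVM2 physical volume
LABEL_SCAN_SECTORS = 4        # the label lives in one of the first 4 PV sectors
# label header: id, sector number of the label within the PV, crc, offset, type
HEADER = struct.Struct("<8sQII8s")


def find_lvm_pv_starts(path, chunk_sectors=2048):
    """Return byte offsets at which an LVM2 physical volume appears to start.

    The image is opened read-only and checked at every sector boundary.
    The label CRC is not verified, so treat hits as candidates to confirm
    with pvscan on a read-only loop device.
    """
    starts = []
    with open(path, "rb") as img:
        base = 0
        while True:
            chunk = img.read(chunk_sectors * SECTOR)
            if not chunk:
                break
            for off in range(0, len(chunk) - HEADER.size + 1, SECTOR):
                ident, sector_no, _crc, _hdr_off, ltype = HEADER.unpack_from(chunk, off)
                if ident != LABEL_ID or ltype != LABEL_TYPE:
                    continue
                if sector_no >= LABEL_SCAN_SECTORS:
                    continue          # label claims an impossible position
                pv_start = base + off - sector_no * SECTOR
                if pv_start >= 0:
                    starts.append(pv_start)
            base += len(chunk)
    return starts


def build_sample_image(path, pv_start_sector=2048, total_sectors=4096):
    """Constructed sample: a zero-filled image with an LVM2 label in PV sector 1."""
    label = HEADER.pack(LABEL_ID, 1, 0, 32, LABEL_TYPE)   # crc left at 0 in the sample
    with open(path, "wb") as img:
        img.truncate(total_sectors * SECTOR)
        img.seek((pv_start_sector + 1) * SECTOR)
        img.write(label)


def demo():
    """Scan the constructed image and return the PV start offsets found."""
    with tempfile.NamedTemporaryFile(suffix=".img") as tmp:
        build_sample_image(tmp.name)
        return find_lvm_pv_starts(tmp.name)


if __name__ == "__main__":
    for start in demo():
        print(f"PV candidate at byte {start} (sector {start // SECTOR}): "
              f"losetup -o {start} --read-only /dev/loop0 IMAGE")
```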
Re: [CentOS] data recovery
On Monday, September 26, 2011 06:41:16 PM Ross Walker wrote:
> Might it be possible you ran KVM on the host and accidentally set the guest
> disk to /dev/sda?

/dev/sde is the OP's LUN device.
Re: [CentOS] data recovery
On Sep 26, 2011, at 11:18 AM, Paras pradhan wrote:
> Hi Lamar,
>
> On Mon, Sep 26, 2011 at 5:53 AM, Lamar Owen wrote:
>> On Friday, September 23, 2011 04:29:39 PM Paras pradhan wrote:
>>> This is a SAN drive mounted. I have checked with my storage
>>> administrator if this has been re mapped or any similar events and he
>>> verified that nothing has happened...(I trust him)
>>
>> May I ask what sort of SAN? Fibre Channel or iSCSI? Are there any access
>> controls (such as EMC's Access Logix or zoning in the switch) in place to
>> prevent multiple initiators connecting to a particular LUN?
>
> Its a Hitachi OpenV fibre channel SAN (4Gbps HBA). My storage admin
> checked if this LUN can be accessible by others and he found no other
> hosts have access to it.
>
>>
>> SAN attachment mildly complicates things; I've seen some odd LUN reshuffling
>> before, but it was an older FLARE than what I'm currently running on our
>> Clariions and it was something that was a corner case but was fixed in a
>> later NDU, and it had to do with Access Logix (I don't remember the Primus
>> number right off, as it has been several years now).
>
> reshuffling here means automatically changing disk's geometry as I am
> having an issue? It would be interesting to know if this can happen.
>
>>
>> If the SAN OS keeps event logs you could try to correlate with the event;
>> beyond that you may just have to do some testing.
>>
>> As you say, someone somewhere had to do a repartition; the hard part is
>> determining where the error is. Good luck.
>
>
> Here are some new additional info :
>
> My colleague mounted this LUN to a different host and we found the
> same partitions over there too which is normal.
>
> I dd a 1st device to a file and opened the image file with bvi and
> found some hosts name, VG name etc etc. in there. Then he ran a
> recovery tool (R studio) in all three devices and was able to recover
> most of this data.
> So my question is: if the LUN has been re partitioned for ex: say to
> install windows , why am i seeing our data in these newly created
> partitions? Is it possible to see data in a reapportioned drive?

Might it be possible you ran KVM on the host and accidentally set the guest disk to /dev/sda?

-Ross
Re: [CentOS] data recovery
Paras pradhan wrote:
> Here are some new additional info :
>
> My colleague mounted this LUN to a different host and we found the
> same partitions over there too which is normal.
>
> I dd a 1st device to a file and opened the image file with bvi and
> found some hosts name, VG name etc etc. in there. Then he ran a
> recovery tool (R studio) in all three devices and was able to recover
> most of this data.
> So my question is: if the LUN has been re partitioned for ex: say to
> install windows , why am i seeing our data in these newly created
> partitions? Is it possible to see data in a reapportioned drive?

Partitioning doesn't overwrite the disk. I'm not familiar with R studio, so I don't know if you're saying that whole directories reappeared, or whether it found and relinked the files, and added them to the directory structure.

mark
Re: [CentOS] data recovery
Hi Lamar,

On Mon, Sep 26, 2011 at 5:53 AM, Lamar Owen wrote:
> On Friday, September 23, 2011 04:29:39 PM Paras pradhan wrote:
>> This is a SAN drive mounted. I have checked with my storage
>> administrator if this has been re mapped or any similar events and he
>> verified that nothing has happened...(I trust him)
>
> May I ask what sort of SAN? Fibre Channel or iSCSI? Are there any access
> controls (such as EMC's Access Logix or zoning in the switch) in place to
> prevent multiple initiators connecting to a particular LUN?

Its a Hitachi OpenV fibre channel SAN (4Gbps HBA). My storage admin checked if this LUN can be accessible by others and he found no other hosts have access to it.

>
> SAN attachment mildly complicates things; I've seen some odd LUN reshuffling
> before, but it was an older FLARE than what I'm currently running on our
> Clariions and it was something that was a corner case but was fixed in a
> later NDU, and it had to do with Access Logix (I don't remember the Primus
> number right off, as it has been several years now).

reshuffling here means automatically changing disk's geometry as I am having an issue? It would be interesting to know if this can happen.

>
> If the SAN OS keeps event logs you could try to correlate with the event;
> beyond that you may just have to do some testing.
>
> As you say, someone somewhere had to do a repartition; the hard part is
> determining where the error is. Good luck.

Here are some new additional info :

My colleague mounted this LUN to a different host and we found the same partitions over there too which is normal.

I dd a 1st device to a file and opened the image file with bvi and found some hosts name, VG name etc etc. in there. Then he ran a recovery tool (R studio) in all three devices and was able to recover most of this data.

So my question is: if the LUN has been re partitioned for ex: say to install windows , why am i seeing our data in these newly created partitions? Is it possible to see data in a reapportioned drive?

Thanks
Paras.
Re: [CentOS] data recovery
From: Paras pradhan
> On Fri, Sep 23, 2011 at 3:17 PM, John R Pierce wrote:
>> On 09/23/11 12:33 PM, m.r...@5-cent.us wrote:
>>> Paras pradhan wrote:
> Number  Start   End     Size   File system  Name                          Flags
>  1      17.4kB  134MB   134MB               Microsoft reserved partition  msftres
>  2      135MB   134GB   134GB  ntfs         Basic data partition
>  3      134GB   1100GB  965GB               Basic data partition
>>>
>>> Looks to me as though someone started to install Windows on top of your
>>> box. This isn't partition data magically changed - best guess is someone
>>> started, then stopped, realizing it was the wrong box they were working
>>> on.
>> ay-yup, thats EXACTLY what it looks like. a NEWER version of Windows
>> at that.
> You mean the newer windows will create the partition schema as we are
> seeing it now? And you think its the automatic partitioning by windows
> if somebody has the access to this?

That looks very much like my Windows laptop oem partitioning scheme...

1. The hidden boot partition for a recovery install
2. The main partition (ntfs)
3. The hidden recovery data partition

JD
Re: [CentOS] data recovery
On Friday, September 23, 2011 04:29:39 PM Paras pradhan wrote:
> This is a SAN drive mounted. I have checked with my storage
> administrator if this has been re mapped or any similar events and he
> verified that nothing has happened...(I trust him)

May I ask what sort of SAN? Fibre Channel or iSCSI? Are there any access controls (such as EMC's Access Logix or zoning in the switch) in place to prevent multiple initiators connecting to a particular LUN?

SAN attachment mildly complicates things; I've seen some odd LUN reshuffling before, but it was an older FLARE than what I'm currently running on our Clariions and it was something that was a corner case but was fixed in a later NDU, and it had to do with Access Logix (I don't remember the Primus number right off, as it has been several years now).

If the SAN OS keeps event logs you could try to correlate with the event; beyond that you may just have to do some testing.

As you say, someone somewhere had to do a repartition; the hard part is determining where the error is. Good luck.
Re: [CentOS] data recovery
On Fri, 23 Sep 2011, Michel Donais wrote:
> To: CentOS mailing list
> From: Michel Donais
> Subject: Re: [CentOS] data recovery
>
> Two weeks ago I've been in similar situation on an 80 gig sata drive.
>
> Found it with 8 partition; boot was there but nothing of the operating
> system to load Linux 5.6
>
> My recovery solution was to put the disk on a window system as a secondary
> drive. Just connected to read data
> For reading I found a software called ' nucleus kernel linux' from
> http://www.nucleustechnologies.com/Linux-Data-Recovery-Software.html
>
> On partition 3 I found nearly all my data files and their directories but
> were missing /etc /bin /dev

There's also Parted Magic on the Ultimate Boot CD which is a Live Linux recovery distribution:

New features in UBCD V5.x include:

* New! The Linux-based distro Parted Magic is now included with UBCD V5.0. This should be the method of choice when you need to resize/rescue partitions, access NTFS filesystems or work with USB storage devices.

http://www.ultimatebootcd.com/download.html

Obviously the choice is yours which one suits your needs the best.

Kind Regards,

Keith Roberts

-
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with TMDA [http://tmda.net]
-
Re: [CentOS] data recovery
Two weeks ago I've been in similar situation on an 80 gig sata drive.

Found it with 8 partition; boot was there but nothing of the operating system to load Linux 5.6

My recovery solution was to put the disk on a window system as a secondary drive. Just connected to read data

For reading I found a software called ' nucleus kernel linux' from http://www.nucleustechnologies.com/Linux-Data-Recovery-Software.html

On partition 3 I found nearly all my data files and their directories but were missing /etc /bin /dev

Hope this helps.

---
Michel Donais
Re: [CentOS] data recovery
oops thats a typo.. the 3rd partition is yes 1.1TB and not 10GB. sorry.

Paras.

On Fri, Sep 23, 2011 at 3:43 PM, John R Pierce wrote:
> On 09/23/11 1:32 PM, Paras pradhan wrote:
>> You mean the newer windows will create the partition schema as we are
>> seeing it now? And you think its the automatic partitioning by windows
>> if somebody has the access to this?
>
> i just noticed that 3rd partition is 1.1TB. you had said...
>
>
>> Suddenly my disk device's geometry has been changed to something that
>> does not make any sense. Its a 1.8TB in size and had only one single
>> partition. Now I can see 3 partitions sde1, sde2 and sde2 of sizes
>> 130M, 140GB and 10GB.
>
> even odder. anyways, the reason I suggested a 'newer version' of
> windows, is I believe starting with Windows Vista and Server 2008, the
> windows installer creates a small hidden partition for the boot stuff.
> The fact that the 2nd partition is tagged as NTFS is why we suggested
> Windows at all.
>
>
>
> --
> john r pierce                            N 37, W 122
> santa cruz ca                         mid-left coast
Re: [CentOS] data recovery
On 09/23/11 1:32 PM, Paras pradhan wrote:
> You mean the newer windows will create the partition schema as we are
> seeing it now? And you think its the automatic partitioning by windows
> if somebody has the access to this?

i just noticed that 3rd partition is 1.1TB. you had said...

> Suddenly my disk device's geometry has been changed to something that
> does not make any sense. Its a 1.8TB in size and had only one single
> partition. Now I can see 3 partitions sde1, sde2 and sde2 of sizes
> 130M, 140GB and 10GB.

even odder. anyways, the reason I suggested a 'newer version' of windows, is I believe starting with Windows Vista and Server 2008, the windows installer creates a small hidden partition for the boot stuff. The fact that the 2nd partition is tagged as NTFS is why we suggested Windows at all.

--
john r pierce                            N 37, W 122
santa cruz ca                         mid-left coast
Re: [CentOS] data recovery
On Sep 23, 2011, at 1:32 PM, Paras pradhan wrote:
> On Fri, Sep 23, 2011 at 3:17 PM, John R Pierce wrote:
>> On 09/23/11 12:33 PM, m.r...@5-cent.us wrote:
>>> Paras pradhan wrote:
> Here is o/p John
>
> Number  Start   End     Size   File system  Name                          Flags
>  1      17.4kB  134MB   134MB               Microsoft reserved partition  msftres
>  2      135MB   134GB   134GB  ntfs         Basic data partition
>  3      134GB   1100GB  965GB               Basic data partition
>>>
>>> Looks to me as though someone started to install Windows on top of your
>>> box. This isn't partition data magically changed - best guess is someone
>>> started, then stopped, realizing it was the wrong box they were working
>>> on.
>>
>> ay-yup, thats EXACTLY what it looks like. a NEWER version of Windows
>> at that.
>>
>
> You mean the newer windows will create the partition schema as we are
> seeing it now? And you think its the automatic partitioning by windows
> if somebody has the access to this?

Seems possible to me that those partitions have been there all along and no one actually noticed them

Craig
Re: [CentOS] data recovery
Paras pradhan wrote:
> On Fri, Sep 23, 2011 at 3:17 PM, John R Pierce wrote:
>> On 09/23/11 12:33 PM, m.r...@5-cent.us wrote:
>>> Paras pradhan wrote:
> Here is o/p John
>
> Number  Start   End     Size   File system  Name                          Flags
>  1      17.4kB  134MB   134MB               Microsoft reserved partition  msftres
>  2      135MB   134GB   134GB  ntfs         Basic data partition
>  3      134GB   1100GB  965GB               Basic data partition
>>>
>>> Looks to me as though someone started to install Windows on top of your
>>> box. This isn't partition data magically changed - best guess is
>>> someone started, then stopped, realizing it was the wrong box they
>>> were working on.
>>
>> ay-yup, thats EXACTLY what it looks like. a NEWER version of Windows
>> at that.
>
> You mean the newer windows will create the partition schema as we are
> seeing it now? And you think its the automatic partitioning by windows
> if somebody has the access to this?

That's what we're thinking.

mark
Re: [CentOS] data recovery
On Fri, Sep 23, 2011 at 3:17 PM, John R Pierce wrote:
> On 09/23/11 12:33 PM, m.r...@5-cent.us wrote:
>> Paras pradhan wrote:
>>> > Here is o/p John
>>> >
>>> > Number  Start   End     Size   File system  Name                          Flags
>>> >  1      17.4kB  134MB   134MB               Microsoft reserved partition  msftres
>>> >  2      135MB   134GB   134GB  ntfs         Basic data partition
>>> >  3      134GB   1100GB  965GB               Basic data partition
>>
>> Looks to me as though someone started to install Windows on top of your
>> box. This isn't partition data magically changed - best guess is someone
>> started, then stopped, realizing it was the wrong box they were working
>> on.
>
> ay-yup, thats EXACTLY what it looks like. a NEWER version of Windows
> at that.
>

You mean the newer windows will create the partition schema as we are seeing it now? And you think its the automatic partitioning by windows if somebody has the access to this?

Thanks
Paras.

> Weird how they got disk sde and not sda but I've seen Windows having a
> completely different idea of which device was '0' than Linux before...
>
>
>
> --
> john r pierce                            N 37, W 122
> santa cruz ca                         mid-left coast
Re: [CentOS] data recovery
This is a SAN drive mounted. I have checked with my storage administrator if this has been re mapped or any similar events and he verified that nothing has happened...(I trust him)

Here is one thing I have found. I dd the 1st 134MB partition to an image. and opened it with the hex editor. After that I can verify that this is the same device and was able to read the hostname, VGname etc etc. And AFAIK it is impossible to reshape or change the disk's geometry to its original shape of anything without user intervention.

This is really a mystery.

Thanks
Paras.

On Fri, Sep 23, 2011 at 3:09 PM, Lamar Owen wrote:
> On Friday, September 23, 2011 03:44:58 PM Paras pradhan wrote:
>> Thanks for your detailed suggestion. Yes thats a GPT .. the o/p is from
>> parted.
>
> Is this a removable of some sort, like USB, firewire, eSATA, hot-plug SCSI,
> Fibre-channel, or SAS? Could it have been taken out to another machine at
> any time?
>
> What kind of interfaces have sda, sdb, sdc, and sdd attached, and what kind
> of interface is attached to sde?
Re: [CentOS] data recovery
On 09/23/11 12:33 PM, m.r...@5-cent.us wrote:
> Paras pradhan wrote:
>> > Here is o/p John
>> >
>> > Number  Start   End     Size   File system  Name                          Flags
>> >  1      17.4kB  134MB   134MB               Microsoft reserved partition  msftres
>> >  2      135MB   134GB   134GB  ntfs         Basic data partition
>> >  3      134GB   1100GB  965GB               Basic data partition
>
> Looks to me as though someone started to install Windows on top of your
> box. This isn't partition data magically changed - best guess is someone
> started, then stopped, realizing it was the wrong box they were working
> on.

ay-yup, thats EXACTLY what it looks like. a NEWER version of Windows at that.

Weird how they got disk sde and not sda but I've seen Windows having a completely different idea of which device was '0' than Linux before...

--
john r pierce                            N 37, W 122
santa cruz ca                         mid-left coast
Re: [CentOS] data recovery
On Friday, September 23, 2011 03:44:58 PM Paras pradhan wrote:
> Thanks for your detailed suggestion. Yes thats a GPT .. the o/p is from
> parted.

Is this a removable of some sort, like USB, firewire, eSATA, hot-plug SCSI, Fibre-channel, or SAS? Could it have been taken out to another machine at any time?

What kind of interfaces have sda, sdb, sdc, and sdd attached, and what kind of interface is attached to sde?
Re: [CentOS] data recovery
On Friday, September 23, 2011 03:59:17 PM Keith Roberts wrote:
> If it's a production box in service, and this has
> happened to it, How can it still be running?

It's not the boot or root drive.
Re: [CentOS] data recovery
Keith Roberts wrote:
> On Fri, 23 Sep 2011, m.r...@5-cent.us wrote:
>> From: m.r...@5-cent.us
>> Paras pradhan wrote:
>>> Here is o/p John
>>>
>>> Number  Start   End     Size   File system  Name                          Flags
>>>  1      17.4kB  134MB   134MB               Microsoft reserved partition  msftres
>>>  2      135MB   134GB   134GB  ntfs         Basic data partition
>>>  3      134GB   1100GB  965GB               Basic data partition
>>
>> Looks to me as though someone started to install Windows on top of your
>> box. This isn't partition data magically changed - best guess is someone
>> started, then stopped, realizing it was the wrong box they were working
>> on.
>
> If it's a production box in service, and this has
> happened to it, How can it still be running?

And if it *is* a production box, then you know *exactly* what time it stopped working, and you can find out who was around.

mark
Re: [CentOS] data recovery
On Fri, 23 Sep 2011, m.r...@5-cent.us wrote:
> To: CentOS mailing list
> From: m.r...@5-cent.us
> Subject: Re: [CentOS] data recovery
>
> Paras pradhan wrote:
>> Here is o/p John
>>
>> Number  Start   End     Size   File system  Name                          Flags
>>  1      17.4kB  134MB   134MB               Microsoft reserved partition  msftres
>>  2      135MB   134GB   134GB  ntfs         Basic data partition
>>  3      134GB   1100GB  965GB               Basic data partition
>
> Looks to me as though someone started to install Windows on top of your
> box. This isn't partition data magically changed - best guess is someone
> started, then stopped, realizing it was the wrong box they were working
> on.

If it's a production box in service, and this has happened to it, How can it still be running?

Keith

-
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with TMDA [http://tmda.net]
-
Re: [CentOS] data recovery
On Fri, Sep 23, 2011 at 2:43 PM, Lamar Owen wrote:
> On Friday, September 23, 2011 03:25:10 PM Paras pradhan wrote:
>> Here is o/p John
>>
>> Number  Start   End     Size   File system  Name                          Flags
>>  1      17.4kB  134MB   134MB               Microsoft reserved partition  msftres
>>  2      135MB   134GB   134GB  ntfs         Basic data partition
>>  3      134GB   1100GB  965GB               Basic data partition
>
> Uh, that's GPT. What version of fdisk did you use to generate that output?

Thanks for your detailed suggestion. Yes thats a GPT .. the o/p is from parted.

Paras.
Re: [CentOS] data recovery
On Friday, September 23, 2011 03:25:10 PM Paras pradhan wrote:
> Here is o/p John
>
> Number  Start   End     Size   File system  Name                          Flags
>  1      17.4kB  134MB   134MB               Microsoft reserved partition  msftres
>  2      135MB   134GB   134GB  ntfs         Basic data partition
>  3      134GB   1100GB  965GB               Basic data partition

Uh, that's GPT. What version of fdisk did you use to generate that output?
Re: [CentOS] data recovery
On Thursday, September 22, 2011 06:48:07 PM Paras pradhan wrote:
> Suddenly my disk device's geometry has been changed to something that
> does not make any sense. Its a 1.8TB in size and had only one single
> partition. Now I can see 3 partitions sde1, sde2 and sde2 of sizes
> 130M, 140GB and 10GB.
>
> Is there any way to recover data from these newly created disk devices?

Perhaps. It depends totally on how much has been written to these devices. If anything has been written, you have a problem. If nothing has been written, first back up the partition table, then use fdisk to re-partition with a single partition using exactly the same start and end sectors as you had before. You will have to find out what the original first sector of the original partition was; this will depend upon a number of factors, such as which version of CentOS we're talking about. CentOS 3, 4, and 5 will probably default to a starting sector of 63; CentOS 6 defaults to a starting sector of 2048. In CentOS 5 and prior you will have to run fdisk with the -u option to set the actual starting sector, as opposed to the starting cylinder; in CentOS 6 fdisk already is set that way, and -u does something different.

There are some recovery tools out there such as testdisk and photorec that don't use the filesystem to do recovery, but look for the raw data instead. There are some other forensic tools, available on specialized distributions like CAINE, Backtrack, and NST, that can help you grab usable data off the drive. But it will not be easy, and will take a long time, especially with that large of a drive. Best thing there is to make an image of the drive and work with it instead of the original drive, though.

Once you have the partition table restored to the way it was, you'll probably have to locate a superblock copy somewhere on the drive. I say 'somewhere' simply because the exact locations of the backup copies vary with the size of the device and the block size used in making the filesystem (for ext2, 3, and 4 filesystems; if it was a different filesystem you'll have to use that filesystem's tools and techniques).

But you might get really lucky if absolutely nothing has been written to those three partitions; if you get the start sector correct and absolutely nothing has written to any area of the disk except the partition table your filesystem may be in readable shape. And I mean readable; only attempt read-only mounting of such a filesystem.

It's usually a good thing to keep a backup of the partition table and bootloader areas (typically the whole first cylinder-equivalent, up to the start of the first partition) for just such an emergency.

As to how this might have happened, a miskeyed 'dd' or 'fdisk' by someone can easily do this. Making a new filesystem on the raw device instead of the partition can do that, too. Look in .bash_history (assuming bash) and any audit logs you might have to anything dealing with that device.
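An added example, not part of the original post, of checking candidate start sectors read-only before any partition table is rewritten: it looks for the ext2/3/4 superblock magic 1024 bytes past each candidate start (63 and 2048, the defaults named in the message above) in an image, and computes where the backup superblocks sit for the block size it finds. The 512-byte sector size, the function names and the constructed sample image are assumptions; only the low 32 bits of the block count are read.

```python
import struct
import tempfile

SECTOR = 512              # assumed logical sector size
SB_OFFSET = 1024          # primary superblock sits 1024 bytes into the filesystem
EXT_MAGIC = 0xEF53        # s_magic, little-endian u16 at byte 56 of the superblock
RO_COMPAT_SPARSE_SUPER = 0x1   # backups only in groups 0, 1 and powers of 3, 5, 7


def backup_groups(group_count, sparse):
    """Block groups that carry a backup superblock."""
    if not sparse:
        return list(range(1, group_count))
    groups = {1} if group_count > 1 else set()
    for base in (3, 5, 7):
        g = base
        while g < group_count:
            groups.add(g)
            g *= base
    return sorted(groups)


def read_superblock(img, fs_start):
    """Parse an ext superblock for a filesystem starting at byte fs_start, or None."""
    img.seek(fs_start + SB_OFFSET)
    sb = img.read(1024)
    if len(sb) < 104:
        return None
    (magic,) = struct.unpack_from("<H", sb, 56)
    if magic != EXT_MAGIC:
        return None
    (blocks_count,) = struct.unpack_from("<I", sb, 4)           # low 32 bits only
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 20)
    (blocks_per_group,) = struct.unpack_from("<I", sb, 32)
    (ro_compat,) = struct.unpack_from("<I", sb, 100)
    if log_block_size > 6 or blocks_per_group == 0 or blocks_count <= first_data_block:
        return None       # magic matched by chance; geometry is implausible
    group_count = -(-(blocks_count - first_data_block) // blocks_per_group)
    sparse = bool(ro_compat & RO_COMPAT_SPARSE_SUPER)
    return {
        "block_size": 1024 << log_block_size,
        "group_count": group_count,
        # filesystem block numbers of the backup superblocks
        "backup_blocks": [first_data_block + g * blocks_per_group
                          for g in backup_groups(group_count, sparse)],
    }


def probe_start_sectors(path, candidates=(63, 2048)):
    """Map each candidate start sector that holds an ext superblock to its details."""
    found = {}
    with open(path, "rb") as img:          # read-only: nothing is written
        for sector in candidates:
            info = read_superblock(img, sector * SECTOR)
            if info is not None:
                found[sector] = info
    return found


def build_sample_image(path, start_sector=2048):
    """Constructed sample: only a superblock, for a 4 KiB-block fs at start_sector."""
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 4, 100000)        # s_blocks_count
    struct.pack_into("<II", sb, 20, 0, 2)        # s_first_data_block, s_log_block_size
    struct.pack_into("<I", sb, 32, 32768)        # s_blocks_per_group
    struct.pack_into("<H", sb, 56, EXT_MAGIC)    # s_magic
    struct.pack_into("<I", sb, 100, RO_COMPAT_SPARSE_SUPER)
    with open(path, "wb") as img:
        img.seek(start_sector * SECTOR + SB_OFFSET)
        img.write(sb)


def demo():
    """Probe the constructed image at the two default start sectors."""
    with tempfile.NamedTemporaryFile(suffix=".img") as tmp:
        build_sample_image(tmp.name)
        return probe_start_sectors(tmp.name)


if __name__ == "__main__":
    for sector, info in demo().items():
        print(f"ext superblock found for a partition starting at sector {sector}: {info}")
```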
Re: [CentOS] data recovery
Paras pradhan wrote:
> Here is o/p John
>
> Number  Start   End     Size   File system  Name                          Flags
>  1      17.4kB  134MB   134MB               Microsoft reserved partition  msftres
>  2      135MB   134GB   134GB  ntfs         Basic data partition
>  3      134GB   1100GB  965GB               Basic data partition

Looks to me as though someone started to install Windows on top of your box. This isn't partition data magically changed - best guess is someone started, then stopped, realizing it was the wrong box they were working on.

mark
Re: [CentOS] data recovery
On Fri, Sep 23, 2011 at 1:32 PM, Keith Roberts wrote:
> On Fri, 23 Sep 2011, Paras pradhan wrote:
> *snip*
>
>> No. This is a production server and nobody logs in. Very
>> very restricted.
>
> Have you checked all your logs? What ports are open?
> What CLI tools to format a HDD do you have on the server?
>
>>> Also, is it possible for a trojan program to do this to your
>>> HDD?
>>
>> Are there any known trojan that can change the disk layout?
>
> I don't know of any. What applications do you have running
> on that server?
>
> You say a production server. What type of server - a web
> hosting provider?
>
> What scripting languages do you have running on the server,
> if any?
>
> If you give me an email directly, I might be able to do a
> remote login for you, and some forensics, as that is one of
> my many interests.

Thank you for this. Right now we are running a tool on it to recover the data. And yes logs have nothing.

Paras.

> Kind Regards,
>
> Keith Roberts
Re: [CentOS] data recovery
Here is o/p John

Number  Start   End     Size   File system  Name                          Flags
 1      17.4kB  134MB   134MB               Microsoft reserved partition  msftres
 2      135MB   134GB   134GB  ntfs         Basic data partition
 3      134GB   1100GB  965GB               Basic data partition

Thanks
Paras.

On Fri, Sep 23, 2011 at 1:06 PM, John R Pierce wrote:
> On 09/22/11 3:48 PM, Paras pradhan wrote:
>> Hi,
>>
>> Need help on data recovery.
>>
>> Suddenly my disk device's geometry has been changed to something that
>> does not make any sense. It's a 1.8TB in size and had only one single
>> partition. Now I can see 3 partitions sde1, sde2 and sde2 of sizes
>> 130M, 140GB and 10GB.
>>
>> Is there any way to recover data from these newly created disk devices?
>
> Can you share the output of ...
>
> fdisk -l /dev/sde
>
> be interesting to see just what these partitions look like in terms of
> the disk layout. those sizes sort of correlate with a typical /boot /
> and swap partition
>
> --
> john r pierce N 37, W 122
> santa cruz ca mid-left coast
Re: [CentOS] data recovery
Keith Roberts wrote:
> On Fri, 23 Sep 2011, m.r...@5-cent.us wrote:
>> From: m.r...@5-cent.us
>> Keith Roberts wrote:
>>> On Fri, 23 Sep 2011, Paras pradhan wrote:
>>> *snip*
>>> No. This is a production server and nobody logs in. Very very restricted.
>>>
>>> Have you checked all your logs? What ports are open?
>>> What CLI tools to format a HDD do you have on the server?
>>
>> And then there's the other question: who has *access*, physically, to
>> the server? Staff? Have any staff recently been let go? Cleaning people?
>
> Sounds like somebody may have stuck a Linux installation DVD
> into the drive, and hit Ctrl-Alt-Del ?
>
> Could something like this happen by accident - ie woops I
> hit the wrong machine?

And there's no way they're going to admit it, esp. if they're worried about their job. Now, if the room is locked, and there's either video, or key card records

mark
Re: [CentOS] data recovery
On Fri, 23 Sep 2011, m.r...@5-cent.us wrote:
> To: CentOS mailing list
> From: m.r...@5-cent.us
> Subject: Re: [CentOS] data recovery
>
> Keith Roberts wrote:
>> On Fri, 23 Sep 2011, Paras pradhan wrote:
>> *snip*
>>
>>> No. This is a production server and nobody logs in. Very
>>> very restricted.
>>
>> Have you checked all your logs? What ports are open?
>> What CLI tools to format a HDD do you have on the server?
>
> And then there's the other question: who has *access*, physically, to the
> server? Staff? Have any staff recently been let go? Cleaning people?

Sounds like somebody may have stuck a Linux installation DVD into the drive, and hit Ctrl-Alt-Del ?

Could something like this happen by accident - ie woops I hit the wrong machine?

Keith

Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with TMDA [http://tmda.net]
Re: [CentOS] data recovery
Keith Roberts wrote:
> On Fri, 23 Sep 2011, Paras pradhan wrote:
> *snip*
>
>> No. This is a production server and nobody logs in. Very
>> very restricted.
>
> Have you checked all your logs? What ports are open?
> What CLI tools to format a HDD do you have on the server?

And then there's the other question: who has *access*, physically, to the server? Staff? Have any staff recently been let go? Cleaning people?

mark
Re: [CentOS] data recovery
On Fri, 23 Sep 2011, Paras pradhan wrote:

*snip*

> No. This is a production server and nobody logs in. Very
> very restricted.

Have you checked all your logs? What ports are open?
What CLI tools to format a HDD do you have on the server?

>> Also, is it possible for a trojan program to do this to your
>> HDD?
>
> Are there any known trojan that can change the disk layout?

I don't know of any. What applications do you have running on that server?

You say a production server. What type of server - a web hosting provider?

What scripting languages do you have running on the server, if any?

If you give me an email directly, I might be able to do a remote login for you, and some forensics, as that is one of my many interests.

Kind Regards,

Keith Roberts

Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with TMDA [http://tmda.net]
Re: [CentOS] data recovery
On 09/22/11 3:48 PM, Paras pradhan wrote:
> Hi,
>
> Need help on data recovery.
>
> Suddenly my disk device's geometry has been changed to something that
> does not make any sense. It's a 1.8TB in size and had only one single
> partition. Now I can see 3 partitions sde1, sde2 and sde2 of sizes
> 130M, 140GB and 10GB.
>
> Is there any way to recover data from these newly created disk devices?

Can you share the output of ...

fdisk -l /dev/sde

be interesting to see just what these partitions look like in terms of the disk layout. those sizes sort of correlate with a typical /boot / and swap partition

--
john r pierce N 37, W 122
santa cruz ca mid-left coast
Re: [CentOS] data recovery
On Fri, Sep 23, 2011 at 12:07 PM, Keith Roberts wrote:
> On Thu, 22 Sep 2011, Paras pradhan wrote:
>
>> To: CentOS mailing list
>> From: Paras pradhan
>> Subject: [CentOS] data recovery
>>
>> Hi,
>>
>> Need help on data recovery.
>>
>> Suddenly my disk device's geometry has been changed to
>> something that does not make any sense. It's a 1.8TB in
>> size and had only one single partition. Now I can see 3
>> partitions sde1, sde2 and sde2 of sizes 130M, 140GB and
>> 10GB.
>>
>> Is there any way to recover data from these newly created
>> disk devices?
>
> Hi Paras.
>
> AFAIK disks don't get partitioned out of the blue.

Yes true. We are trying to find out how it happened when nobody did anything to this server.

> They need some sort of intervention to make this happen.
>
> What have you done just before this happened?
>
> Did you try to do an installation of Linux, or something
> else?

No. This is a production server and nobody logs in. Very very restricted.

> Also, is it possible for a trojan program to do this to your
> HDD?

Are there any known trojan that can change the disk layout?

> Kind Regards,
>
> Keith Roberts

Thanks
Paras.
Re: [CentOS] data recovery
On Thu, 22 Sep 2011, Paras pradhan wrote:
> To: CentOS mailing list
> From: Paras pradhan
> Subject: [CentOS] data recovery
>
> Hi,
>
> Need help on data recovery.
>
> Suddenly my disk device's geometry has been changed to
> something that does not make any sense. It's a 1.8TB in
> size and had only one single partition. Now I can see 3
> partitions sde1, sde2 and sde2 of sizes 130M, 140GB and
> 10GB.
>
> Is there any way to recover data from these newly created
> disk devices?

Hi Paras.

AFAIK disks don't get partitioned out of the blue.

They need some sort of intervention to make this happen.

What have you done just before this happened?

Did you try to do an installation of Linux, or something else?

Also, is it possible for a trojan program to do this to your HDD?

Kind Regards,

Keith Roberts

Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with TMDA [http://tmda.net]
[CentOS] data recovery
Hi,

Need help on data recovery.

Suddenly my disk device's geometry has been changed to something that does not make any sense. It's a 1.8TB in size and had only one single partition. Now I can see 3 partitions sde1, sde2 and sde2 of sizes 130M, 140GB and 10GB.

Is there any way to recover data from these newly created disk devices?

Thanks
Paras.
Re: [CentOS] Data recovery with superblocks?
On Friday 17 August 2007 22:12:57 Scott Ehrlich wrote:
> Now, using fdisk, I was reminded of being given superblocks. Although I
> haven't used data recovery techniques using superblocks, is there a way to
> retrieve the superblock numbers the OS has assigned to a partition?

sudo dumpe2fs /dev/sda3 |grep super

--
Tomasz Napierala
System Administrator
Allegro Team
http://www.allegro.pl/
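Added example, not part of the original thread or of any poster's code: Lamar Owen's reply above notes that backup superblock locations depend on device size and block size, and this exchange asks how to list them. The Python sketch below finds a primary ext2/3/4 superblock in a raw image (which also yields the lost partition's start sector) and computes the backup locations; it assumes the sparse_super layout that mke2fs uses by default, and the function names and sample image are constructed for illustration.

```python
import struct

EXT_MAGIC = 0xEF53
SB_OFFSET = 1024   # the primary superblock starts 1024 bytes into the filesystem

def parse_superblock(buf):
    """Decode the geometry fields of an ext2/3/4 superblock, or return None."""
    if len(buf) < 92 or struct.unpack_from("<H", buf, 56)[0] != EXT_MAGIC:
        return None
    blocks, = struct.unpack_from("<I", buf, 4)        # s_blocks_count (low 32 bits)
    first_data, log_bs = struct.unpack_from("<II", buf, 20)
    per_group, = struct.unpack_from("<I", buf, 32)    # s_blocks_per_group
    group_nr, = struct.unpack_from("<H", buf, 90)     # s_block_group_nr: 0 = primary
    if log_bs > 6 or per_group == 0 or first_data > 1:
        return None                                   # magic matched by chance
    return {"block_size": 1024 << log_bs, "blocks": blocks, "group": group_nr,
            "first_data_block": first_data, "blocks_per_group": per_group}

def find_fs_starts(image, sector_size=512):
    """Return (start_sector, superblock) for each primary superblock found.

    `image` is bytes or a read-only mmap of the disk image, never the live LUN.
    """
    hits = []
    for off in range(0, len(image) - SB_OFFSET - 92 + 1, sector_size):
        sb = parse_superblock(image[off + SB_OFFSET:off + SB_OFFSET + 1024])
        if sb and sb["group"] == 0:                   # skip backup copies
            hits.append((off // sector_size, sb))
    return hits

def backup_superblock_blocks(sb):
    """Backup superblock block numbers, assuming the sparse_super layout."""
    groups = -(-(sb["blocks"] - sb["first_data_block"]) // sb["blocks_per_group"])
    wanted = {1}
    for base in (3, 5, 7):                            # groups 1 and powers of 3, 5, 7
        g = base
        while g < groups:
            wanted.add(g)
            g *= base
    return [g * sb["blocks_per_group"] + sb["first_data_block"]
            for g in sorted(wanted) if g < groups]

def make_sample_image(start_sector=63):
    """Constructed sample: zero-filled image with one superblock at start_sector."""
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 4, 2_000_000)          # 2,000,000 blocks
    struct.pack_into("<II", sb, 20, 0, 2)             # first data block 0, 4 KiB blocks
    struct.pack_into("<I", sb, 32, 32768)             # blocks per group
    struct.pack_into("<H", sb, 56, EXT_MAGIC)
    return bytes(start_sector * 512 + SB_OFFSET) + bytes(sb)

if __name__ == "__main__":
    for sector, sb in find_fs_starts(make_sample_image()):
        print(sector, sb["block_size"], backup_superblock_blocks(sb))
```

The block numbers and block size it reports are the values e2fsck accepts as -b and -B; run that only against a read-only copy or loop device.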
[CentOS] Data recovery with superblocks?
It recently occurred to me, as I was partitioning a RAID with fdisk, that when I built the system, I was presented with a graphical utility that "magically" created the partitions.

Now, using fdisk, I was reminded of being given superblocks. Although I haven't used data recovery techniques using superblocks, is there a way to retrieve the superblock numbers the OS has assigned to a partition?

Thanks.

Scott