An entire server was hacked and he did some massive damage. Had DC install new HD and made old HD secondary drive. Running WHM, what would be the best way to see what I have on secondary drive to salvage, including accounts and their websites?
Sorry for the misunderstanding. After he did his business the datacenter installed the new drive with a fresh cPanel installed. The datacenter then set the old hard drive (with the corrupt files and account/settings on it) as the secondary drive.
This may be of some use describing what the hacker did:
We have run chkrootkit and rootkithunter on your server to find the infected files after the hack, and we found the following results.
/usr/bin/md5sum [ BAD ]
Rootkit 'SHV4'... [ Warning! ]
Checking files attributes [ Special attributes found! ]
Scanned files: 342
Possible infected files: 2
Possible rootkits: SHV4 SHV5
Vulnerable applications: 3
Also we found that the user group and users information has been changed.
The results of those 2 rootkits being on the server are a bit disastrous. Many of the system tools I use to investigate what is going on are broken for one reason or another (ps ax and top both yield 'Bus error (core dumped)'), making my investigation's usefulness limited at best.
For some reason there are also no logs on your server, which were probably deleted by the rootkit.