Results 1 to 25 of 48
  1. #1
    Join Date
    Apr 2006
    Posts
    72

    Someone did rm -rf / on my server

    I was logged in under the root ...and someone in my office did run this command..

    rm -rf /

    Now..I can't ftp to the server nor enter the shell panel..it's a cPanel server..

    Please guide what needs to be done.. i have asked to reboot the server and don't know what should be done here..

    I have 40-50 sites on this server and none seems to be loading right now..

    Any help is appreciated..

  2. #2
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    1) Do not reboot.

    2) You do realize what that command does, right?

    3) Does the command ls work?
    RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca

    www.HostingSecList.com - Security Notices for the Hosting Community.

  3. #3
    Join Date
    Jun 2002
    Location
    Waco, TX
    Posts
    5,623
    rm -rf /, just wiped out your entire server, time to pull out the backups!

  4. #4
    Join Date
    Apr 2006
    Posts
    72
    The server has been rebooted..However we had a backup server..but will that bring everything..??
    I mean the mysql and the email data..

  5. #5
    Join Date
    Jun 2002
    Location
    Waco, TX
    Posts
    5,623
    Quote Originally Posted by wtim View Post
    The server has been rebooted..However we had a backup server..but will that bring everything..??
    I mean the mysql and the email data..
    It depends, do your backups contain the mysql and email partitions/files?

  6. #6
    Join Date
    Apr 2006
    Posts
    72
    Quote Originally Posted by (Stephen) View Post
    It depends, do your backups contain the mysql and email partitions/files?
    I don't know..we had a second drive configured on that server for weekly backups...does that backup mysql as well??

  7. #7
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    Quote Originally Posted by wtim View Post
    does that backup mysql as well??
    You should hope so, along with hoping the rm -rf / didn't erase the backup drive if it was mounted too.

  8. #8
    Join Date
    Apr 2006
    Posts
    72
    Quote Originally Posted by Pat H View Post
    You should hope so, along with hoping the rm -rf / didn't erase the backup drive if it was mounted too.
    Yes..it was mounted..but I don't know as I am not able to log in to the shell prompt..

    I can feel I am having a bad day..my entire work of 2-3 years has gone in vain if there isn't anything much to be done..

    I have a 3rd party backup as well..but I only have www files over there..I am just scared of the mysql databases..because there really isn't any way to back them up..

  9. #9
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    Quote Originally Posted by wtim View Post
    Yes..it was mounted..but I don't know as I am not able to log in to the shell prompt..

    I can feel I am having a bad day..my entire work of 2-3 years has gone in vain if there isn't anything much to be done..

    I have a 3rd party backup as well..but I only have www files over there..I am just scared of the mysql databases..because there really isn't any way to back them up..


    All you can do now is ask your data center to check the backup hard drive to see if the content is intact.

    If the content is no longer available, you could have the drive sent to a data recovery company, that is assuming your data center will release the hard drive to you.

  10. #10
    Join Date
    Apr 2006
    Posts
    72
    Quote Originally Posted by Pat H View Post


    All you can do now is ask your data center to check the backup hard drive to see if the content is intact.

    If the content is no longer available, you could have the drive sent to a data recovery company, that is assuming your data center will release the hard drive to you.
    Our server is on layeredtech..and they are a self managed company..I heard from the technician that they don't do restore stuff..however they can reload the OS and are asking me to restore from the secondary drive...( considering if the data is still there )..

  11. #11
    Join Date
    Apr 2006
    Posts
    72
    Can someone tell me where does the .sql file reside in a cPanel server for every account created..

    Let's say..I have abc.com on a cPanel server..and have 3 DBs..can you tell where I can find the sql files for them in a server??

  12. #12
    Join Date
    Apr 2006
    Posts
    72
    Just received a message from the datacenter that they can't enter into any run levels even from the single user mode..

    The only option they suggest is to reload the primary drive OS and see if the data still exists in secondary drive and could be restored..

    What do you guys think..

    a) Will the data exist on the secondary drive?
    b) Will reloading the OS on the primary drive affect the secondary drive?


    I am just thinking..if the secondary drive data also got deleted..then there is no option I believe..??

  13. #13
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    Quote Originally Posted by wtim View Post
    a) Will the data exist on the secondary drive?
    b) Will reloading the OS on the primary drive affect the secondary drive?
    If the secondary hard drive was mounted and the rm -rf / command was left to execute, then there's a good chance the data has been erased. Hopefully by some fluke, it's still there...

    Reloading the OS on the primary hard drive should have no effect on the secondary drive. The biggest concern would be a data center technician not paying attention and accidentally formatting the drive, or installing the OS on it... make sure they are well aware to not touch the secondary drive.

  14. #14
    Join Date
    Apr 2006
    Posts
    72
    Quote Originally Posted by Pat H View Post
    If the secondary hard drive was mounted and the rm -rf / command was left to execute, then there's a good chance the data has been erased. Hopefully by some fluke, it's still there...

    Reloading the OS on the primary hard drive should have no effect on the secondary drive. The biggest concern would be a data center technician not paying attention and accidentally formatting the drive, or installing the OS on it... make sure they are well aware to not touch the secondary drive.
    They said..they would be reloading the OS on a separate drive..keeping the two primary and secondary drives untouched...

    Let's keep the fingers crossed..and thanks PatH for the responses..it's you guys who keep the noobs alive by these responses..really much appreciated..

  15. #15
    Join Date
    Aug 2006
    Location
    Canada
    Posts
    763
    Who would do such a thing in your office? I'll need to be careful too after hearing this, somebody might come over and just do it for the fun of it.
    Otto Yiu
    Rsync Palace ● Providing offsite backups since 2007.
    Backomatic ● Hassle-free Automated cPanel/WHM, DirectAdmin, FTP, and MySQL backups.

  16. #16
    Join Date
    Oct 2005
    Posts
    439
    Quote Originally Posted by -OY- View Post
    Who would do such a thing in your office? I'll need to be careful too after hearing this, somebody might come over and just do it for the fun of it.
    yeah I was wondering the same....

    I guess you must have stepped away and left your computer unlocked? If you wiped out a Fortune 500 company's data like that, chances are you might go to jail. So whoever did this to you, you need to try and find them and have them face the penalty. If you know who it might be, report them to your manager (assuming by office you meant your day job). I would even consider a lawsuit against the offender. That's BS!
    Last edited by subzer0; 03-05-2008 at 01:38 AM.

  17. #17
    Join Date
    Jan 2003
    Location
    U.S.A.
    Posts
    3,928
    I'm so sorry to hear that someone would do something like this. I will be a little more cautious when logged in as root.

  18. #18
    Join Date
    Jan 2004
    Location
    Greece
    Posts
    2,211
    I haven't tested what happens when rm -fr / deletes /bin/rm

    Does the deleting of files still continue or does it stop? I think it continues because the command is loaded in memory.
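
The behaviour asked about here can be observed safely on a scratch copy of a binary. The script below is an added example, not part of the original post; it assumes a `sleep` binary at /bin/sleep or /usr/bin/sleep and a temporary directory that allows execution.

```shell
#!/bin/sh
# Added example: a program keeps running after its own file is unlinked.

# survives_unlink: copies the system sleep binary (path is an assumption)
# into a scratch directory, starts the copy, deletes it, then checks the process.
# Prints "still-running" or "stopped".
survives_unlink() {
    src=/bin/sleep; [ -x "$src" ] || src=/usr/bin/sleep
    dir=$(mktemp -d) || return 1
    cp "$src" "$dir/sleep" || return 1
    "$dir/sleep" 30 >/dev/null 2>&1 &
    pid=$!
    sleep 1                          # give the copy time to start
    rm -f "$dir/sleep"               # unlink the binary while it is executing
    if [ ! -e "$dir/sleep" ] && kill -0 "$pid" 2>/dev/null; then
        result=still-running         # the inode stays allocated until the process exits
    else
        result=stopped
    fi
    kill "$pid" 2>/dev/null || true  # clean up the background copy
    wait "$pid" 2>/dev/null || true
    rmdir "$dir"
    echo "$result"
}

survives_unlink
```

The same holds for a running rm: removing the directory entry for /bin/rm does not stop the process, so the deletion goes on until the process exits or is killed.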

  19. #19
    Join Date
    Jul 2004
    Posts
    63
    would be handy to be able to setup a password when removing files from certain directories, suppose this is where not using root directly comes in.

    If you've run "rm -rf /" then I would say it would remove all data in your mounts. Your only option is to have the hard disk sent to you or a 3rd party company for data recovery, it may even be possible to pay layeredtech to do such a thing but I'm thinking this is your only option.
    Cast-Control
    --------------
    Shoutcast Control Panel - Standalone - Billing Features - GeoIP Features - Stream Authentication - MSN Control - Cluster - Reselling - Video Streaming
    Managed VPS Hosting

  20. #20
    Join Date
    Apr 2006
    Posts
    72
    Quote Originally Posted by Extreme43 View Post

    If you've run "rm -rf /" then I would say it would remove all data in your mounts.
    This is what is scaring me the most..I have all the data files backed up..but not the database..on a 3rd party server...

    I can easily restore all the php., html files from the 3rd disk..but it won't function until the whole DB is not there...

  21. #21
    Join Date
    Jul 2004
    Posts
    63
    How old is the backup and what directories are you backing up? If you have the files backed up then the mysql files should still be intact (depending on your backup scheme).

    Check out /var/lib/mysql/ on your backup, if you have backed this up you will most likely find the files within this directory. If not, do a search for *.MYD and *.MYI (MySQL) files and hopefully it will come up with something.

    I would say the last resort would be to contact your customers, offer them a refund for the full or partial period with a free future month or two thrown in if they wish to continue your services - ask them if they have made their own backups, you will find often that customers won't trust hosting services and make their own regular backups.

    Then you would be on your steps to recovering your business, if your customers want something - throw it in free. After all, you were responsible for their websites and you have failed (no intentional offense). If it were me I would probably make the person responsible for running that command take on the bulk of the work (if they are your employee that is).
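
One way to carry out the check suggested above against a mounted backup, as an added example that is not part of the original post: it lists every MyISAM table under a backup root and reports whether its .frm, .MYD and .MYI files are all present. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: inventory MyISAM table files (*.frm, *.MYD, *.MYI) in a backup tree.

# find_mysql_tables ROOT
# Prints one sorted line per table found under ROOT:
#   complete <db>/<table>
#   partial <db>/<table> missing=<ext,...>
find_mysql_tables() {
    find "$1" -type f \( -name '*.MYD' -o -name '*.MYI' -o -name '*.frm' \) 2>/dev/null |
    awk '{
        ext = $0; sub(".*\\.", "", ext)        # frm, MYD or MYI
        tbl = $0; sub("\\.[^./]*$", "", tbl)   # full path minus extension
        have[tbl, ext] = 1; tables[tbl] = 1
    }
    END {
        split("frm MYD MYI", need, " ")
        for (t in tables) {
            missing = ""
            for (i = 1; i <= 3; i++)
                if (!((t, need[i]) in have))
                    missing = missing (missing == "" ? "" : ",") need[i]
            n = split(t, p, "/")
            name = p[n-1] "/" p[n]             # <db>/<table>
            if (missing == "") print "complete " name
            else               print "partial " name " missing=" missing
        }
    }' | sort
}

# Constructed sample: a fake backup tree with one intact and one damaged table.
make_sample_backup() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/var/lib/mysql/shop"
    for f in orders.frm orders.MYD orders.MYI users.frm users.MYD; do
        : > "$d/var/lib/mysql/shop/$f"
    done
    echo "$d"
}

sample=$(make_sample_backup)
find_mysql_tables "$sample"
[ -n "$sample" ] && rm -rf "$sample"
```

InnoDB tables keep their rows in the shared ibdata files rather than in per-table .MYD/.MYI files, so they show up here as partial with only a .frm present.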

  22. #22
    Join Date
    Apr 2006
    Posts
    72
    Quote Originally Posted by Extreme43 View Post
    How old is the backup and what directories are you backing up? If you have the files backed up then the mysql files should still be intact (depending on your backup scheme).

    Check out /var/lib/mysql/ on your backup, if you have backed this up you will most likely find the files within this directory. If not, do a search for *.MYD and *.MYI (MySQL) files and hopefully it will come up with something.

    I would say the last resort would be to contact your customers, offer them a refund for the full or partial period with a free future month or two thrown in if they wish to continue your services - ask them if they have made their own backups, you will find often that customers won't trust hosting services and make their own regular backups.

    Then you would be on your steps to recovering your business, if your customers want something - throw it in free. After all, you were responsible for their websites and you have failed (no intentional offense). If it were me I would probably make the person responsible for running that command take on the bulk of the work (if they are your employee that is).

    Yeah..I am all at this..I have already informed the clients and offer them a solution..they are happy with it..

    Unfortunately..I just backed up the home partition and nothing else.....which was the problem..
    We haven't received any notice from the datacenter about the second drive..which is what I am waiting for at the moment...If the second drive data is also deleted..then the only solution left for me is to start fresh with copying just the files from the 3rd server..
    Now.. Is there any way to transfer the files from one FTP server to another server using an ftp software, i.e. 2 remote servers..as it would be impossible for me to copy 1 file each from the linux server..or download them on a local machine and then re-upload on the main machine..

  23. #23
    Join Date
    Jul 2004
    Posts
    63
    ok, glad to see your customers are understanding with the situation. I don't see why it would be impossible to copy the files, you could tar the home directory - move it to the webserver and wget it into your other server. Then simply untar the files.

    You could use a site-to-site transfer (FXP I think it is) but it would take forever for the fact there would be so many individual files.

    I still think you should look into a data recovery service, it is not as difficult as it sounds. To break it down, when you delete a file on the disk the sector/block is simply set to "Allow data to overwrite" and your data is NOT destroyed. I know this applies to NTFS but am unsure about others - wouldn't see a reason not to.

    Furthermore your customers will be impressed to see this.

  24. #24
    Join Date
    Apr 2006
    Posts
    72
    Quote Originally Posted by Extreme43 View Post
    ok, glad to see your customers are understanding with the situation. I don't see why it would be impossible to copy the files, you could tar the home directory - move it to the webserver and wget it into your other server. Then simply untar the files.

    You could use a site-to-site transfer (FXP I think it is) but it would take forever for the fact there would be so many individual files.

    I still think you should look into a data recovery service, it is not as difficult as it sounds. To break it down, when you delete a file on the disk the sector/block is simply set to "Allow data to overwrite" and your data is NOT destroyed. I know this applies to NTFS but am unsure about others - wouldn't see a reason not to.

    Furthermore your customers will be impressed to see this.
    Yeah...I would request the LT guys to check with data recovery on the primary drive which will be kept on a pending queue..but I am not sure how much it might cost ....and since they are a self managed company..I doubt they would escalate the process of data recovery on the primary drive..

    Yeah..I would try the TAR option ..just wanted to check if there is an easier process..However..since the server is a cPanel server..would the mail folder in /home/x123/mail/ still contain all the mails??

  25. #25
    Join Date
    May 2006
    Location
    EU & USA
    Posts
    3,684
    OMG, I hope you find out who did this, these are no jokes. Can't imagine anyone would do this to any server. Lesson learned: Off-site backups no mounts.
