Tags:




Linux partition superblocks destroyed. Suggestions?
June 7, 2005 2:01 PM   RSS feed for this thread Subscribe

Our linux server got invaded and the intruder scrambled the superblocks, probably to cover his tracks. Not realizing what had happened, we (gulp) cycled the machine without first attempting any backups. Do we have any options?

The filesystems that we're concerned with are ext2 partitions. I guess I just can't think of the right keywords to google for this; the pages I get are generally far too simple ("the superblock is...") to be useful. What are our options for rebuilding this disk, if possible? Not expecting detailed instructions, but rather (hopefully) good website references.
posted by rkent to computers & internet (3 comments total)
There's more than one superblock on an ext2 partition. Did he wipe them all?

Have you tried to repair it with fsck? If not, don't, but use fsck to find out what's wrong. The e2fsck manual page documents how to find the alternate superblocks in the section on the -b switch.

So, if you haven't run fsck on it, do so:
fsck -n /dev/hda1
If you have, try with another superblock:
fsck -b 16384 -n /dev/hda1
Of course, replace "16384" and "/dev/hda1" with the right values for your filesystem!

It might be clear if it's recoverable from an alternate superblock, or it might not. You might wish to work with an image of the filesystem instead of the filesystem itself, or at least take an image before you work. 'dd' on a working box is probably the easiest way to do so.

Of course, if the data is valuable, you may be better off having a recovery specialist recover the filesystem than trying to do so yourself.

(I realize that's a very short answer for a difficult problem, but I'm having a hard time figuring out what you've done so far, what your experience level is, and what you've seen to reach the conclusions you reached.)
posted by mendel at 2:23 PM on June 7, 2005


Oh, uh, website references? You'll want to search mailing lists, probably, like ext3-users or ext2-devel . There are lots of people on Usenet with damaged superblocks, too, many of whom have received responses, although a lot of them managed to screw up their partition table rather than their superblock.

I meant to mention the -S option to mke2fs in my previous post, which tells it to only rewrite the superblock -- but use only if you're sure you need to.

(For those of you reading along at home, or coming across this in the archives, or whatever: have some background information on ext2 superblocks from Mark-Jason Dominus.)
posted by mendel at 2:37 PM on June 7, 2005


Mendel, thanks much. We've already created a mirror using dd, so any attemptetd solution is on the table. In terms of expertise, the system administrators (including me) have had some experience building linux systems, adding/removing software, backing up, etc, but no catastrophic data recovery as yet. I'll check out those links, thanks again.
posted by rkent at 3:39 PM on June 7, 2005


« Older I have: 1) G3 iBook 500 runnin...   |   Who is the originator of the f... Newer »

You are not logged in, either login or create an account to post comments



Related Questions
Pimp my NOC June 10, 2008
Linux GUI-oriented programming languages March 31, 2008
Geek self-study November 9, 2007
Help me find a cool little unix http utility I... June 23, 2007
Basic Linux Maintenance April 4, 2007