Linux partition superblocks destroyed. Suggestions?
June 7, 2005 2:01 PM

Our linux server got invaded and the intruder scrambled the superblocks, probably to cover his tracks. Not realizing what had happened, we (gulp) cycled the machine without first attempting any backups. Do we have any options?

The filesystems that we're concerned with are ext2 partitions. I guess I just can't think of the right keywords to google for this; the pages I get are generally far too simple ("the superblock is...") to be useful. What are our options for rebuilding this disk, if possible? Not expecting detailed instructions, but rather (hopefully) good website references.
posted by rkent to Computers & Internet (3 answers total)
 
There's more than one superblock on an ext2 partition. Did he wipe them all?

Have you tried to repair it with fsck? If not, don't, but use fsck to find out what's wrong. The e2fsck manual page documents how to find the alternate superblocks in the section on the -b switch.

So, if you haven't run fsck on it, do so:
fsck -n /dev/hda1
If you have, try with another superblock:
fsck -b 16384 -n /dev/hda1
Of course, replace "16384" and "/dev/hda1" with the right values for your filesystem!

It might be clear if it's recoverable from an alternate superblock, or it might not. You might wish to work with an image of the filesystem instead of the filesystem itself, or at least take an image before you work. 'dd' on a working box is probably the easiest way to do so.

Of course, if the data is valuable, you may be better off having a recovery specialist recover the filesystem than trying to do so yourself.

(I realize that's a very short answer for a difficult problem, but I'm having a hard time figuring out what you've done so far, what your experience level is, and what you've seen to reach the conclusions you reached.)
posted by mendel at 2:23 PM on June 7, 2005
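
Added example (not part of the thread and not code from e2fsprogs): a read-only scan of a dd image for surviving ext2 superblock copies, reporting for each backup the block number that the -b switch mentioned above expects. The field offsets follow the on-disk ext2 superblock layout; the function names and the small sample image are constructed for illustration.

```python
import mmap
import struct
import sys

MAGIC = 0xEF53  # s_magic, little-endian u16 at byte 56 of every superblock copy
# s_blocks_count, s_first_data_block, s_log_block_size, s_blocks_per_group,
# s_magic, s_block_group_nr (byte offsets 4, 20, 24, 32, 56, 90)
SB = struct.Struct("<4xI12xII4xI20xH32xH")

def parse_sb(buf, off):
    """Decode the superblock copy at byte offset off; None if implausible."""
    blocks, first_data, log_bs, per_group, magic, group = SB.unpack_from(buf, off)
    if magic != MAGIC or log_bs > 6 or blocks == 0 or per_group == 0:
        return None
    return {"offset": off, "block_size": 1024 << log_bs, "blocks": blocks,
            "first_data_block": first_data, "blocks_per_group": per_group,
            "group": group}

def find_superblocks(buf):
    """Scan an image (bytes or read-only mmap) for surviving superblock copies."""
    hits = []
    for off in range(1024, len(buf) - SB.size + 1, 1024):  # copies are 1 KiB aligned
        sb = parse_sb(buf, off)
        if sb is None:
            continue
        if off == 1024:                      # the primary always sits at byte 1024
            sb["role"], sb["fsck_block"] = "primary", None
        elif off % sb["block_size"] == 0:    # a backup starts its block
            sb["role"], sb["fsck_block"] = "backup", off // sb["block_size"]
        else:
            continue                         # magic at an impossible position
        hits.append(sb)
    return hits

def demo_image():
    """Constructed 32 KiB sample: primary wiped, backups left in groups 1 and 3."""
    img = bytearray(32 * 1024)
    for group in (1, 3):                     # 1 KiB blocks, 8 blocks per group
        SB.pack_into(img, (1 + group * 8) * 1024, 64, 1, 0, 8, MAGIC, group)
    return bytes(img)

if __name__ == "__main__":
    if len(sys.argv) > 1:                    # path to a dd image, opened read-only
        with open(sys.argv[1], "rb") as f:
            buf = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
    else:
        buf = demo_image()
    for sb in find_superblocks(buf):
        print(sb)
```

Hits are candidates only: a stray copy of the magic inside file data can pass these checks, so compare the reported fields across hits before handing a fsck_block value to fsck -b -n.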


Oh, uh, website references? You'll want to search mailing lists, probably, like ext3-users or ext2-devel. There are lots of people on Usenet with damaged superblocks, too, many of whom have received responses, although a lot of them managed to screw up their partition table rather than their superblock.

I meant to mention the -S option to mke2fs in my previous post, which tells it to only rewrite the superblock -- but use only if you're sure you need to.

(For those of you reading along at home, or coming across this in the archives, or whatever: have some background information on ext2 superblocks from Mark-Jason Dominus.)
posted by mendel at 2:37 PM on June 7, 2005


Response by poster: Mendel, thanks much. We've already created a mirror using dd, so any attempted solution is on the table. In terms of expertise, the system administrators (including me) have had some experience building linux systems, adding/removing software, backing up, etc, but no catastrophic data recovery as yet. I'll check out those links, thanks again.
posted by rkent at 3:39 PM on June 7, 2005

