Sleuthkit + Autopsy :: Recover Deleted Files And More
Aug 19, 2008
A life-saver for naive admins who have inadvertently deleted files and are groping in the dark for help.
View 0 Replies
I deleted one of our databases from PLESK by mistake; now how can I recover that database? My backup is very old and I cannot use the backup file.
This is urgent; I'm in a bad situation, please help me.
My server is Linux.
I found this article:
[url]
I don't know whether this article can help me or not.
My server with Plesk 11 died a few days ago. I now have a new server with Plesk 12.
I have the entire /var folder copied up from the old server.
How do I restore emails to the new server? Can I simply copy /var/qmail/mailnames/domain.name from the backed up /var folder into the corresponding folder on the new server?
My /var partition is getting full and most of the problem seems to be with the files in /var/cache/logwatch/ using up all the space. Can those be deleted?
View 4 Replies View Related
I just deleted several large files via FTP, but when I go in to SSH they still appear. Is there some sort of lag or something?
View 1 Replies View Related
After installing kernels, it seems /boot is going to be full soon. Which files can be safely deleted? I mean, let's say, to keep the latest kernel and the previous version:
root@[/boot]# ls -la
total 70317
drwxr-xr-x 4 root root 3072 Dec 4 11:28 ./
drwxr-xr-x 22 root root 4096 Sep 29 10:41 ../
-rwxr--r-- 1 root root 6144 Nov 9 2006 aquota.user*
-rw-r--r-- 1 root root 48736 Sep 28 2005 config-2.4.21-37.EL
-rw-r--r-- 1 root root 48851 Sep 28 2005 config-2.4.21-37.ELsmp
-rw-r--r-- 1 root root 48951 Oct 19 2006 config-2.4.21-47.0.1.EL
-rw-r--r-- 1 root root 49066 Oct 19 2006 config-2.4.21-47.0.1.ELsmp
-rw-r--r-- 1 root root 49066 Aug 1 2006 config-2.4.21-47.ELsmp
-rw-r--r-- 1 root root 48951 Jun 11 18:29 config-2.4.21-50.EL
-rw-r--r-- 1 root root 49066 Jun 11 18:21 config-2.4.21-50.ELsmp
-rw-r--r-- 1 root root 48951 Aug 16 17:11 config-2.4.21-51.EL
-rw-r--r-- 1 root root 49066 Aug 16 17:03 config-2.4.21-51.ELsmp
-rw-r--r-- 1 root root 48951 Sep 27 18:38 config-2.4.21-52.EL
-rw-r--r-- 1 root root 49066 Sep 27 18:30 config-2.4.21-52.ELsmp
-rw-r--r-- 1 root root 48951 Dec 3 13:51 config-2.4.21-53.EL
-rw-r--r-- 1 root root 49066 Dec 3 13:42 config-2.4.21-53.ELsmp
drwxr-xr-x 2 root root 1024 Dec 4 11:28 grub/
-rw-r--r-- 1 root root 276201 May 5 2006 initrd-2.4.21-37.EL.img
-rw-r--r-- 1 root root 283119 May 5 2006 initrd-2.4.21-37.ELsmp.img
-rw-r--r-- 1 root root 282640 Apr 10 2007 initrd-2.4.21-47.0.1.EL.img
-rw-r--r-- 1 root root 289544 Oct 21 2006 initrd-2.4.21-47.0.1.ELsmp.img
-rw-r--r-- 1 root root 289539 Sep 23 2006 initrd-2.4.21-47.ELsmp.img
-rw-r--r-- 1 root root 282779 Jun 26 22:04 initrd-2.4.21-50.EL.img
-rw-r--r-- 1 root root 289656 Jun 26 22:03 initrd-2.4.21-50.ELsmp.img
-rw-r--r-- 1 root root 282783 Aug 21 05:32 initrd-2.4.21-51.EL.img
-rw-r--r-- 1 root root 289652 Aug 21 05:32 initrd-2.4.21-51.ELsmp.img
-rw-r--r-- 1 root root 282781 Sep 28 08:22 initrd-2.4.21-52.EL.img
-rw-r--r-- 1 root root 289649 Sep 28 08:23 initrd-2.4.21-52.ELsmp.img
-rw-r--r-- 1 root root 282778 Dec 4 11:27 initrd-2.4.21-53.EL.img
-rw-r--r-- 1 root root 289653 Dec 4 11:28 initrd-2.4.21-53.ELsmp.img
-rw-r--r-- 1 root root 547 May 5 2006 kernel.h
drwx------ 2 root root 12288 May 5 2006 lost+found/
-rw-r--r-- 1 root root 10213 Jan 4 2005 message
-rw-r--r-- 1 root root 10213 Jan 4 2005 message.ja
-rwxr--r-- 1 root root 32 Nov 9 2006 quota.user*
lrwxrwxrwx 1 root root 26 Sep 29 09:37 System.map -> System.map-2.4.21-52.ELsmp
-rw-r--r-- 1 root root 578588 Sep 28 2005 System.map-2.4.21-37.EL
-rw-r--r-- 1 root root 606073 Sep 28 2005 System.map-2.4.21-37.ELsmp
-rw-r--r-- 1 root root 580154 Oct 19 2006 System.map-2.4.21-47.0.1.EL
-rw-r--r-- 1 root root 607622 Oct 19 2006 System.map-2.4.21-47.0.1.ELsmp
-rw-r--r-- 1 root root 607622 Aug 1 2006 System.map-2.4.21-47.ELsmp
-rw-r--r-- 1 root root 580321 Jun 11 18:29 System.map-2.4.21-50.EL
-rw-r--r-- 1 root root 607789 Jun 11 18:21 System.map-2.4.21-50.ELsmp
-rw-r--r-- 1 root root 580321 Aug 16 17:11 System.map-2.4.21-51.EL
-rw-r--r-- 1 root root 607789 Aug 16 17:03 System.map-2.4.21-51.ELsmp
-rw-r--r-- 1 root root 580321 Sep 27 18:38 System.map-2.4.21-52.EL
-rw-r--r-- 1 root root 607789 Sep 27 18:30 System.map-2.4.21-52.ELsmp
-rw-r--r-- 1 root root 580321 Dec 3 13:51 System.map-2.4.21-53.EL
-rw-r--r-- 1 root root 607789 Dec 3 13:42 System.map-2.4.21-53.ELsmp
-rwxr-xr-x 1 root root 2908624 Sep 28 2005 vmlinux-2.4.21-37.EL*
-rwxr-xr-x 1 root root 3543696 Sep 28 2005 vmlinux-2.4.21-37.ELsmp*
-rwxr-xr-x 1 root root 2912724 Oct 19 2006 vmlinux-2.4.21-47.0.1.EL*
-rwxr-xr-x 1 root root 3551892 Oct 19 2006 vmlinux-2.4.21-47.0.1.ELsmp*
-rwxr-xr-x 1 root root 3551888 Aug 1 2006 vmlinux-2.4.21-47.ELsmp*
-rwxr-xr-x 1 root root 2912720 Jun 11 18:29 vmlinux-2.4.21-50.EL*
-rwxr-xr-x 1 root root 3551888 Jun 11 18:21 vmlinux-2.4.21-50.ELsmp*
-rwxr-xr-x 1 root root 2912720 Aug 16 17:11 vmlinux-2.4.21-51.EL*
-rwxr-xr-x 1 root root 3551888 Aug 16 17:03 vmlinux-2.4.21-51.ELsmp*
-rwxr-xr-x 1 root root 2912720 Sep 27 18:38 vmlinux-2.4.21-52.EL*
-rwxr-xr-x 1 root root 3551888 Sep 27 18:30 vmlinux-2.4.21-52.ELsmp*
-rwxr-xr-x 1 root root 2912720 Dec 3 13:51 vmlinux-2.4.21-53.EL*
-rwxr-xr-x 1 root root 3551888 Dec 3 13:42 vmlinux-2.4.21-53.ELsmp*
-rw-r--r-- 1 root root 1252609 Sep 28 2005 vmlinuz-2.4.21-37.EL
-rw-r--r-- 1 root root 1363969 Sep 28 2005 vmlinuz-2.4.21-37.ELsmp
-rw-r--r-- 1 root root 1260075 Oct 19 2006 vmlinuz-2.4.21-47.0.1.EL
-rw-r--r-- 1 root root 1368141 Oct 19 2006 vmlinuz-2.4.21-47.0.1.ELsmp
-rw-r--r-- 1 root root 1367751 Aug 1 2006 vmlinuz-2.4.21-47.ELsmp
-rw-r--r-- 1 root root 1260875 Jun 11 18:29 vmlinuz-2.4.21-50.EL
-rw-r--r-- 1 root root 1370368 Jun 11 18:21 vmlinuz-2.4.21-50.ELsmp
-rw-r--r-- 1 root root 1260877 Aug 16 17:11 vmlinuz-2.4.21-51.EL
-rw-r--r-- 1 root root 1370369 Aug 16 17:03 vmlinuz-2.4.21-51.ELsmp
-rw-r--r-- 1 root root 1260879 Sep 27 18:38 vmlinuz-2.4.21-52.EL
-rw-r--r-- 1 root root 1370369 Sep 27 18:30 vmlinuz-2.4.21-52.ELsmp
-rw-r--r-- 1 root root 1260893 Dec 3 13:51 vmlinuz-2.4.21-53.EL
-rw-r--r-- 1 root root 1370450 Dec 3 13:42 vmlinuz-2.4.21-53.ELsmp
root@[/boot]#
This is the /etc/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/sda2
# initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title CentOS (2.4.21-53.ELsmp)
root (hd0,0)
kernel /vmlinuz-2.4.21-53.ELsmp ro root=LABEL=/
initrd /initrd-2.4.21-53.ELsmp.img
title CentOS (2.4.21-53.EL)
root (hd0,0)
kernel /vmlinuz-2.4.21-53.EL ro root=LABEL=/
initrd /initrd-2.4.21-53.EL.img
title CentOS (2.4.21-52.ELsmp)
root (hd0,0)
kernel /vmlinuz-2.4.21-52.ELsmp ro root=LABEL=/
initrd /initrd-2.4.21-52.ELsmp.img
title CentOS (2.4.21-52.EL)
root (hd0,0)
kernel /vmlinuz-2.4.21-52.EL ro root=LABEL=/
initrd /initrd-2.4.21-52.EL.img
title CentOS (2.4.21-51.ELsmp)
root (hd0,0)
kernel /vmlinuz-2.4.21-51.ELsmp ro root=LABEL=/
initrd /initrd-2.4.21-51.ELsmp.img
title CentOS (2.4.21-51.EL)
root (hd0,0)
kernel /vmlinuz-2.4.21-51.EL ro root=LABEL=/
initrd /initrd-2.4.21-51.EL.img
title CentOS (2.4.21-50.EL)
root (hd0,0)
kernel /vmlinuz-2.4.21-50.EL ro root=LABEL=/
initrd /initrd-2.4.21-50.EL.img
title CentOS (2.4.21-50.ELsmp)
root (hd0,0)
kernel /vmlinuz-2.4.21-50.ELsmp ro root=LABEL=/
initrd /initrd-2.4.21-50.ELsmp.img
title CentOS (2.4.21-47.0.1.EL)
root (hd0,0)
kernel /vmlinuz-2.4.21-47.0.1.EL ro root=LABEL=/
initrd /initrd-2.4.21-47.0.1.EL.img
title CentOS (2.4.21-47.0.1.ELsmp)
root (hd0,0)
kernel /vmlinuz-2.4.21-47.0.1.ELsmp ro root=LABEL=/
initrd /initrd-2.4.21-47.0.1.ELsmp.img
title CentOS (2.4.21-47.ELsmp)
root (hd0,0)
kernel /vmlinuz-2.4.21-47.ELsmp ro root=LABEL=/
initrd /initrd-2.4.21-47.ELsmp.img
title CentOS-3 (2.4.21-37.ELsmp)
root (hd0,0)
kernel /vmlinuz-2.4.21-37.ELsmp ro root=LABEL=/
initrd /initrd-2.4.21-37.ELsmp.img
title CentOS-3-up (2.4.21-37.EL)
root (hd0,0)
kernel /vmlinuz-2.4.21-37.EL ro root=LABEL=/
initrd /initrd-2.4.21-37.EL.img
I recently updated from 11.5 to 12. After the update, my PHP session files are no longer being deleted.
I followed the steps in article 119500 [URL] ..... I was able to run the steps manually but cron does not seem to be able to run them automatically.
The PHP sessions folder permissions seem correct:
drwx-wx-wt 2 root root 548864 Sep 21 12:12 session
The "/etc/php.ini" file seems reasonable and the session file path seems correct:
session.save_path = "/var/lib/php/session"
But the session files never get deleted automatically. The session folder fills up quickly and I have been deleting session files manually while trying to resolve the problem. How can I verify that the default Plesk cron jobs are set up and running properly?
When you delete a site backup from its "Backup Manager" Panel, it is removed and no longer displayed in the Panel. However, I cannot tell if this action actually does anything with the real site backup files in "/var/lib/psa/dumps". Does this action merely remove it from PSA's database but not touch any actual files? If this is true, then how are site backup files supposed to be managed if this action doesn't actually delete them?
View 3 Replies View Related
I've had some recurring problems with my host, VPSLink. For some reason startup scripts and init files keep on being deleted and I can't reach my site. I am indeed a bit of an amateur at maintaining a site but I haven't messed with these files or deleted them. What could be going on? An attack from someone on the web? Or some kind of VPSLink related problem?
This is part of the latest reply I got from VPSLink: We have managed to get your VPS back online. It appears some Ubuntu package changed the way networking is started/shut down which removes the /var/run/network directory completely. This directory contains the 'ifstate' file, which OpenVZ uses to set up the network interfaces.
The site is indeed up and running again so I'm not desperate, but I would very much like to understand what's going on here.
I'm doing this as a favor for my friend, who is having some problem with his dedicated server ("he does not speak English very well"). He has an unmanaged dedicated server; he changed something on his SSH port and forgot what port it is. He can still access his WHM right now, meaning he knows the root password "correct", but the problem is he forgot his SSH port.
View 14 Replies View Related
Which is the best solution to recover my server data if it's accidentally crashed and formatted?
View 4 Replies View Related
I had an issue with limestonenetworks over the last 24 hours. My 2 servers went down for 12 hours but when it came back up the separate mysql server would not load?? Somehow the hard drive on that server failed during this upgrade and they cannot retrieve the databases on the server. A database containing over 60,000 members. Through my own undoing I didn't have a recent backup. A cpanel backup was backing up the same old file instead of the updated one.
I would have been happy if the site came back and at least the data was still there. I'm just upset that this "network upgrade" has fried my database. From this I get the lesson "You get what you pay for". I'm just keeping my fingers crossed that they will be kind enough to make a serious attempt to recover the data or at least let me send it to someone who can.
Does anyone have any suggestions on how to retrieve data from a Linux server hard drive?
Here are the steps that have been taken so far:
Upon console of the server it was at DISK BOOT FAILURE prompt. We first did the basics and disconnected the server and made sure all connections to the hard disk and motherboard were secure. Upon reboot we checked to see if the BIOS detected the drive, which it did. The server still reported disk boot failure. We then rebooted back into the BIOS to make sure the BIOS was not set to skip the hard drive in the boot process.
It was not.
The "recovery tools" we ran were just a basic Linux live CD to see if we could get the hard drive detected inside of an operating system. It would not even detect the disk in the machine. We did not perform anything on the drive to cause it to fail. I spoke directly to my manager who was supervising the move and I was told that all servers were shut down cleanly as well as moved safely and securely.
The hard disk is still detected by the BIOS but the hard disk certainly has some internal issues as you can hear a constant buzzing and clicking during POST and after.
I had a server with XX datacenter. They've formatted my server and I MUST recover files immediately..
The server is running CentOS 5.x and it has been formatted + rebooted 2-3 times.
How can I rescue files now?
I vaguely remember changing a password to one of my domains that I hardly ever use, and as a result, I'm locked out of it both via FTP and cPanel (I can still get to it via WHM logged in as root).
Is there any way to recover the password? I have full access to the box.
I bought a domain name and web hosting from a company. Now the problem is that the company from which I booked the domain and hosting doesn't exist.
Initially the hosting company sent me only FTP and mail server details. Now I need the cPanel details to configure the database. So I kindly request all of you to suggest some solutions through which I can get the cPanel details.
My FreeBSD server suffered a power outage and now at boot it shows:
BIOS installed successfully!
strike F1 to continue, strike F2 to go to setup utility.
FreeBSD installed
Default 0,a (o.a)boot loaded
Boot:
But that is it, it does not respond to ping or ssh?
Database Recover from Backups costs $30 from aspnix.com.
Is that price fair for that service?
I have a crashed HD that I want to recover the data from. I wonder if there is any method or software out there that can do this for me.
The hard drive is installed with CentOS and uses the ext3 filesystem.
I have tried doing a mount, not sure if it is done correctly, but I only see "lost+found" on the hard drive.
Usually when this happens on my hard drive with Windows, I use some data recovery software to extract the data. I don't know which software will do this for me on an ext3 filesystem running CentOS.
I'm trying to recover a subdirectory from a full cPanel backup (tar file).
I placed the backup on the /home/<userdir>/
Then I listed the content of the tar file and the directory is in there:
backup-3.1.2006_11-36-43_userlin2/homedir/public_html/php/viacache/
I need to restore /viacache to the original location
Code:
tar -xvf backup-3.1.2006_11-36-43_userlin2.tar /public_html/php/viacache
response:
tar: /public_html/php/viacache: Not found in archive
also (absolute path)
Code:
tar -xvf backup-3.1.2006_11-36-43_userlin2.tar /home/userlin2/public_html/php/viacache
Not found in archive....
I am posting this thread to get other people's advice and to advise them about my bad experience with rsync. Luckily, I was able to get my data back through the old drive.
Three times a day, I take a mysqldump and then rsync that mysql dump to a drive located in a different state.
Everything was working fine. The rsync was transferring data daily and updating the backup on the other server. A few days ago, there was a hard drive failure on my server and then I checked my backup drive for the mysql dump... It was 764 bytes instead of 5 Gb...
Then I went to my other server, where I rsync to; to my surprise, that was also 764 bytes instead of 5 Gb, as it had synced both databases.
My backup strategy failed, and I would be in tears if I couldn't grab data from the failed drive.
I would like to hear everyone's views on this and learn from it.
I just recently had a hard drive failure that produced the following error:
root@re:/# mount /dev/hda3 /mnt
mount: wrong fs type, bad option, bad superblock on /dev/hda3,
missing codepage or other error
In some cases useful info is found in syslog - try
dmesg | tail or so
ide: failed opcode was: unknown
end_request: I/O error, dev hda, sector 4410069
Buffer I/O error on device hda3, logical block 8259
hda: drive_cmd: status=0x51 { DriveReady SeekComplete Error }
hda: drive_cmd: error=0x04 { DriveStatusError }
ide: failed opcode was: 0xb0
The host is going to mount this HD on the same machine after adding a new hard drive and fresh install... Does anyone have any recommendations for how I can go about recovering data? Specifically mysql databases?
My server hard disk has crashed badly. The rescue function in the server cannot take part and so I've tried using some recovery software to get back my data.
I've tried using Easy Recovery Professional. It sorts all the files by file type into different folders. I found a folder named .DB; there are also some .ado and .ldb folders too. I guess one of them is my database. The problem now is, I don't know how to read the file.
Do you have any idea how to read it? I've tried many recovery systems, e.g. DiskInternals Linux Recovery, Disk Doctor Linux Recovery.
It is a Linux server.
Using webmail, in the "Inbox" I selected all the mail and accidentally pressed "clear folder". Are the letters deleted, or can they be restored? I need to get the letters back....
View 3 Replies View Related
As I have never used cPanel, nor have any experience whatsoever with control panels, in the process of ordering a couple of new servers I am wondering what's the average recovery time after a server failure which involves data (i.e. disk failure).
I am interested to understand this, because I need to choose between hardware raid or backup disk.
For example, at LiquidWeb (this is just one of the many managed providers i am evaluating) you can pay the same server 264$ with 2x250 hardware raid 1, and 219$ with 2x250 simple hard drives, where the second one is supposed to be a backup drive.
I am yet to ask, but on these servers most likely (at these prices) they do not have hot swappable disk drives where they can rebuild the array "live", so also if I choose hardware RAID, in case of a disk failure, I face a downtime to bring down the server, rebuild the array, bring up the server, which I guess is something not less than 30-60 minutes downtime.
The advantage of this solution is that a disk failure keeps the system running, so you can schedule a maintenance window to replace the disk and rebuild the array, I guess.
On the other side, relying on a backup disk (and of course rsyncing data to an offsite server, I would do this anyway) you save 45$ each month, and disks after all do not fail every month.
If the main disk fails, they need to replace the disk, install again the server with what I suppose being a standard image (so let's figure a couple of hours, as they have a 30min hardware replacement sla), then you need to restore backups (which in my case are something like 20gigs). So I guess, on an average, it would take something like 4 hours downtime.
Am I correct?
What would you recommend as a solution with cPanel, taking into account the huge price difference? Backup drive or hardware RAID?
This would be for a single big website, not a hosting-company with resellers and customers environment, so I would value more the monthly saving, rather than the high availability, but of course I am interested to know what is the average time to recover a cpanel server after a drive failure.
Besides, I also have another question, as I have never had a colocated server with hardware RAID, so I do not know anything about this.
When a drive fails in a hardware RAID 1 environment, how does the hosting provider get notified? I suppose it's not an LED on the server blinking, as no one would see it.
So if you have software raid (like my computer at home) you get an email from mdadm with "warning, array degraded", so you know it quick and you can check it anytime doing a ' cat /proc/mdstat '. What about hardware raid?
My fear is that nobody notices my raid1 drive failure, the server keeps going on just a drive, then maybe the other drive fails, and it would be unpleasant: while a single drive failure would be obviously very easy to spot for me.
Windows Application 2003 crashed on a RAID 5 server. We tried to take the NTFS files from the hard drive and mount them on a Knoppix which was booted from a CD-ROM drive. Knoppix could read the files but it was unable to mount them, I guess for compatibility reasons.
Is there any way we can get a backup of that NTFS file and restore our data?
We are running cPanel on one of our servers. Several cron jobs were deleted from the cron panel of one acct. I have no idea of the paths to re-enter these jobs. Is there a log file on the server that will show cron job history from previous runs so I can recover the proper paths?
View 4 Replies View Related