WinHac Posted March 9, 2017
Some of my shared Windows folders on unRAID were deleted and the majority of my server is now free space. What commands or utilities can I run to retrieve my data? I changed my root password on unRAID; what else can I do to prevent this? I'm missing TBs of data. What can I do, if anything, to recover it?

ljm42 Posted March 9, 2017
Check out the "Need help? Read me first" thread in this board for help uploading your diagnostics.

ashman70 Posted March 9, 2017
First of all, do you have your server exposed to the internet? Secondly, what makes you think you were hacked? Did you have a strong root password? Is there nothing in the logs to indicate what happened?

WinHac (Author) Posted March 9, 2017 (edited March 9, 2017)
I came home and my server was stopped, one of my shares was completely missing and I have 90% of my array free. I checked all the drives in the array; they all are missing the same share, over 9 disks. Running this utility http://www.raisedr.com/ on the drive now to scan for anything recoverable.

WinHac (Author) Posted March 9, 2017
> 8 minutes ago, ashman70 said: First of all, do you have your server exposed to the internet? Secondly, what makes you think you were hacked? Did you have a strong root password? Is there nothing in the logs to indicate what happened?
How would I ensure it isn't exposed to the internet?

Frank1940 Posted March 9, 2017
Google for "Shields up" which will scan your Internet connection for open ports. Read the material that is presented about what the results are telling you. Gibson Research has been around since the days when I was using a dial-up modem. Then scan your Windows computer(s) for any viruses or malware. Here is a link to a good article on some excellent tools that Microsoft has developed to help ferret out nasty software: http://www.infoworld.com/article/2883958/antimalware/how-to-detect-malware-infection-in-9-easy-steps.html

Frank1940 Posted March 10, 2017 (edited March 10, 2017)
One more point. If you have a wireless router, does it have a secure password (preferably one that is twelve or more characters in length containing letters--Caps and Small--, numbers and symbols and contains no recognizable words that are in any dictionary of any major language)? I have a friend who has told me that breaking into a wireless router is usually one of the easiest cracks to accomplish! So make the job as difficult as possible by making your router password extremely difficult to break by brute force. Remember, unless you have secured your shares with permission and passwords to restrict who has write-access to your server, anyone on your network could have deleted that share in a few seconds!

ashman70 Posted March 10, 2017
By default unRAID is not exposed to the internet, so with that being the case I find it hard to understand how you might have been hacked, but of course we will need more information.

WinHac (Author) Posted March 10, 2017
Not sure what error would delete a directory off all 10 HDs in the array. I'm open to other theories.
Attachment: hal-diagnostics-20170309-1847.zip

ashman70 Posted March 10, 2017
Can you describe your network? What kind of router do you have? How many computers are on the network? How are they connected? Wired or wirelessly? What brand is your router? Did anyone else know your root password? Did you share it with anyone?

WinHac (Author) Posted March 10, 2017
3 computers: 2 PCs, 1 Mac, plus the server. Router is an Asus. I might have used that password for the server for other internet services. Could have been compromised.

WinHac (Author) Posted March 10, 2017 (edited March 10, 2017)
I don't think WiFi was compromised. I use the Unifi controller; it has good reporting, all my devices are labeled in it, and there were no unknown devices in the last 24 hours.

trurl Posted March 10, 2017
Have you rebooted your server since this happened? Don't until you post diagnostics. Or if you have, post diagnostics anyway. I think the most likely explanation is user error. Do you have any good evidence it was otherwise?

WinHac (Author) Posted March 10, 2017
Yes, I have rebooted. Didn't realize it would clear the log.

trurl Posted March 10, 2017
> 4 minutes ago, trurl said: Or if you have, post diagnostics anyway.

SSD Posted March 10, 2017
It would not be difficult to delete the user share folder and this is exactly what would happen. I do think, if there have been no updates to the disks, it may be possible to undelete some of the files. I am not sure how well undelete works with XFS (assuming that is your FS). Does not sound like a hack to me.

WinHac (Author) Posted March 10, 2017 (edited March 10, 2017)
Looks like it will recover easily; got one drive back so far with names and directory structure intact. Will be a long process.

garycase Posted March 10, 2017
> 9 hours ago, WinHac said: Not sure what error would delete a directory off all 10 HDs in the array.
I think what happened, as bjp999 also surmised, is that you somehow deleted a share -- which will delete all of the folders associated with that share. This easily explains what happened.
> 1 hour ago, WinHac said: Looks like it will recover easily; got one drive back so far with names and directory structure intact.
Sounds like the file system check was able to recover the deleted files okay on one disk -- this is good news. You simply need to methodically repeat this for all of the other disks --- and when done your share will be intact ... hopefully with no (or at least minimal) lost data. It would be best to NOT use the array during this process -- at least not for anything that will write to the disks, as any writes will reduce the likelihood of successful recovery. I assume from your comments that you don't have backups of your data ... if so, this clearly would have been much easier (just copy the data from the backups). Might be a good time to consider a backup strategy.

WinHac (Author) Posted March 10, 2017 (edited March 10, 2017)
Ya, right now I'm putting one drive from the array at a time on my PC, running the recovery to a USB drive, putting the original disk back in the array and moving the recovered data over to it. Then starting the process again. That would be the best way to do it, right? I'd love to have a backup but it's cost prohibitive to back up 30TB for me, so I have to settle for backing up only the most important.

WinHac (Author) Posted March 12, 2017
Can I just re-add the missing shared folder to all the drives again and put the files back in each one, then create the share again in unRAID, or will that delete the contents?

trurl Posted March 12, 2017
> 9 minutes ago, WinHac said: Can I just re-add the missing shared folder to all the drives again and put the files back in each one, then create the share again in unRAID, or will that delete the contents?
Does the share not exist anymore? The share is the top level folder, so if you have the folder on any drive you should still have the share. If not, I would suggest creating the share first and getting it set like you want, then add the folder to each disk as needed.

WinHac (Author) Posted March 12, 2017
The share was gone from the config. I created it just on the disk I'm restoring and excluded all other disks and spun them down; now copying files to the restored disk share, and will include more disks to the share for each disk restore. Sound like the right way to go?

trurl Posted March 12, 2017
> Just now, WinHac said: The share was gone from the config. I created it just on the disk I'm restoring and excluded all other disks and spun them down; now copying files to the restored disk share, and will include more disks to the share for each disk restore. Sound like the right way to go?
Are you copying to the disks or to the share? If to the disks, then it doesn't matter about the share settings. If to the share, then the share settings will determine where each file ends up, but including more drives as you go won't necessarily make the files go to the newly included disks. You would have to only include a specific disk if you wanted to ensure it would only go to that disk. I would just set the share like you want it to work in the end.