Date:	Mon, 04 May 2009 15:11:28 +0200
From:	"Marcel Partap" <mpartap@....net>
To:	linux-ext4@...r.kernel.org
Subject: fsck ate my ext4 home partition, help!?

Dear fs hackers,
some days ago, all of a sudden i was missing some two hundred pics from my digicam, so when i rebooted my comp (which, mysteriously enough, had hung up to the point where even SYSRQ+B would not work) yesterday and X was just starting (i.e. the home partition was already mounted) i decided to stop xdm service and unmount the filesystem to run a quick check over it. Unmounting was successful, however fsck complained about /dev/sdd4 still being mounted. After confirming (lsof, mtab, empty mount point) that that was not actually the case, i ran fsck -p -v /dev/sdd4 and continued (beyond the fake still-mounted warning). Whereas the previous run of e2fsck with the -n was showing a bunch of stuff to fix, it now instantly bailed out complaining about broken superblock and so on.
After that, fsck -n still showed a bunch of (the same?) errors to fix, but remounting the filesystem (already with a bad hunch of course) revealed the havoc that was done: ls -laR showed abundant I/O errors, file names AND attributes consisting of umlauts and question marks, and df reported the size of the fs suddenly at 64 ZETTABYTE! Doom. Remounted ro, root directory looked kinda fine, some stuff was still accessible, but especially the home directory on there did not even show . and .. entries!
Obviously this is quite bad, and after having dd'ed the partition to a backup image, i am still unsure on how to approach a recovery of this situation. For sure the data is still there, but how to get at it? It's quite an old volume as well so probably fragmented heavily...
As i am in uni right now i don't have access to the complete screen buffer log but i can provide it to anyone who has any idea how to fix this. If someone can actually help me to get it back in the state it was before invoking e2fsck, i'd be overly thankful and would show my appreciation through a 50$ paypal donation. Please, someone help me unscrew this mess *g
For the record, i am running kernel 2.6.30 RC3 with gentoo's e2fsprogs-1.41.3.. and i have not rebooted the system since the incident so maybe some guerilla forensics can work on my 8GB of RAM?
thx & regards, marcel..