Restore RAID1 with an old disk (I've been hacked) - NAS320
garry
Hi all,
I've been hacked and all my data have been altered (encrypted). Naturally, both disks now contain the altered data (RAID 1 setup).
Hopefully, I have an old HD that contains an old but valuable amount of lost data.
How can I restore my NAS with the data of this old HD as base for the data???
The risk is to put 2 disks and have the most recent data (but encrypted) to be copied into the old disk. How can I be sure to do the right thing?
I have a NSA320, firmware version V4.70(AFO.3).
Thanks in advance
#NAS_Dec_2018
0
Comments
-
That old disk once was a data disk for that 320? In that case you can pull both disks from the NAS, and put the old disk in. It should have a degraded array then.
0 -
Yes, the old disk was in the very same NAS.
Okay. So I start once with the old disk only, and when I have a degraded array, I just need to push in one of the 2 other disks? Right?
Thanks mate!
0 -
Theoretically yes. If both 'new disks' do not contain any useful information anymore, you can wipe them first. Open the Telnet backdoor, log in as root, and execute
```
dd if=/dev/zero of=/dev/sda bs=1M count=16
dd if=/dev/zero of=/dev/sdb bs=1M count=16
```
This will overwrite the first 16MB of each disk, which includes partition tables. So after that the disks will be treated as 'new'. This is to prevent the NAS from syncing the wrong way.
0 -
"Theoretically yes" -> unfortunately not :-(.
I put in the old disk only; it was in degraded state. I then put in the other and started the repair... but it obviously started wrong. I stopped it when it was still showing 0.0% but the internal volume was deleted.
When I now start with the old disk only, I've no volume... I think the partition table was deleted.
Do I still have a chance to get my data back?
0 -
> Do I still have a chance to get my data back?

Maybe. Can you open that telnet backdoor and post the output of
```
cat /proc/partitions
cat /proc/mdstat
mdadm --examine /dev/sd[ab]2
```
0 -
```
~ $ cat /proc/partitions
major minor  #blocks  name
   7        0     140288 loop0
  31        0       1024 mtdblock0
  31        1        512 mtdblock1
  31        2        512 mtdblock2
  31        3        512 mtdblock3
  31        4      10240 mtdblock4
  31        5      10240 mtdblock5
  31        6      48896 mtdblock6
  31        7      10240 mtdblock7
  31        8      48896 mtdblock8
~ $ cat /proc/mdstat
Personalities : [linear] [raid0] [raid1]
unused devices: <none>
~ # mdadm --examine /dev/sd[ab]2
mdadm: cannot open /dev/sda2: No such device or address
mdadm: cannot open /dev/sdb2: No such device or address
~ # mdadm --examine /dev/sd[ab]1
mdadm: cannot open /dev/sda1: No such device or address
mdadm: cannot open /dev/sdb1: No such device or address
```
0 -
The disk was in? The kernel has not detected any disk, so if it was in, you have a hardware problem.
0 -
I'll check and post the result soon
0 -
Hi Mijzelf,
Sorry for the delay. I was busy on these Christmas days... So: I tried again with the NAS and same result! I then tried to plug the HD on an Ubuntu linux and I got better results!
```
ubuntu@ubuntu:~$ cat /proc/partitions
major minor  #blocks  name

   7        0    2078720 loop0
   7        1    1860888 loop1
   7        2      89964 loop2
   7        3     144260 loop3
   7        4       2300 loop4
   7        5      13300 loop5
   7        6      14852 loop6
   7        7       3788 loop7
   8        0  244198584 sda
   8        1     102400 sda1
   8        2  101469549 sda2
   8        3     827392 sda3
   8        4  141796352 sda4
   8       16    7800832 sdb
   8       17    7800772 sdb1
   7        8      43148 loop8
   8       32 1953514584 sdc
   8       33     514048 sdc1
   8       34 1952997952 sdc2
   7        9      54964 loop9
   7       10     147028 loop10
```
```
ubuntu@ubuntu:~$ cat /proc/mdstat
Personalities :
md0 : inactive sdc2[2](S)
      1952997888 blocks

unused devices: <none>
```
```
ubuntu@ubuntu:~$ sudo mdadm --examine /dev/sd[ab]2
/dev/sda2:
   MBR Magic : aa55
Partition[0] :   1836016416 sectors at   1936269394 (type 4f)
Partition[1] :    544437093 sectors at   1917848077 (type 73)
Partition[2] :    544175136 sectors at   1818575915 (type 2b)
Partition[3] :        54974 sectors at   2844524554 (type 61)
```
0 -
> I tried again with the NAS and same result! I then tried to plug the HD on an Ubuntu linux and I got better results!

Strange. Does this disk need more power than the encrypted disks do?
Anyway, this looks better. On this system the disk is sdc, so to read the raid header the command should be
```
mdadm --examine /dev/sdc2
```
```
Personalities :
md0 : inactive sdc2[2](S)
```
Somehow the disk is assigned an 'S' for spare. But there are no personalities (which are raid engines), and I don't know what is supposed to happen then.
Does executing
```
su
modprobe raid1
```
change anything significant in /proc/mdstat?
0
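A read-only way to check for the conditions the last reply points at (no personalities loaded, a member flagged `(S)`, no array assembled) before a second disk goes in. This is an added example, not part of any post in the thread; `mdstat_check` and the sample variable names are assumptions, and the third sample is constructed.

```shell
#!/bin/sh
# Added example: read-only triage of /proc/mdstat text before any disk is added.
# mdstat_check is a hypothetical helper name; it only reads stdin.
mdstat_check() {
  awk '
    /^Personalities :/ {
      # Loaded RAID engines are listed in brackets, e.g. [raid1].
      if ($0 !~ /\[/) print "WARN no md personalities loaded"
      else if ($0 !~ /\[raid1\]/) print "WARN raid1 personality not loaded"
      next
    }
    /^md[0-9]+ :/ {
      arr = $1; arrays++
      if ($3 != "active") print "WARN " arr " is " $3
      for (i = 4; i <= NF; i++) {
        if ($i !~ /\[[0-9]+\]/) continue   # not a member, e.g. the level name
        dev = $i; sub(/\[.*/, "", dev)
        if ($i ~ /\(S\)/) print "WARN " arr " member " dev " is a spare"
        if ($i ~ /\(F\)/) print "WARN " arr " member " dev " is faulty"
      }
      next
    }
    # Status line of the current array, e.g. "blocks [2/1] [U_]"
    arr != "" && /\[[0-9]+\/[0-9]+\]/ {
      if ($NF ~ /_/) print "INFO " arr " is degraded " $NF
    }
    END { if (arrays == 0) print "WARN no md arrays assembled" }
  '
}

# Output posted in the thread from the Ubuntu machine.
UBUNTU_SAMPLE='Personalities :
md0 : inactive sdc2[2](S)
      1952997888 blocks

unused devices: <none>'

# Output posted in the thread from the NAS (no disk detected).
NAS_SAMPLE='Personalities : [linear] [raid0] [raid1]
unused devices: <none>'

# Constructed sample: one disk of a two-disk RAID1 running on its own.
DEGRADED_SAMPLE='Personalities : [raid1]
md0 : active raid1 sda2[0]
      1952997888 blocks [2/1] [U_]
unused devices: <none>'

for s in "$UBUNTU_SAMPLE" "$NAS_SAMPLE" "$DEGRADED_SAMPLE"; do
  printf '%s\n' "$s" | mdstat_check; echo ---
done
```

On a live system the same function can be fed with `mdstat_check < /proc/mdstat`.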