
Restore RAID1 with an old disk (I've been hacked) - NAS320

garrygarry Posts: 9  Junior Member
edited December 2018 in Discussions
Hi all,

I've been hacked and all my data has been altered (encrypted). Naturally, both disks now contain the altered data (RAID 1 setup).

Hopefully, I have an old HD that contains an old but valuable amount of lost data.

How can I restore my NAS with the data of this old HD as the base for the data?

The risk is to put 2 disks and have the most recent data (but encrypted) to be copied into the old disk. How can I be sure to do the right thing?

I have an NSA320, firmware version V4.70(AFO.3).

Thanks in advance

#NAS_Dec_2018


Comments

  • Mijzelf Posts: 622  Heroic Warrior Member
    That old disk once was a data disk for that 320? In that case you can pull both disks from the NAS, and put the old disk in. It should have a degraded array then.
  • garrygarry Posts: 9  Junior Member
    Yes, the old disk was in the very same NAS.

    Okay. So I start once with the old disk only, and when I have a degraded array, I just need to push one of the 2 others disks ? Right?

    Thanks mate!
  • Mijzelf Posts: 622  Heroic Warrior Member
    edited December 2018
    Theoretically yes. If both 'new disks' do not contain any useful information anymore, you can wipe them first. Open the Telnet backdoor, login as root, and execute
    dd if=/dev/zero of=/dev/sda bs=1M count=16
    dd if=/dev/zero of=/dev/sdb bs=1M count=16
    This will overwrite the first 16MB of each disk, which includes the partition tables. So after that the disks will be treated as 'new'. This prevents the NAS from syncing the wrong way.

  • garrygarry Posts: 9  Junior Member
    "Theoretically yes" -> unfortunately not :-(.

    I put the old disk only, it was in degraded state. I then put the other in and started the repair... but it obviously started wrong. I stopped it when it was still showing 0.0%, but the internal volume was deleted.

    When I now start with the old disk only, I've no volume... I think the partition table was deleted.

    Do I still have a chance to get my data back?
  • Mijzelf Posts: 622  Heroic Warrior Member
    edited December 2018
    Do I still have a chance to get my data back?
    Maybe. Can you open that telnet backdoor and post the output of
    cat /proc/partitions
    cat /proc/mdstat
    mdadm --examine /dev/sd[ab]2


  • garrygarry Posts: 9  Junior Member
    edited December 2018
    ~ $ cat /proc/partitions
    major minor  #blocks  name
       7        0     140288 loop0
      31        0       1024 mtdblock0
      31        1        512 mtdblock1
      31        2        512 mtdblock2
      31        3        512 mtdblock3
      31        4      10240 mtdblock4
      31        5      10240 mtdblock5
      31        6      48896 mtdblock6
      31        7      10240 mtdblock7
      31        8      48896 mtdblock8



    ~ $ cat /proc/mdstat
    Personalities : [linear] [raid0] [raid1]
    unused devices: <none>



    ~ # mdadm --examine /dev/sd[ab]2
    mdadm: cannot open /dev/sda2: No such device or address
    mdadm: cannot open /dev/sdb2: No such device or address
    ~ # mdadm --examine /dev/sd[ab]1
    mdadm: cannot open /dev/sda1: No such device or address
    mdadm: cannot open /dev/sdb1: No such device or address

  • Mijzelf Posts: 622  Heroic Warrior Member
    The disk was in? The kernel has not detected any disk, so if it was in, you have a hardware problem.
  • garrygarry Posts: 9  Junior Member
    I'll check and post the result soon
  • garrygarry Posts: 9  Junior Member
    edited December 2018
    Hi Mijzelf,

    Sorry for the delay. I was busy on these christmas days...

    So: I tried again with the NAS and got the same result! I then tried to plug the HD into an Ubuntu Linux machine and I got better results!

    [email protected]:~$ cat /proc/partitions
    major minor  #blocks  name

       7        0    2078720 loop0
       7        1    1860888 loop1
       7        2      89964 loop2
       7        3     144260 loop3
       7        4       2300 loop4
       7        5      13300 loop5
       7        6      14852 loop6
       7        7       3788 loop7
       8        0  244198584 sda
       8        1     102400 sda1
       8        2  101469549 sda2
       8        3     827392 sda3
       8        4  141796352 sda4
       8       16    7800832 sdb
       8       17    7800772 sdb1
       7        8      43148 loop8
       8       32 1953514584 sdc
       8       33     514048 sdc1
       8       34 1952997952 sdc2
       7        9      54964 loop9
       7       10     147028 loop10
    .
    [email protected]:~$ cat /proc/mdstat
    Personalities :
    md0 : inactive sdc2[2](S)
          1952997888 blocks
          
    unused devices: <none>
    .
    [email protected]:~$ sudo mdadm --examine /dev/sd[ab]2
    /dev/sda2:
    MBR Magic : aa55
    Partition[0] : 1836016416 sectors at 1936269394 (type 4f)
    Partition[1] : 544437093 sectors at 1917848077 (type 73)
    Partition[2] : 544175136 sectors at 1818575915 (type 2b)
    Partition[3] : 54974 sectors at 2844524554 (type 61)

  • Mijzelf Posts: 622  Heroic Warrior Member
    I tried again with the NAS and same result ! I then tried to plug the HD on an Ubuntu linux and I got better results!

    Strange. Does this disk need more power than the encrypted disks do?

    Anyway, this looks better. On this system the disk is sdc, so to read the raid header the command should be

    mdadm --examine /dev/sdc2

    Personalities :
    md0 : inactive sdc2[2](S)

    Somehow the disk is assigned an 'S' for spare. But there are no personalities (which are raid engines), and I don't know what is supposed to happen then.

    Does executing

    sudo modprobe raid1
    change anything significant in /proc/mdstat?
  • garrygarry Posts: 9  Junior Member
    Strange. Does this disk need more power than the encrypted disks do?
    No, I don't think so. One of the encrypted disks is exactly the same as this one. Before the wrong repair process, the disk was seen through the Zyxel interface.
    So now:
    [email protected]:/home/ubuntu# mdadm --examine /dev/sdc2
    /dev/sdc2:
              Magic : a92b4efc
            Version : 0.90.00
               UUID : 346361d3:cbfe4cbd:f4fc2a5c:e6a2d6d5
      Creation Time : Tue Oct 23 14:16:55 2012
         Raid Level : raid1
      Used Dev Size : 1952997888 (1862.52 GiB 1999.87 GB)
         Array Size : 1952997888 (1862.52 GiB 1999.87 GB)
       Raid Devices : 2
      Total Devices : 2
    Preferred Minor : 0

        Update Time : Tue Dec 18 15:51:00 2018
              State : clean
     Active Devices : 1
    Working Devices : 2
     Failed Devices : 1
      Spare Devices : 1
           Checksum : a665828a - correct
             Events : 1618289


          Number   Major   Minor   RaidDevice State
    this     2       8        2        2      spare   /dev/sda2

       0     0       8       18        0      active sync
       1     1       0        0        1      faulty removed
       2     2       8        2        2      spare   /dev/sda2
    As requested, I tried:
    [email protected]:/home/ubuntu# modprobe raid1
    [email protected]:/home/ubuntu# cat /proc/mdstat
    Personalities : [raid1]
    md0 : inactive sdc2[2](S)
          1952997888 blocks
          
    unused devices: <none>
    From my point of view, it's not absolutely necessary to remount the raid. Do you think just mounting the HD only is possible? I can then back up the important things.

    Thanks!




  • Mijzelf Posts: 622  Heroic Warrior Member
    Do you think just mounting the HD only is possible?

    Fortunately that should be quite easy. According to your header listing the array uses a version 0.9 superblock. That is at the end of the partition, so the physical start of the filesystem is also the physical start of the partition. In other words, the partition can simply be mounted.

    According to this bootlog an NSA320 uses (or at least used to use) ext3 as filesystem.

    So to mount it:

    mkdir /tmp/mountpoint
    mount -t ext3 /dev/sdc2 /tmp/mountpoint
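The reasoning above (a 0.90 superblock sits in the last 64 KiB of the partition, so the filesystem starts at byte 0 and the member can be mounted directly) can be checked before touching a disk. The following is an added example, not code from the thread or from Zyxel; it decodes a version 0.90 md superblock the way `mdadm --examine` does, using the field offsets of the kernel's `mdp_super_t` and the kernel's `calc_sb_csum` checksum, and reports whether the partition also carries an ext2/3/4 superblock at its start or an MBR signature (the "MBR Magic : aa55" case seen on sda2 earlier in the thread). It runs on a constructed in-memory image; the only value taken from the thread is the array UUID, and the `md090_used_dev_size_kib` helper reproduces the thread's numbers (partition of 1952997952 blocks, Used Dev Size of 1952997888).

```python
"""Locate and decode an md (Linux software RAID) version 0.90 superblock.

Added example, not from the thread. Field offsets follow the kernel's
mdp_super_t layout (linux/raid/md_p.h); the checksum follows calc_sb_csum.
On a real system you would read the partition (e.g. /dev/sdc2) read-only
and pass its bytes in; here a constructed image is used instead.
"""
import struct

MD_SB_MAGIC = 0xA92B4EFC       # shown by mdadm --examine as "Magic : a92b4efc"
MD_RESERVED_BYTES = 64 * 1024  # 0.90 metadata area at the tail of the device
MD_SB_BYTES = 4096             # size of the on-disk superblock structure
EXT_SUPER_MAGIC = 0xEF53       # ext2/3/4 magic at byte 1024 + 56
RAID_LEVELS = {0: "raid0", 1: "raid1", 4: "raid4", 5: "raid5",
               6: "raid6", 10: "raid10", -1: "linear"}


def md090_sb_offset(dev_size_bytes):
    """Byte offset of a 0.90 superblock: round the device size down to a
    64 KiB boundary, then step back one 64 KiB block."""
    return (dev_size_bytes & ~(MD_RESERVED_BYTES - 1)) - MD_RESERVED_BYTES


def md090_used_dev_size_kib(partition_kib):
    """'Used Dev Size' (1 KiB blocks) of a 0.90 member on a partition of
    the given size; the data area ends where the superblock begins."""
    return (partition_kib & ~63) - 64


def md090_csum(sb):
    """0.90 checksum: sum of all 32-bit words with the csum field zeroed,
    carry folded once, truncated to 32 bits (kernel calc_sb_csum)."""
    words = struct.unpack("<1024I", bytes(sb[:MD_SB_BYTES]))
    total = sum(words) - words[152 // 4]  # word 38 is sb_csum itself
    return ((total & 0xFFFFFFFF) + (total >> 32)) & 0xFFFFFFFF


def parse_md090(dev):
    """Return the fields mdadm --examine prints for a 0.90 member, or None."""
    off = md090_sb_offset(len(dev))
    if off < 0 or len(dev) < off + MD_SB_BYTES:
        return None
    sb = dev[off:off + MD_SB_BYTES]
    magic, major = struct.unpack_from("<II", sb, 0)
    if magic != MD_SB_MAGIC or major != 0:
        return None
    uuid0, ctime, level, size, nr_disks, raid_disks, md_minor = \
        struct.unpack_from("<IIiIIII", sb, 20)
    uuid1, uuid2, uuid3 = struct.unpack_from("<III", sb, 52)
    utime, state, active, working, failed, spare, csum, ev_lo, ev_hi = \
        struct.unpack_from("<9I", sb, 128)
    return {
        "sb_offset": off,
        "uuid": "%08x:%08x:%08x:%08x" % (uuid0, uuid1, uuid2, uuid3),
        "level": RAID_LEVELS.get(level, str(level)),
        "used_dev_size_kib": size,
        "raid_devices": raid_disks, "total_devices": nr_disks,
        "active": active, "working": working, "failed": failed, "spare": spare,
        "events": (ev_hi << 32) | ev_lo,
        "checksum_ok": csum == md090_csum(sb),
    }


def classify(dev):
    """Pre-mount sanity check: RAID header present? filesystem at byte 0?
    or an MBR signature, meaning this is not a plain md member at all?"""
    has_ext = len(dev) >= 1024 + 58 and \
        struct.unpack_from("<H", dev, 1024 + 56)[0] == EXT_SUPER_MAGIC
    is_mbr = len(dev) >= 512 and dev[510:512] == b"\x55\xaa"
    return {"md090": parse_md090(dev) is not None,
            "ext_fs_at_start": has_ext, "mbr": is_mbr}


def build_sample_member(size_bytes=1024 * 1024 + 512):
    """Constructed test image (not real data): ext magic at the start and a
    raid1 0.90 superblock in the tail, mirroring the thread's 2-device array."""
    img = bytearray(size_bytes)
    struct.pack_into("<H", img, 1024 + 56, EXT_SUPER_MAGIC)
    sb = bytearray(MD_SB_BYTES)
    struct.pack_into("<III", sb, 0, MD_SB_MAGIC, 0, 90)        # magic, 0.90
    struct.pack_into("<IIiIIII", sb, 20, 0x346361D3, 0, 1,     # uuid0, ctime, raid1
                     md090_used_dev_size_kib(size_bytes // 1024), 2, 2, 0)
    struct.pack_into("<III", sb, 52, 0xCBFE4CBD, 0xF4FC2A5C, 0xE6A2D6D5)
    # utime, state, active, working, failed, spare, csum(0), events lo/hi
    struct.pack_into("<9I", sb, 128, 0, 0, 1, 2, 1, 1, 0, 1618289, 0)
    struct.pack_into("<I", sb, 152, md090_csum(sb))
    off = md090_sb_offset(size_bytes)
    img[off:off + MD_SB_BYTES] = sb
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_member()
    print(classify(image))
    for key, value in parse_md090(image).items():
        print(f"{key:>18}: {value}")
```

The `classify` result is the thing to look at before any `mount` or `mdadm --assemble`: a member with `md090` and `ext_fs_at_start` both true can be mounted read-only as-is, while `mbr` true with no md header means the partition holds something else entirely.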



  • garrygarry Posts: 9  Junior Member
    I tried but got the same result as explained here:

    Should I try the:
    mdadm --assemble --run /dev/md0 /dev/sdc1
    trick ?

    More info about the disk


  • Mijzelf Posts: 622  Heroic Warrior Member
    [quote]
    Should I try the:
    mdadm --assemble --run /dev/md0 /dev/sdc1
    trick ?
    [/quote]
    It won't hurt, although in your case it's
    mdadm --assemble --run /dev/md0 /dev/sdc2
    Another suggestion in that forum which is worth trying is
    [quote]
    If anyone still gets the mdadm: /dev/sdb1 is busy - skipping message you can stop the device on with mdadm --stop /dev/mdx or check the /proc/mdstat to check if the device was automatically mount by your system.
    [/quote]

  • garrygarry Posts: 9  Junior Member
    Great, I could finally mount it!
    Thank you very much Mijzelf  ;)