archlinux ext4 recovery file versioning


archlinux ext4 recovery file versioning

arch general mailing list-2
Hi, I have a server running Arch Linux with Samba. I have a Windows client in
my house with a mapped folder, but a Trojan has entered and encrypted all
files, including those on the Arch Linux server...

Arch Linux is formatted with ext4.

Would it be possible to recover unencrypted files?

Re: archlinux ext4 recovery file versioning

arch general mailing list-2
On 04/17/2017 09:31 PM, Maykel Franco via arch-general wrote:
> Hi, I have a server running Arch Linux with Samba. I have a Windows client in
> my house with a mapped folder, but a Trojan has entered and encrypted all
> files, including those on the Arch Linux server...
>
> Arch Linux is formatted with ext4.
>
> Would it be possible to recover unencrypted files?
Maybe testdisk with photorec might help. Good luck...

Re: archlinux ext4 recovery file versioning

arch general mailing list-2
On 17 Apr 2017 10:09 p.m., "Alex Theotokatos via arch-general" <
[hidden email]> wrote:

> On 04/17/2017 09:31 PM, Maykel Franco via arch-general wrote:
>
>> Hi, I have a server running Arch Linux with Samba. I have a Windows client in
>> my house with a mapped folder, but a Trojan has entered and encrypted all
>> files, including those on the Arch Linux server...
>>
>> Arch Linux is formatted with ext4.
>>
>> Would it be possible to recover unencrypted files?
>>
> Maybe testdisk with photorec might help. Good luck...

With testdisk, is it possible to recover the original files without encryption?

Re: archlinux ext4 recovery file versioning

arch general mailing list-2
On 04/17/2017 11:12 PM, Maykel Franco via arch-general wrote:

> On 17 Apr 2017 10:09 p.m., "Alex Theotokatos via arch-general" <
> [hidden email]> wrote:
>
> On 04/17/2017 09:31 PM, Maykel Franco via arch-general wrote:
>
>> Hi, I have a server running Arch Linux with Samba. I have a Windows client in
>> my house with a mapped folder, but a Trojan has entered and encrypted all
>> files, including those on the Arch Linux server...
>>
>> Arch Linux is formatted with ext4.
>>
>> Would it be possible to recover unencrypted files?
>>
> Maybe testdisk with photorec might help. Good luck...
>
>
>
> With testdisk, is it possible to recover the original files without encryption?
It will not unlock the encrypted files, but photorec will sweep the whole
disk and can recover some files that 'theoretically' were deleted, or tmp
files.
Maybe during encryption the files were moved to some parent folder and
then deleted. I think photorec might help here.
You can start with testdisk and see what is deleted and not.

Re: archlinux ext4 recovery file versioning

arch general mailing list-2
>On 04/17/2017 11:12 PM, Maykel Franco via arch-general wrote:
>> On 17 Apr 2017 10:09 p.m., "Alex Theotokatos via arch-general" <
>> [hidden email]> wrote:
>>
>> On 04/17/2017 09:31 PM, Maykel Franco via arch-general wrote:
>>
>>> Hi, I have a server running Arch Linux with Samba. I have a Windows client
>>> in my house with a mapped folder, but a Trojan has entered and encrypted
>>> all files, including those on the Arch Linux server...
>>>
>>> Arch Linux is formatted with ext4.
>>>
>>> Would it be possible to recover unencrypted files?
>>>
>> Maybe testdisk with photorec might help. Good luck...
>>
>>
>>
>> With testdisk, is it possible to recover the original files without encryption?
>It will not unlock the encrypted files, but photorec will sweep the whole disk and can recover some files that 'theoretically' were deleted, or tmp files.
>Maybe during encryption the files were moved to some parent folder and then deleted. I think photorec might help here.
>You can start with testdisk and see what is deleted and not.

You can try this site
https://www.nomoreransom.org/

It might help you decrypt the files. File recovery most likely won't help. (Unless you can 'recover' from a cloud based backup!)

Re: archlinux ext4 recovery file versioning

arch general mailing list-2
On Wed, Apr 19, 2017 at 10:20:53AM -0400, Kyle McNally via arch-general wrote:

> >On 04/17/2017 11:12 PM, Maykel Franco via arch-general wrote:
> >> On 17 Apr 2017 10:09 p.m., "Alex Theotokatos via arch-general" <
> >> [hidden email]> wrote:
> >>
> >> On 04/17/2017 09:31 PM, Maykel Franco via arch-general wrote:
> >>
> >>> Hi, I have a server running Arch Linux with Samba. I have a Windows client
> >>> in my house with a mapped folder, but a Trojan has entered and encrypted
> >>> all files, including those on the Arch Linux server...
> >>>
> >>> Arch Linux is formatted with ext4.
> >>>
> >>> Would it be possible to recover unencrypted files?
> >>>
> >> Maybe testdisk with photorec might help. Good luck...
> >>
> >>
> >>
> >> With testdisk, is it possible to recover the original files without encryption?
> >It will not unlock the encrypted files, but photorec will sweep the whole disk and can recover some files that 'theoretically' were deleted, or tmp files.
> >Maybe during encryption the files were moved to some parent folder and then deleted. I think photorec might help here.
> >You can start with testdisk and see what is deleted and not.
>
> You can try this site
> https://www.nomoreransom.org/
>
> It might help you decrypt the files. File recovery most likely won't help. (Unless you can 'recover' from a cloud based backup!)
Hi,

Did the trojan infect the server? Were you able to isolate the
malicious executable?

--
Kind regards,

Kai-Chun


Re: archlinux ext4 recovery file versioning

arch general mailing list-2
In reply to this post by arch general mailing list-2
On 19 Apr 2017 16:21, "Kyle McNally via arch-general" <
[hidden email]> wrote:

>> On 04/17/2017 11:12 PM, Maykel Franco via arch-general wrote:
>>> On 17 Apr 2017 10:09 p.m., "Alex Theotokatos via arch-general" <
>>> [hidden email]> wrote:
>>>
>>> On 04/17/2017 09:31 PM, Maykel Franco via arch-general wrote:
>>>
>>>> Hi, I have a server running Arch Linux with Samba. I have a Windows client
>>>> in my house with a mapped folder, but a Trojan has entered and encrypted
>>>> all files, including those on the Arch Linux server...
[...]
>> Maybe during encryption the files were moved to some parent folder and then
>> deleted. I think photorec might help here.
>> You can start with testdisk and see what is deleted and not.
>
> You can try this site
> https://www.nomoreransom.org/
>
> It might help you decrypt the files. File recovery most likely won't help.
> (Unless you can 'recover' from a cloud based backup!)


Actually, file recovery (low-level) works very nicely with most
ransomware infections. Especially since (in this case) the files were on
another PC.
There are some gotchas though, like used disk space and time consumption.
If those are not an issue, or are acceptable, I've had great results with
photorec on some sample machines.

Wrt backup: since the server itself wasn't involved, all local backups
should be fine. Unless those were on a writable share, of course.



Kind regards, Guus Snijders
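
An added example, not part of the thread or of Samba itself: a check for the caveat in the last message, that local backups are fine unless they sit on a writable share. It reads an smb.conf (the sample, with its share names, paths and user, is constructed), relies on Samba's default of `read only = yes` and its inverted synonyms, and reports backup directories that lie inside a share clients can write to; letting the last of two conflicting settings win is this example's assumption.

```python
import posixpath
# Constructed smb.conf for illustration; share names, paths and user are made up.
SAMPLE_SMB_CONF = """
[media]
   path = /srv/media
   read only = no
[docs]
   path = /srv/docs
   writable = yes
   read only = yes
[archive]
   path = /srv/archive/
   write list = alice
"""
TRUE = {"yes", "true", "on", "1"}
INVERTED = {"writeable", "writable", "writeok"}  # inverted synonyms of "read only"

def parse_shares(text):
    """Return {section: {param: value}}; param names lower-cased, spaces removed."""
    shares, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = shares.setdefault(line[1:-1].strip().lower(), {})
        elif cur is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            key = "".join(key.lower().split())
            if key in INVERTED:  # fold synonyms so the last setting in a share wins
                key, val = "readonly", "no" if val.lower() in TRUE else "yes"
            cur[key] = val
    return shares

def writable_shares(text):
    """{share: path} where clients can write: read only = no, or a write list."""
    shares = parse_shares(text)
    defaults = shares.pop("global", {})  # [global] values act as share defaults
    merged = {n: {**defaults, **p} for n, p in shares.items()}
    return {n: posixpath.normpath(p["path"]) for n, p in merged.items()
            if "path" in p and (p.get("readonly", "yes").lower() not in TRUE
                                or p.get("writelist", "").strip())}  # default: yes

def exposed_backups(text, backup_dirs):
    """Pairs (backup_dir, share) for backups located inside a writable share."""
    shares = writable_shares(text)
    return [(d, name) for d in map(posixpath.normpath, backup_dirs)
            for name, root in shares.items()
            if posixpath.commonpath([d, root]) == root]
```

Backup paths must be absolute, as the share paths are; any pair returned is a backup that a client with the share mapped could overwrite.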