We were hacked and they compromised a bunch of servers and workstations. If the server had a secondary drive, the drive is now 100% empty. 0 bytes used. We can't figure out what they did to the partition table/MFT. Can you please look.
Sat Sep 30 22:18:45 2017
Command line: TestDisk
TestDisk 7.1-WIP, Data Recovery Utility, July 2017
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Windows Server 2008 R2 (7601) SP1
Compiler: GCC 5.4, Cygwin 2005.2
ext2fs lib: 1.43.1, ntfs lib: 10:0:0, reiserfs lib: none, ewf lib: 20140608, curses lib: ncurses 6.0
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(/dev/sda)=107373133824
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(/dev/sdb)=42946527232
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive0)=107373133824
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive1)=42946527232
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\C:)=107267227648
filewin32_getfilesize(\\.\D:) GetFileSize err Incorrect function.
filewin32_setfilepointer(\\.\D:) SetFilePointer err Incorrect function.
Warning: can't get size for \\.\D:
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\E:)=42946527232
Hard disk list
Disk /dev/sda - 107 GB / 99 GiB - CHS 13054 255 63, sector size=512 - VMware Virtual IDE Hard Drive, S/N:3030303030303030303030303030303030303130, FW:00000001
Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63, sector size=512 - VMware Virtual IDE Hard Drive, S/N:3130303030303030303030303030303030303130, FW:00000001
Partition table type (auto): None
Disk /dev/sdb - 42 GB / 39 GiB - VMware Virtual IDE Hard Drive
Partition table type: Intel
Analyse Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63
Geometry from i386 MBR: head=115 sector=52
BAD_RS LBA=1936269394 5382406
file_pread(5,1,buffer,1936269394(120527/49/53)) lseek err Invalid argument
check_part_i386 failed for partition type 07
BAD_RS LBA=1917848077 5967333
check_part_i386 2 type 73: no test
BAD_RS LBA=1818575915 5855017
check_part_i386 3 type 2B: no test
BAD_RS LBA=2844524554 5982593
check_part_i386 4 type 61: no test
Current partition structure:
Invalid NTFS or exFAT boot
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
Bad relative sector.
2 * Sys=73 119380 132 62 153270 41 37 544437093
Bad relative sector.
3 * Sys=2B 113201 29 24 147074 114 59 544175136
Bad relative sector.
4 * SpeedStor 177063 118 26 177066 225 63 54974
Bad relative sector.
Only one partition must be bootable
Space conflict between the following two partitions
3 * Sys=2B 113201 29 24 147074 114 59 544175136
2 * Sys=73 119380 132 62 153270 41 37 544437093
Space conflict between the following two partitions
2 * Sys=73 119380 132 62 153270 41 37 544437093
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
Space conflict between the following two partitions
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
4 * SpeedStor 177063 118 26 177066 225 63 54974
search_part()
Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63
file_pread(5,2,buffer,83879935(5221/72/35)) ReadFile The drive cannot find the sector requested.
file_pread(5,1,buffer,83879936(5221/72/36)) ReadFile The drive cannot find the sector requested.
file_pread(5,1,buffer,83879937(5221/72/37)) lseek err Invalid argument
file_pread(5,14,buffer,83879938(5221/72/38)) lseek err Invalid argument
file_pread(5,3,buffer,83879952(5221/72/52)) lseek err Invalid argument
file_pread(5,3,buffer,83879999(5221/73/36)) lseek err Invalid argument
file_pread(5,8,buffer,83880015(5221/73/52)) lseek err Invalid argument
file_pread(5,11,buffer,83880062(5221/74/36)) lseek err Invalid argument
file_pread(5,2,buffer,83881984(5221/105/5)) lseek err Invalid argument
Results
interface_write()
No partition found or selected for recovery
simulate write!
write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition
Analyse Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63
Geometry from i386 MBR: head=115 sector=52
BAD_RS LBA=1936269394 5382406
file_pread(5,1,buffer,1936269394(120527/49/53)) lseek err Invalid argument
check_part_i386 failed for partition type 07
BAD_RS LBA=1917848077 5967333
check_part_i386 2 type 73: no test
BAD_RS LBA=1818575915 5855017
check_part_i386 3 type 2B: no test
BAD_RS LBA=2844524554 5982593
check_part_i386 4 type 61: no test
Current partition structure:
Invalid NTFS or exFAT boot
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
Bad relative sector.
2 * Sys=73 119380 132 62 153270 41 37 544437093
Bad relative sector.
3 * Sys=2B 113201 29 24 147074 114 59 544175136
Bad relative sector.
4 * SpeedStor 177063 118 26 177066 225 63 54974
Bad relative sector.
Only one partition must be bootable
Space conflict between the following two partitions
3 * Sys=2B 113201 29 24 147074 114 59 544175136
2 * Sys=73 119380 132 62 153270 41 37 544437093
Space conflict between the following two partitions
2 * Sys=73 119380 132 62 153270 41 37 544437093
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
Space conflict between the following two partitions
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
4 * SpeedStor 177063 118 26 177066 225 63 54974
search_part()
Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63
file_pread(5,2,buffer,83879935(5221/72/35)) ReadFile The drive cannot find the sector requested.
file_pread(5,1,buffer,83879936(5221/72/36)) ReadFile The drive cannot find the sector requested.
file_pread(5,1,buffer,83879937(5221/72/37)) lseek err Invalid argument
file_pread(5,14,buffer,83879938(5221/72/38)) lseek err Invalid argument
file_pread(5,3,buffer,83879952(5221/72/52)) lseek err Invalid argument
file_pread(5,3,buffer,83879999(5221/73/36)) lseek err Invalid argument
file_pread(5,8,buffer,83880015(5221/73/52)) lseek err Invalid argument
file_pread(5,11,buffer,83880062(5221/74/36)) lseek err Invalid argument
file_pread(5,2,buffer,83881984(5221/105/5)) lseek err Invalid argument
Results
interface_write()
No partition found or selected for recovery
simulate write!
write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition
Analyse Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63
Geometry from i386 MBR: head=115 sector=52
BAD_RS LBA=1936269394 5382406
file_pread(5,1,buffer,1936269394(120527/49/53)) lseek err Invalid argument
check_part_i386 failed for partition type 07
BAD_RS LBA=1917848077 5967333
check_part_i386 2 type 73: no test
BAD_RS LBA=1818575915 5855017
check_part_i386 3 type 2B: no test
BAD_RS LBA=2844524554 5982593
check_part_i386 4 type 61: no test
Current partition structure:
Invalid NTFS or exFAT boot
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
Bad relative sector.
2 * Sys=73 119380 132 62 153270 41 37 544437093
Bad relative sector.
3 * Sys=2B 113201 29 24 147074 114 59 544175136
Bad relative sector.
4 * SpeedStor 177063 118 26 177066 225 63 54974
Bad relative sector.
Only one partition must be bootable
Space conflict between the following two partitions
3 * Sys=2B 113201 29 24 147074 114 59 544175136
2 * Sys=73 119380 132 62 153270 41 37 544437093
Space conflict between the following two partitions
2 * Sys=73 119380 132 62 153270 41 37 544437093
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
Space conflict between the following two partitions
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
4 * SpeedStor 177063 118 26 177066 225 63 54974
search_part()
Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63
file_pread(5,2,buffer,83879935(5221/72/35)) ReadFile The drive cannot find the sector requested.
file_pread(5,1,buffer,83879936(5221/72/36)) ReadFile The drive cannot find the sector requested.
file_pread(5,1,buffer,83879937(5221/72/37)) lseek err Invalid argument
file_pread(5,14,buffer,83879938(5221/72/38)) lseek err Invalid argument
file_pread(5,3,buffer,83879952(5221/72/52)) lseek err Invalid argument
file_pread(5,3,buffer,83879999(5221/73/36)) lseek err Invalid argument
file_pread(5,8,buffer,83880015(5221/73/52)) lseek err Invalid argument
file_pread(5,11,buffer,83880062(5221/74/36)) lseek err Invalid argument
file_pread(5,2,buffer,83881984(5221/105/5)) lseek err Invalid argument
Results
interface_write()
No partition found or selected for recovery
simulate write!
write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition
Analyse Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63
Geometry from i386 MBR: head=115 sector=52
BAD_RS LBA=1936269394 5382406
file_pread(5,1,buffer,1936269394(120527/49/53)) lseek err Invalid argument
check_part_i386 failed for partition type 07
BAD_RS LBA=1917848077 5967333
check_part_i386 2 type 73: no test
BAD_RS LBA=1818575915 5855017
check_part_i386 3 type 2B: no test
BAD_RS LBA=2844524554 5982593
check_part_i386 4 type 61: no test
Current partition structure:
Invalid NTFS or exFAT boot
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
Bad relative sector.
2 * Sys=73 119380 132 62 153270 41 37 544437093
Bad relative sector.
3 * Sys=2B 113201 29 24 147074 114 59 544175136
Bad relative sector.
4 * SpeedStor 177063 118 26 177066 225 63 54974
Bad relative sector.
Only one partition must be bootable
Space conflict between the following two partitions
3 * Sys=2B 113201 29 24 147074 114 59 544175136
2 * Sys=73 119380 132 62 153270 41 37 544437093
Space conflict between the following two partitions
2 * Sys=73 119380 132 62 153270 41 37 544437093
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
Space conflict between the following two partitions
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
4 * SpeedStor 177063 118 26 177066 225 63 54974
search_part()
Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63
file_pread(5,2,buffer,83879935(5221/72/35)) ReadFile The drive cannot find the sector requested.
file_pread(5,1,buffer,83879936(5221/72/36)) ReadFile The drive cannot find the sector requested.
Search for partition aborted
Results
interface_write()
No partition found or selected for recovery
simulate write!
write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition
Analyse Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63
Geometry from i386 MBR: head=115 sector=52
BAD_RS LBA=1936269394 5382406
file_pread(5,1,buffer,1936269394(120527/49/53)) lseek err Invalid argument
check_part_i386 failed for partition type 07
BAD_RS LBA=1917848077 5967333
check_part_i386 2 type 73: no test
BAD_RS LBA=1818575915 5855017
check_part_i386 3 type 2B: no test
BAD_RS LBA=2844524554 5982593
check_part_i386 4 type 61: no test
Current partition structure:
Invalid NTFS or exFAT boot
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
Bad relative sector.
2 * Sys=73 119380 132 62 153270 41 37 544437093
Bad relative sector.
3 * Sys=2B 113201 29 24 147074 114 59 544175136
Bad relative sector.
4 * SpeedStor 177063 118 26 177066 225 63 54974
Bad relative sector.
Only one partition must be bootable
Space conflict between the following two partitions
3 * Sys=2B 113201 29 24 147074 114 59 544175136
2 * Sys=73 119380 132 62 153270 41 37 544437093
Space conflict between the following two partitions
2 * Sys=73 119380 132 62 153270 41 37 544437093
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
Space conflict between the following two partitions
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
4 * SpeedStor 177063 118 26 177066 225 63 54974
We were hacked. All partitions gone
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
- cgrenier
- Site Admin
- Posts: 5432
- Joined: 18 Feb 2012, 15:08
- Location: Le Perreux Sur Marne, France
Re: We were hacked. All partitions gone
Looks like the partition table and both NTFS boot sector and its backup have been overwritten/encrypted.
Run TestDisk, in the Advanced menu, use 'a' to manually add a partition starting at "0 32 33". Set the partition type to NTFS.
Choose Boot, RebuildBS, List. Do you see your files ?
If you run PhotoRec on whole disk, does it recover some files or only junk/random data ?
Re: We were hacked. All partitions gone
Hi!
Thank you for the reply. When I hit A for ADD there is
Cylinder, Head, Sector, etc. Is that what I say 0323?
I'm not following.
Re: We were hacked. All partitions gone
It asks for:
Cylinder
Head
Sector
Cylinder
Head Sector
Type
- cgrenier
- Site Admin
- Posts: 5432
- Joined: 18 Feb 2012, 15:08
- Location: Le Perreux Sur Marne, France
Re: We were hacked. All partitions gone
Set the starting cylinder to 0, head to 32 and sector to 33.
No need to modify the end location.
Re: We were hacked. All partitions gone
Ok. I set the type to 07. It's scanning for MFT. How did you know to set it to 0,23,33? The reason I ask is there are about 5 other drives with the same problem.
- cgrenier
- Site Admin
- Posts: 5432
- Joined: 18 Feb 2012, 15:08
- Location: Le Perreux Sur Marne, France
Re: We were hacked. All partitions gone
"0 32 33" with your disk geometry corresponds to 2048 sectors of 512 bytes or 1 MB, a common location for the first partition.
I also asked you to try PhotoRec. What are the results ?
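The arithmetic behind that "0 32 33" advice, plus a sanity check of the four MBR slots from the posted log, as an added example (not TestDisk's code and not the poster's): with the 255-head / 63-sector geometry the log reports, "0 32 33" is LBA 2048 (1 MiB), while every start CHS in the log resolves to a sector far past the end of a 42 GB disk. Reading the second number on each BAD_RS line as the entry's relative-sector field is an assumption about the log format.

```python
SECTOR_SIZE = 512
HEADS, SPT = 255, 63                 # geometry the log reports: CHS 5221 255 63
DISK_BYTES = 42946527232             # /dev/sdb size from the log header
DISK_SECTORS = DISK_BYTES // SECTOR_SIZE


def chs_to_lba(cyl, head, sector, heads=HEADS, spt=SPT):
    """LBA for a CHS triple (sectors are 1-based, heads/cylinders 0-based)."""
    if not (0 <= head < heads and 1 <= sector <= spt):
        raise ValueError("head or sector outside the disk geometry")
    return (cyl * heads + head) * spt + (sector - 1)


def lba_to_chs(lba, heads=HEADS, spt=SPT):
    """Inverse of chs_to_lba, e.g. for the 2048-sector (1 MiB) alignment boundary."""
    cyl, rem = divmod(lba, heads * spt)
    head, sec0 = divmod(rem, spt)
    return cyl, head, sec0 + 1


# Constructed from the log: start CHS as TestDisk printed it, and the second
# number on each BAD_RS line (assumed here to be the entry's relative-sector field).
LOG_ENTRIES = {
    1: ((120527, 49, 53), 5382406),   # HPFS - NTFS
    2: ((119380, 132, 62), 5967333),  # Sys=73
    3: ((113201, 29, 24), 5855017),   # Sys=2B
    4: ((177063, 118, 26), 5982593),  # SpeedStor
}


def audit_entry(start_chs, rel_sector, disk_sectors=DISK_SECTORS):
    """Two independent plausibility checks on one MBR slot."""
    lba = chs_to_lba(*start_chs)
    return {
        "chs_lba": lba,
        "rel_sector_mismatch": lba != rel_sector,   # CHS and LBA fields disagree
        "beyond_disk": lba >= disk_sectors,        # start lies past the last sector
    }


def audit_log_entries():
    """Audit every slot from the posted log; a healthy table fails neither check."""
    return {n: audit_entry(chs, rs) for n, (chs, rs) in LOG_ENTRIES.items()}


if __name__ == "__main__":
    lba = chs_to_lba(0, 32, 33)
    print("0 32 33 -> LBA", lba, "=", lba * SECTOR_SIZE // 2**20, "MiB")
    for n, result in audit_log_entries().items():
        print("slot", n, result)
```

Slots whose start sits beyond the disk and whose CHS and LBA fields disagree are not a partition table that was merely misaligned; they are four slots of garbage, which is why the NTFS boot sector has to be located by its expected offset rather than read from the table.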
Re: We were hacked. All partitions gone
I should share some more information. These are .vmdk's on ESXi. There are .vmdks. The first one the hacker deleted files within the partitions and I was able to get the data back. The second drive (.vmdk), no recovery program has been able to find any volumes/MFTs. I exported the 40GB .vmdk and what was interesting when I ran it through some programs is that it thought it was 800GB and had three partition tables.
So we know the hacker damaged the partition tables. Is this repairable?
I have a backup of the volume and I wonder if I could get the partition table from that? Or is it specific to the datastore it's on.