We were hacked. All partitions gone

How to use TestDisk to recover lost partition
Post Reply
Message
Author
grundyv2
Posts: 5
Joined: 01 Oct 2017, 03:29

We were hacked. All partitions gone

#1 Post by grundyv2 » 01 Oct 2017, 03:32

We were hacked and they compromised a bunch of servers and workstations. If the server had a secondary drive, the drive is now 100% empty. 0 bytes used. We can't figure out what they did to the partition table/mft. Can you please look .



Sat Sep 30 22:18:45 2017
Command line: TestDisk

TestDisk 7.1-WIP, Data Recovery Utility, July 2017
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Windows Server 2008 R2 (7601) SP1
Compiler: GCC 5.4, Cygwin 2005.2
ext2fs lib: 1.43.1, ntfs lib: 10:0:0, reiserfs lib: none, ewf lib: 20140608, curses lib: ncurses 6.0
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(/dev/sda)=107373133824
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(/dev/sdb)=42946527232
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive0)=107373133824
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive1)=42946527232
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\C:)=107267227648
filewin32_getfilesize(\\.\D:) GetFileSize err Incorrect function.

filewin32_setfilepointer(\\.\D:) SetFilePointer err Incorrect function.

Warning: can't get size for \\.\D:
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\E:)=42946527232
Hard disk list
Disk /dev/sda - 107 GB / 99 GiB - CHS 13054 255 63, sector size=512 - VMware Virtual IDE Hard Drive, S/N:3030303030303030303030303030303030303130, FW:00000001
Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63, sector size=512 - VMware Virtual IDE Hard Drive, S/N:3130303030303030303030303030303030303130, FW:00000001

Partition table type (auto): None
Disk /dev/sdb - 42 GB / 39 GiB - VMware Virtual IDE Hard Drive
Partition table type: Intel

Analyse Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63
Geometry from i386 MBR: head=115 sector=52
BAD_RS LBA=1936269394 5382406
file_pread(5,1,buffer,1936269394(120527/49/53)) lseek err Invalid argument
check_part_i386 failed for partition type 07
BAD_RS LBA=1917848077 5967333
check_part_i386 2 type 73: no test
BAD_RS LBA=1818575915 5855017
check_part_i386 3 type 2B: no test
BAD_RS LBA=2844524554 5982593
check_part_i386 4 type 61: no test
Current partition structure:
Invalid NTFS or exFAT boot
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416

Bad relative sector.
2 * Sys=73 119380 132 62 153270 41 37 544437093

Bad relative sector.
3 * Sys=2B 113201 29 24 147074 114 59 544175136

Bad relative sector.
4 * SpeedStor 177063 118 26 177066 225 63 54974

Bad relative sector.
Only one partition must be bootable
Space conflict between the following two partitions
3 * Sys=2B 113201 29 24 147074 114 59 544175136
2 * Sys=73 119380 132 62 153270 41 37 544437093
Space conflict between the following two partitions
2 * Sys=73 119380 132 62 153270 41 37 544437093
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
Space conflict between the following two partitions
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
4 * SpeedStor 177063 118 26 177066 225 63 54974

search_part()
Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63
file_pread(5,2,buffer,83879935(5221/72/35)) ReadFile The drive cannot find the sector requested.

file_pread(5,1,buffer,83879936(5221/72/36)) ReadFile The drive cannot find the sector requested.

file_pread(5,1,buffer,83879937(5221/72/37)) lseek err Invalid argument
file_pread(5,14,buffer,83879938(5221/72/38)) lseek err Invalid argument
file_pread(5,3,buffer,83879952(5221/72/52)) lseek err Invalid argument
file_pread(5,3,buffer,83879999(5221/73/36)) lseek err Invalid argument
file_pread(5,8,buffer,83880015(5221/73/52)) lseek err Invalid argument
file_pread(5,11,buffer,83880062(5221/74/36)) lseek err Invalid argument
file_pread(5,2,buffer,83881984(5221/105/5)) lseek err Invalid argument

Results

interface_write()

No partition found or selected for recovery
simulate write!

write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition

Analyse Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63
Geometry from i386 MBR: head=115 sector=52
BAD_RS LBA=1936269394 5382406
file_pread(5,1,buffer,1936269394(120527/49/53)) lseek err Invalid argument
check_part_i386 failed for partition type 07
BAD_RS LBA=1917848077 5967333
check_part_i386 2 type 73: no test
BAD_RS LBA=1818575915 5855017
check_part_i386 3 type 2B: no test
BAD_RS LBA=2844524554 5982593
check_part_i386 4 type 61: no test
Current partition structure:
Invalid NTFS or exFAT boot
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416

Bad relative sector.
2 * Sys=73 119380 132 62 153270 41 37 544437093

Bad relative sector.
3 * Sys=2B 113201 29 24 147074 114 59 544175136

Bad relative sector.
4 * SpeedStor 177063 118 26 177066 225 63 54974

Bad relative sector.
Only one partition must be bootable
Space conflict between the following two partitions
3 * Sys=2B 113201 29 24 147074 114 59 544175136
2 * Sys=73 119380 132 62 153270 41 37 544437093
Space conflict between the following two partitions
2 * Sys=73 119380 132 62 153270 41 37 544437093
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
Space conflict between the following two partitions
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
4 * SpeedStor 177063 118 26 177066 225 63 54974

search_part()
Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63
file_pread(5,2,buffer,83879935(5221/72/35)) ReadFile The drive cannot find the sector requested.

file_pread(5,1,buffer,83879936(5221/72/36)) ReadFile The drive cannot find the sector requested.

file_pread(5,1,buffer,83879937(5221/72/37)) lseek err Invalid argument
file_pread(5,14,buffer,83879938(5221/72/38)) lseek err Invalid argument
file_pread(5,3,buffer,83879952(5221/72/52)) lseek err Invalid argument
file_pread(5,3,buffer,83879999(5221/73/36)) lseek err Invalid argument
file_pread(5,8,buffer,83880015(5221/73/52)) lseek err Invalid argument
file_pread(5,11,buffer,83880062(5221/74/36)) lseek err Invalid argument
file_pread(5,2,buffer,83881984(5221/105/5)) lseek err Invalid argument

Results

interface_write()

No partition found or selected for recovery
simulate write!

write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition

Analyse Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63
Geometry from i386 MBR: head=115 sector=52
BAD_RS LBA=1936269394 5382406
file_pread(5,1,buffer,1936269394(120527/49/53)) lseek err Invalid argument
check_part_i386 failed for partition type 07
BAD_RS LBA=1917848077 5967333
check_part_i386 2 type 73: no test
BAD_RS LBA=1818575915 5855017
check_part_i386 3 type 2B: no test
BAD_RS LBA=2844524554 5982593
check_part_i386 4 type 61: no test
Current partition structure:
Invalid NTFS or exFAT boot
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416

Bad relative sector.
2 * Sys=73 119380 132 62 153270 41 37 544437093

Bad relative sector.
3 * Sys=2B 113201 29 24 147074 114 59 544175136

Bad relative sector.
4 * SpeedStor 177063 118 26 177066 225 63 54974

Bad relative sector.
Only one partition must be bootable
Space conflict between the following two partitions
3 * Sys=2B 113201 29 24 147074 114 59 544175136
2 * Sys=73 119380 132 62 153270 41 37 544437093
Space conflict between the following two partitions
2 * Sys=73 119380 132 62 153270 41 37 544437093
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
Space conflict between the following two partitions
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
4 * SpeedStor 177063 118 26 177066 225 63 54974

search_part()
Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63
file_pread(5,2,buffer,83879935(5221/72/35)) ReadFile The drive cannot find the sector requested.

file_pread(5,1,buffer,83879936(5221/72/36)) ReadFile The drive cannot find the sector requested.

file_pread(5,1,buffer,83879937(5221/72/37)) lseek err Invalid argument
file_pread(5,14,buffer,83879938(5221/72/38)) lseek err Invalid argument
file_pread(5,3,buffer,83879952(5221/72/52)) lseek err Invalid argument
file_pread(5,3,buffer,83879999(5221/73/36)) lseek err Invalid argument
file_pread(5,8,buffer,83880015(5221/73/52)) lseek err Invalid argument
file_pread(5,11,buffer,83880062(5221/74/36)) lseek err Invalid argument
file_pread(5,2,buffer,83881984(5221/105/5)) lseek err Invalid argument

Results

interface_write()

No partition found or selected for recovery
simulate write!

write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition

Analyse Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63
Geometry from i386 MBR: head=115 sector=52
BAD_RS LBA=1936269394 5382406
file_pread(5,1,buffer,1936269394(120527/49/53)) lseek err Invalid argument
check_part_i386 failed for partition type 07
BAD_RS LBA=1917848077 5967333
check_part_i386 2 type 73: no test
BAD_RS LBA=1818575915 5855017
check_part_i386 3 type 2B: no test
BAD_RS LBA=2844524554 5982593
check_part_i386 4 type 61: no test
Current partition structure:
Invalid NTFS or exFAT boot
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416

Bad relative sector.
2 * Sys=73 119380 132 62 153270 41 37 544437093

Bad relative sector.
3 * Sys=2B 113201 29 24 147074 114 59 544175136

Bad relative sector.
4 * SpeedStor 177063 118 26 177066 225 63 54974

Bad relative sector.
Only one partition must be bootable
Space conflict between the following two partitions
3 * Sys=2B 113201 29 24 147074 114 59 544175136
2 * Sys=73 119380 132 62 153270 41 37 544437093
Space conflict between the following two partitions
2 * Sys=73 119380 132 62 153270 41 37 544437093
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
Space conflict between the following two partitions
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
4 * SpeedStor 177063 118 26 177066 225 63 54974

search_part()
Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63
file_pread(5,2,buffer,83879935(5221/72/35)) ReadFile The drive cannot find the sector requested.

file_pread(5,1,buffer,83879936(5221/72/36)) ReadFile The drive cannot find the sector requested.

Search for partition aborted

Results

interface_write()

No partition found or selected for recovery
simulate write!

write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition

Analyse Disk /dev/sdb - 42 GB / 39 GiB - CHS 5221 255 63
Geometry from i386 MBR: head=115 sector=52
BAD_RS LBA=1936269394 5382406
file_pread(5,1,buffer,1936269394(120527/49/53)) lseek err Invalid argument
check_part_i386 failed for partition type 07
BAD_RS LBA=1917848077 5967333
check_part_i386 2 type 73: no test
BAD_RS LBA=1818575915 5855017
check_part_i386 3 type 2B: no test
BAD_RS LBA=2844524554 5982593
check_part_i386 4 type 61: no test
Current partition structure:
Invalid NTFS or exFAT boot
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416

Bad relative sector.
2 * Sys=73 119380 132 62 153270 41 37 544437093

Bad relative sector.
3 * Sys=2B 113201 29 24 147074 114 59 544175136

Bad relative sector.
4 * SpeedStor 177063 118 26 177066 225 63 54974

Bad relative sector.
Only one partition must be bootable
Space conflict between the following two partitions
3 * Sys=2B 113201 29 24 147074 114 59 544175136
2 * Sys=73 119380 132 62 153270 41 37 544437093
Space conflict between the following two partitions
2 * Sys=73 119380 132 62 153270 41 37 544437093
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
Space conflict between the following two partitions
1 * HPFS - NTFS 120527 49 53 234813 237 34 1836016416
4 * SpeedStor 177063 118 26 177066 225 63 54974

Sponsored links

User avatar
cgrenier
Site Admin
Posts: 3691
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: We were hacked. All partitions gone

#2 Post by cgrenier » 01 Oct 2017, 07:31

Looks like the partition table and both NTFS boot sector and its backup have been overwritten/encrypted.
Run TestDisk, in the Advanced menu, use 'a' to manually add a partition starting at "0 32 33". Set the partition type to NTFS.
Choose Boot, RebuildBS, List. Do you see your files ?

If you run PhotoRec on whole disk, does it recover some files or only junk/random data ?

grundyv2
Posts: 5
Joined: 01 Oct 2017, 03:29

Re: We were hacked. All partitions gone

#3 Post by grundyv2 » 01 Oct 2017, 08:34

Hi!

Thank you for the reply. When I hit A for ADD there is
Cylinder, Head, Sector, etc. Is that what I say 0323

I'm not following.

grundyv2
Posts: 5
Joined: 01 Oct 2017, 03:29

Re: We were hacked. All partitions gone

#4 Post by grundyv2 » 01 Oct 2017, 08:35

It asks for:

Cylinder
Head
Sector
Cylinder
Head Sector
Type

User avatar
cgrenier
Site Admin
Posts: 3691
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: We were hacked. All partitions gone

#5 Post by cgrenier » 01 Oct 2017, 09:20

Set the starting cylinder to 0, head to 32 and sector to 33.
No need to modify the end location.

grundyv2
Posts: 5
Joined: 01 Oct 2017, 03:29

Re: We were hacked. All partitions gone

#6 Post by grundyv2 » 01 Oct 2017, 09:22

Ok. I set the type to 07. It's scanning for MFT. How did you know to do set to 0,23,33, the reason I ask is there are about 5 other drives with the same problem.

User avatar
cgrenier
Site Admin
Posts: 3691
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: We were hacked. All partitions gone

#7 Post by cgrenier » 01 Oct 2017, 12:46

"0 32 33" with your disk geometry corresponds to 2048 sectors of 512 bytes or 1 MB, a common location for the first partition.
I also asked you to try PhotoRec. What are the results ?

grundyv2
Posts: 5
Joined: 01 Oct 2017, 03:29

Re: We were hacked. All partitions gone

#8 Post by grundyv2 » 01 Oct 2017, 22:16

I should share some more information. These are .vmdk's on ESXi. There are .vmdks. The first one the hacker deleted filed within the partitions and I was able to get the data back. The second drive (.vmdk). no recovery program has been able to find any volumes/mfts. I exported the 40GB .vmdk and what was interesting when I ran it though some programs it thought it was 800GB and had three partition tables.

So we know the hacker damaged the partition tables. Is this repairable?

I have a backup of the volume and I wonder if I could get the partition table from that? Or is it specific to the datastore it's on.

Post Reply

Who is online

Users browsing this forum: No registered users and 0 guests