I had a server with 2 mirrored hard drives (software RAID), running CentOS 5.
Someone accessed my server and deleted many files on the server.
I tested the hard drive with testdisk, but it just finds the folders and not their contents.
I only have shell access to the server.
What are the best recovery tools that offer command-line recovery?
Can I un-RAID the hard drives and try recovery on one of them? Is this a good idea?
Best Answer
You should do two things:
1. Since your server was compromised, you should take it offline immediately and audit how this happened. Once you know this, proceed to step 2.
2. Restore from a known good backup, and while still offline, fix whatever vulnerability led to your initial compromise. RAID is not a backup, and shouldn't be treated as such. Recovering files with some file-recovery methods is possible, but restoring from backup (especially in light of the fact that you were compromised) is really the only reliable option.