On Feb 18, 2002 22:41 +0100, NovaLand wrote: > Recently I've encountered a problem, and now I would preciate any help > about being able to undelete files. > > My /var filestructured is mounted at /dev/hdc1 > Part of my /etc/mtab looks like this: > /dev/hdc1 /var ext3 rw 0 0 To start with, you should leave e2fsck checking enabled for your ext3 filesystems. If there is ever a filesystem error, the in-kernel recovery code cannot repair it, unlike e2fsck. If the periodic e2fsck forced checks bother you, change them with tune2fs (-c and -i options) to something you can live with. As people have seen in the past, disks, kernels, memory are not perfect, so you should still check your filesystems every 6 months or so. > So, could anyone give me a hint of how things could be done to find > deleted inodes? The way that ext3 deletes them makes it impossible to do this, unlike ext2. It is a problem that the ext2 developers are aware of, but it isn't necessarily easily fixed. > I know.. backup is everything, but the reason I'd like to do this is > that I know that last saturday at 9:35 am, the logs were most likley > altered to cover up after a system break-in. The original logs could > have been copied before this and therefor finding out deleted inodes > could be of a great importance. Well, if this is the case, then having the old logs will probably not help you. I would reinstall the system from scratch, and restore your data from backup. If you don't want to do that, at least reinstall your OS from scratch, replace your binaries, and audit any startup scripts, server config scripts, etc for new holes. Cheers, Andreas -- Andreas Dilger http://sourceforge.net/projects/ext2resize/ http://www-mddsp.enel.ucalgary.ca/People/adilger/
