* NAS RAID configuration overwritten by ransomware
@ 2024-06-30 18:16 MC
2024-07-01 8:58 ` Mariusz Tkaczyk
0 siblings, 1 reply; 2+ messages in thread
From: MC @ 2024-06-30 18:16 UTC (permalink / raw)
To: linux-raid
Hi everyone,
Is there a way to force mdadm to assemble a certain set of drives into
a particular RAID format? A friend of mine had a NAS that was hit with
ransomware. His setup was a RAID-5, 64kb chunk size, 4x4TB, XFS
filesystem setup, while during the attack, they overwrote the config
to be RAID-0/512kb chunk size (it is a Buffalo NAS, running Linux with
libmd). He pulled the plug while it was in the process of formatting
the XFS filesytem. Much of the data I have been able to recover, but
now it would be a lot nicer for me if I could access a raw /dev device
assembled as RAID-5/64kb chunk (rather than the current RAID-0
mdadm/mdstat currently shows), instead of using a tool like UFS
Explorer to assemble it properly for me. Obviously, minimal
(preferably none) writes to the disk if possible. I was afraid to
start throwing mdadm assemble and create commands around. Could
someone please advise on best path forward?
Thanks in advance,
Mike
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: NAS RAID configuration overwritten by ransomware
2024-06-30 18:16 NAS RAID configuration overwritten by ransomware MC
@ 2024-07-01 8:58 ` Mariusz Tkaczyk
0 siblings, 0 replies; 2+ messages in thread
From: Mariusz Tkaczyk @ 2024-07-01 8:58 UTC (permalink / raw)
To: MC; +Cc: linux-raid
On Sun, 30 Jun 2024 11:16:34 -0700
MC <darkhat@gmail.com> wrote:
> Hi everyone,
>
> Is there a way to force mdadm to assemble a certain set of drives into
> a particular RAID format? A friend of mine had a NAS that was hit with
> ransomware. His setup was a RAID-5, 64kb chunk size, 4x4TB, XFS
> filesystem setup, while during the attack, they overwrote the config
> to be RAID-0/512kb chunk size (it is a Buffalo NAS, running Linux with
> libmd). He pulled the plug while it was in the process of formatting
> the XFS filesytem. Much of the data I have been able to recover, but
> now it would be a lot nicer for me if I could access a raw /dev device
> assembled as RAID-5/64kb chunk (rather than the current RAID-0
> mdadm/mdstat currently shows), instead of using a tool like UFS
> Explorer to assemble it properly for me. Obviously, minimal
> (preferably none) writes to the disk if possible. I was afraid to
> start throwing mdadm assemble and create commands around. Could
> someone please advise on best path forward?
>
> Thanks in advance,
> Mike
>
Hello Mike,
there is a --build option for mdadm (run array with no metadata). Perhaps this
is option you are looking for:
#mdadm -Ss (stop all existing)
# mdadm --build /dev/md126 <here your raid5 params comes> --assume-clean
use --assume-clean to avoid reconstruction. so far I know, --readonly is not
supported. You can set /sys/block/md126/ro = 1 manually to prevent writes.
Thanks,
Mariusz
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-07-01 8:58 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-06-30 18:16 NAS RAID configuration overwritten by ransomware MC
2024-07-01 8:58 ` Mariusz Tkaczyk
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).