Interesting Discovery Involving Rented Servers

hollowlife1987:
OK Gothi[c] and I were having a little chat in the IRC chat about old data on servers and how to remove it.

So I decided to see if I could find any data from the dedicated server my friend just got; sure enough, I found a lot of interesting and weird data....

Bottom line is, if you're going to cancel a server from a company, make sure you wipe the hard drive(s) before you do, as most companies just repartition and format the drive; they don't wipe any data off it.

That means your passwords, your emails, pictures and whatever else was on the server could still be accessible. On the flip side, that means if someone before you had illegal data on the server and your server gets seized for whatever reason,

You COULD be held accountable for the data that THEY had on it.

So when you're getting a new rented server make sure you wipe the drive before you lose access.
And when getting a new rented server make sure you/your host wipes the drive before you start putting your data on it.

Gothi[c]:
It's quite a disturbing discovery with some serious implications.

Hollow's server is a GNU/Linux server, and he was able to tell, just from looking at the raw hard drive data (which is a simple one-liner command on GNU/Linux, e.g. strings /dev/sda), that the previous user ran Windows on it. He was able to retrieve pieces of registry data, emails, and other data.

What this means:

* Say you decide to move hosts, or discontinue a server, the next person that gets your hard drive (hosting companies recycle a lot, of course), also gets all of your data, if you don't properly wipe your hard drive before discontinuing the server.

* When you get a new server, all the old data is still floating around on the hard drive, just invisible to your OS.
This means that if your server were ever subjected to an investigation by authorities for whatever reason, and the old owner had illegal material on it, they could easily think it's data you deleted.
Thus it is a good idea to not only wipe the hard drive when leaving a host, but also when getting a new server.

How to properly wipe data:

Obviously, if the data survives a reformat, it will also survive when you simply delete the files.

The only way to be certain the data is gone, is by actually overwriting the physical data on the disk with random data.

On GNU/Linux there is a utility called 'shred' which offers a secure way of removing files by overwriting the physical data multiple times with random data, unlike 'rm' which only removes the links to the physical data, so the file 'appears' gone.

Alternatively you can use dd to overwrite the entire hard drive like so:

dd if=/dev/urandom of=/dev/sda
(where sda = the hard drive to erase, of course)

Perhaps someone can give some tips on what to use on Windows servers to properly wipe data.
The problem on Windows is that the OS typically stops working when it's erasing itself :) (which is not the case on *nix when you use a statically linked application that can run from memory, like dd).

I have always been aware that data is not removed after a reformat or after removing a file. Though I must admit I never connected the dots, thinking about the implications when it comes to server hosting.
I think this practical experiment hollow did clearly illustrates that the dangers of not wiping data are real!
Thanks hollow!

hollowlife1987:
Yes, the previous owner of the server did have Windows on it; in fact it looked a lot like a desktop computer, based on the pictures I started recovering with photorec, which is part of the testdisk package.

Don't let the program name fool ya: photorec can restore a lot more than photos. It can restore a bunch of file formats, including MSSQL databases.

Edvard:
Good advice, thanks.

This happens in the consumer world as well. Used disks from computer parts shops are notorious for having all kinds of stuff on them. One time I even accidentally booted up a full Win98 installation that was left on a 540 Meg drive that I hadn't formatted yet, and wondered where all the extra desktop icons came from before realizing what was going on...

Didn't know it happens in server-land. You'd think people would have half a clue...

Gothi[c]:
--- Quote from: Edvard ---
Didn't know it happens in server-land. You'd think people would have half a clue...

--- End quote ---

Most people assume the hosting company wipes the drive before reusing it. Obviously they don't. Most just do a simple format, which leaves all the data intact.

e.g. mke2fs -j /dev/sda1, which is what your typical GNU/Linux distro install CD runs to format the HD, does not null the HD. It only creates the inode table to hold the links of files to the raw data (like the file allocation table in FAT16/32 or the master file table on NTFS).

Most people, including hosting companies, just figure that when they delete the partition, and reinstall another OS, all old data is gone.
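
Added example (not part of the original thread or written by its posters): a shell demonstration of the point made in the posts above, that a format leaves old data readable while a full overwrite removes it, with a check after each step. It runs against a scratch image file rather than a real disk; the marker string, image size and function names are constructed, and zeroing the first 64 KiB is an assumed stand-in for a repartition and quick format.

```bash
#!/usr/bin/env bash
# Added demo: operates on a scratch image file, never on a real disk.
# MARKER, SIZE_MIB and the function names are constructed for this example.
set -eu

MARKER='PREVIOUS-TENANT-SECRET-0001'  # constructed stand-in for leftover data
SIZE_MIB=4

# Build a "used" disk image: random filler with the marker planted at 1 MiB.
make_used_image() {
    dd if=/dev/urandom of="$1" bs=1M count="$SIZE_MIB" 2>/dev/null
    printf '%s' "$MARKER" | dd of="$1" bs=1M seek=1 conv=notrunc 2>/dev/null
}

# Assumed stand-in for repartition + format: only the first 64 KiB, where
# partition and filesystem metadata would be written, gets rewritten.
quick_format() {
    dd if=/dev/zero of="$1" bs=64K count=1 conv=notrunc 2>/dev/null
}

# Count raw lines that still contain the marker (the 'strings | grep' check).
residual_hits() {
    grep -a -c -F -- "$MARKER" "$1" || true
}

# Overwrite every byte with random data, the same idea as the thread's dd line.
wipe_image() {
    local bytes mib
    bytes=$(wc -c < "$1")
    mib=$(( (bytes + 1048575) / 1048576 ))
    dd if=/dev/urandom of="$1" bs=1M count="$mib" conv=notrunc 2>/dev/null
    sync
}

demo() {
    local img
    img=$(mktemp)
    make_used_image "$img"
    quick_format "$img"
    echo "after quick format:   $(residual_hits "$img") hit(s)"
    wipe_image "$img"
    echo "after full overwrite: $(residual_hits "$img") hit(s)"
    rm -f "$img"
}

demo
```
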
