
Recovering data from a compromised VM

Parent page: Cloud

You are responsible for recovering data from a virtual machine (VM) that has been compromised.

Note

This page provides an outline of the necessary steps for this situation, though it is not exhaustive.

What happens when we detect a compromised VM?

  1. Our support team confirms the compromise by investigating network traffic logs and other sources.
  2. The VM is shut down and administratively locked.
  3. You are notified by email.

Why do you need to rebuild?

  • You cannot start an administratively locked VM.
  • The contents of the VM are no longer trustworthy: assume the attacker could have modified any file on it, including binaries, configuration and the data itself. Copying data off the volume from a separate, clean instance is relatively safe, provided the volume is mounted read-only and nothing on it is executed.
  • You have to build a new VM from a trusted image rather than reuse the compromised one.

What steps should you take?

  1. Send an email to cloud@tech.alliancecan.ca outlining your recovery plan; if access to the filesystem is required, the cloud support team will unlock the volume.
  2. Log in to the OpenStack admin console.
  3. Launch a new instance from a trusted, up-to-date image; this instance will be used for data rescue operations. Never boot from the compromised volume.
  4. Under Volumes, select Manage Attachments from the dropdown list at the far right for the volume that was compromised and click on the Detach Volume button.
  5. Under Volumes, select Manage Attachments for the volume that was compromised and select Attach To Instance (select the recovery instance you just launched).
  6. SSH into your recovery instance: the old, compromised volume is now visible as the vdb disk (/dev/vdb), which you can confirm with lsblk.
  7. The filesystem you need may live directly on a partition or inside an LVM logical volume, depending on how the base OS image was built, so the mount procedure varies. Mount it read-only, do not chroot into it or run any binaries from it, and copy out only the data files you need. If you are unsure which layout you are dealing with, contact someone with experience before continuing.
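The following script is an added example for steps 6 and 7; it is not part of this page or of the Alliance cloud tooling. It assumes the compromised volume is attached as /dev/vdb (as stated above), that util-linux (lsblk, blkid, mount), lvm2 (pvs, vgchange, lvs) and rsync are installed on the recovery instance, and that it is run as root. The device names, the /mnt/rescue mount point and the RESCUE_* variables are assumptions, not something the page or the cloud team prescribes. `inspect` walks the disk (partition table, LVM physical volume, or plain filesystem) and prints how each filesystem found would be mounted; `mount` mounts one filesystem with options that keep a hostile filesystem inert; `copy` copies data out with execute and setuid bits stripped.

```shell
#!/bin/sh
# Added example, not part of the Alliance page: inspect a compromised volume
# attached to a recovery instance, mount a filesystem from it read-only, and
# copy data out without executing or altering anything on the volume.
# Assumptions: volume is /dev/vdb, tools util-linux/lvm2/rsync present, run as root.
set -eu

DISK="${RESCUE_DISK:-/dev/vdb}"   # assumed device name of the compromised volume
MNT="${RESCUE_MNT:-/mnt/rescue}"  # assumed mount point on the recovery instance

# Mount options that keep a hostile filesystem inert: read-only, nothing on it
# executable, setuid bits and device nodes ignored, and the journal left
# unreplayed (replay writes to the disk and would alter evidence).
ro_opts_for() {
    case "$1" in
        ext3|ext4) echo "ro,noexec,nosuid,nodev,noload" ;;
        xfs)       echo "ro,noexec,nosuid,nodev,norecovery" ;;
        *)         echo "ro,noexec,nosuid,nodev" ;;
    esac
}

# Classify a block device from blkid's TYPE and PTTYPE values:
# partition table, LVM physical volume, plain filesystem, or unknown.
classify() {
    fstype="$1"; pttype="$2"
    if [ -n "$pttype" ]; then echo partitioned
    elif [ "$fstype" = LVM2_member ]; then echo lvm
    elif [ -n "$fstype" ]; then echo filesystem
    else echo unknown
    fi
}

# Report what a device holds, recursing into partitions and logical volumes.
inspect() {
    dev="$1"
    fstype=$(blkid -o value -s TYPE "$dev" 2>/dev/null || true)
    pttype=$(blkid -o value -s PTTYPE "$dev" 2>/dev/null || true)
    kind=$(classify "$fstype" "$pttype")
    echo "$dev: $kind ${fstype:+($fstype)}"
    case "$kind" in
        partitioned)
            # Partitions are listed by lsblk as NAME with TYPE "part".
            lsblk -ln -o NAME,TYPE "$dev" | awk '$2=="part"{print "/dev/"$1}' |
            while read -r part; do inspect "$part"; done ;;
        lvm)
            vg=$(pvs --noheadings -o vg_name "$dev" | tr -d ' ')
            # If $vg has the same name as the recovery instance's own VG, do not
            # activate it as is; rename it first with vgimportclone. On newer
            # lvm2 the PV may also need to be added with "lvmdevices --adddev".
            vgchange -ay "$vg" >/dev/null
            lvs --noheadings -o lv_path "$vg" | tr -d ' ' |
            while read -r lv; do inspect "$lv"; done ;;
        filesystem)
            echo "  mount with: mount -t $fstype -o $(ro_opts_for "$fstype") $dev $MNT" ;;
    esac
}

# Mount one filesystem from the compromised volume read-only at $MNT.
mount_ro() {
    dev="$1"
    fstype=$(blkid -o value -s TYPE "$dev")
    [ "$(classify "$fstype" "")" = filesystem ] || { echo "$dev holds no filesystem" >&2; return 1; }
    mkdir -p "$MNT"
    mount -t "$fstype" -o "$(ro_opts_for "$fstype")" "$dev" "$MNT"
    echo "$dev ($fstype) mounted read-only at $MNT; copy data out, never chroot into it"
}

# Copy a data directory out of the mounted volume. Symlinks are copied as
# links (never followed), and execute/setuid/setgid bits are stripped from
# files so nothing rescued can be run by accident.
copy_data() {
    src="$1"; dst="$2"    # e.g. copy_data "$MNT/home/user" /srv/rescued/user
    mkdir -p "$dst"
    rsync -rltp --chmod=Fa-sx "$src/" "$dst/"
}

case "${1:-}" in
    inspect) inspect "$DISK" ;;
    mount)   mount_ro "$2" ;;
    copy)    copy_data "$2" "$3" ;;
    *)       echo "usage: $0 inspect | mount DEVICE | copy SRC_DIR DST_DIR" ;;
esac
```

Typical use on the recovery instance is `./rescue.sh inspect` to see whether /dev/vdb is partitioned, an LVM physical volume or a bare filesystem, then `./rescue.sh mount /dev/vg0/root` (or `/dev/vdb1`) and `./rescue.sh copy /mnt/rescue/home/user /srv/rescued/user`. The read-only, no-journal-replay options matter twice over: they stop the recovery instance from writing to evidence, and together with noexec/nosuid/nodev they make it much harder for anything planted on the volume to run on the clean machine.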