Laurent De Buyst

Yesterday, we got hit by a cryptoware infection. Since we had a lot of affected files, scattered throughout our filesystem AND we wanted to keep the non-affected files as they were, we couldn't really do a complete restore using rdiff-backup.

So we instead managed to delete all affected files and then ran an rsync tailored so it would only restore missing files. We used our rdiff-backup storage as source and this restored the file content perfectly, so thanks already for that.

However, all files are stored as nouser:nogroup by rdiff-backup, so we had to restore those separately. We quickly found the mirror-metadata files in the rdiff-backup repository which at first glance seemed to contain the information we needed.

However, a smallish number of files are listed in there as having Uname ':' or Gname ':', literally just a colon, and I have no clue whatsoever why or what it means...

I can sort of imagine it might mean 'look in another file' since I'm only looking at the latest metadata snapshot, but if anyone could help me out, I'd appreciate it.

Laurent De Buyst
System administrator
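
An added example, not part of the original message and not rdiff-backup's own code: one way to turn mirror-metadata records into an ownership plan for the restored files. It assumes the plain-text record layout (a `File` line followed by indented `Uid`/`Uname`/`Gid`/`Gname` fields) and that a lone `:` is the placeholder written when no name was recorded for the id, so the numeric id is used instead; the sample records and the function names are constructed for illustration.

```python
import shlex

# Constructed sample records in the assumed mirror-metadata layout.
SAMPLE = """\
File docs/report.odt
  Type reg
  Uid 1001
  Uname alice
  Gid 1001
  Gname staff
  Permissions 420
File docs/old scan.pdf
  Type reg
  Uid 1017
  Uname :
  Gid 1005
  Gname :
  Permissions 416
"""

def parse_records(text):
    """Yield (path, fields) for every 'File' record in the metadata text."""
    path, fields = None, {}
    for line in text.splitlines():
        if line.startswith("File "):
            if path is not None:
                yield path, fields
            path, fields = line[5:], {}   # keep spaces inside the path
        elif line.startswith("  ") and path is not None:
            key, _, value = line.strip().partition(" ")
            fields[key] = value
    if path is not None:
        yield path, fields

def owner_plan(text):
    """Return [(path, owner, group)], using the numeric id when the name is ':'."""
    plan = []
    for path, f in parse_records(text):
        # Assumption: ':' (or a missing field) means no name was stored.
        owner = f["Uid"] if f.get("Uname", ":") == ":" else f["Uname"]
        group = f["Gid"] if f.get("Gname", ":") == ":" else f["Gname"]
        plan.append((path, owner, group))
    return plan

if __name__ == "__main__":
    # Print the commands for review instead of running them.
    for path, owner, group in owner_plan(SAMPLE):
        print(f"chown -h {owner}:{group} -- {shlex.quote(path)}")
```

Reviewing the printed commands before running them keeps any surprising numeric-only entries visible.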

