Ubuntu Linux 8.04.2 Virtualmin 3.77 Pro
Last Sunday AM I discovered all the files in the virtual site /home/mysite were missing, with the exception of two folders (Stat Folder I think). Also the "Owner" name was not the name but a number.
It was a critical site so I restored the site from the latest backup. The site came back, but the majority of the files were from last August. The backup file had a current date, and there were system files showing the current date as well in the backup archive. There were no indications that there were issues with a backup.
At 10pm the previous night I did restore a backup from a different server on to the server I had this issue with to confirm the backup from the other server was valid. Once I was able to verify the restored virtual server worked I deleted it (not the /mysite Virtual Server). Could this have caused the user and files to be deleted from the /mysite virtual server?
A few months previous I had issues with /mysite with invalid administrators. I had moved the server several times and the administrator was corrupted.
Also, what would cause the built-in Backup program to continue to generate backup files with old file information?
Thanks.
Comments
Submitted by JamieCameron on Fri, 04/30/2010 - 15:51 Comment #1
Are you sure you are restoring the latest backup file? If you restore it on a different system, are the files still missing?
Also, are you perhaps using incremental backups?
Submitted by sfosseen on Wed, 05/05/2010 - 22:31 Comment #2
I only had one backup file for each virtual server, so every night the backup was overwritten.
I did a restore on a new VirtualMin GPL server, with the same results.
I was running full backups. I suspect that I would not be able to restore an incremental backup file without first restoring the original full backup.
It looks like the files in the ..backup\ and the .\logs\ directory were current, or at least the files had recent date/time stamps. Looking at the two mySQL dumps, the backup file had the current date/time, and the end of the file also had the current date listed. When the backup completed at 4am there was still data in both the mySQL databases and the virtual server home folder, but other than the two folders I listed above no file was dated later than 8/18/2009. This also includes mySQL records. My WordPress and Moodle, when restored, don't show errors, but only show records before the 8/18/2009 date. At 1pm when I looked at the server there were no files in the virtual server home directory, with the exception of the ..backup\ and .\logs\ folder. And those files listed the proper group, but the owner was a number.
I don't have enough data points to confirm, but it almost looks like some sort of file purge by date was run, that also purged DB records by date? Is this possible?
Submitted by JamieCameron on Thu, 05/06/2010 - 02:03 Comment #3
There's no way the Virtualmin backup process could purge records from the DB by date ..
I wonder if perhaps something else was deleting files at or before the time the backups were made?
Submitted by sfosseen on Mon, 05/10/2010 - 14:55 Comment #4
I am suspecting that was the case now. In my haste to bring the site up ASAP I did not save any of the virtual server logs before I restored the virtual server with the last backup. What I remember was that in the Apache logs there were web crawlers accessing the virtual server successfully until 6:40am. So what I have is sometime between 3:55am - 4:10am the backup ran and somehow all files/db records were purged after 8/18/2009, with the exception of the /.backup and /log directories. Then around 6:40am all the remaining files were purged.
Could this type of purge be done from a site exploit, or are there any functions within Virtualmin that would purge files by date? I am assuming it was a purge by date, as when I restored the backup the latest file date was 8/18/2009, and the data in the mySQL table for a WordPress blog only listed records before 8/18/2009 as well.
Submitted by JamieCameron on Tue, 05/11/2010 - 00:23 Comment #5
I suppose some kind of exploit could have done this.
There is nothing in Virtualmin that deletes old files, except for the option when creating a scheduled backup to delete backups older than some date.
Submitted by sfosseen on Wed, 05/12/2010 - 09:02 Comment #6
Thanks for your help.
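
The symptom described in this thread (a backup file with a current date whose site content is months old) can be caught before a restore is needed by auditing the archive itself. The following is an added example, not code from the thread or from Virtualmin: it assumes the backup is a tar archive of the virtual server's home directory with owner names recorded the way GNU tar does, and the sample archive, its file names, dates and UID are constructed.

```python
import io
import tarfile
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def build_sample_backup():
    """Constructed sample archive: current logs and dumps, stale site content."""
    members = [  # (path, owner name, mtime); every value here is constructed
        ("./public_html/index.php", "mysite", datetime(2009, 8, 18, 9, 0, tzinfo=UTC)),
        ("./public_html/wp-config.php", "mysite", datetime(2009, 8, 10, 14, 30, tzinfo=UTC)),
        ("./logs/access_log", "", datetime(2010, 4, 25, 3, 58, tzinfo=UTC)),
        ("./.backup/mysite_mysql_dump", "mysite", datetime(2010, 4, 25, 4, 0, tzinfo=UTC)),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, owner, mtime in members:
            info = tarfile.TarInfo(path)
            info.uid, info.uname = 1005, owner  # empty uname: UID had no account
            info.mtime = int(mtime.timestamp())
            data = b"constructed\n"
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def audit_backup(fileobj, taken_at, max_age=timedelta(days=2)):
    """Return (newest mtime per top-level dir, stale dirs, members with no owner name)."""
    newest, orphaned = {}, []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            if not m.isfile():
                continue
            name = m.name[2:] if m.name.startswith("./") else m.name
            top = name.split("/", 1)[0]
            mtime = datetime.fromtimestamp(m.mtime, tz=UTC)
            newest[top] = max(newest.get(top, mtime), mtime)
            if not m.uname:  # archived under a bare numeric UID
                orphaned.append(m.name)
    # A directory is stale when even its newest file predates the backup by max_age.
    stale = sorted(d for d, t in newest.items() if taken_at - t > max_age)
    return newest, stale, orphaned

if __name__ == "__main__":
    newest, stale, orphaned = audit_backup(
        build_sample_backup(), taken_at=datetime(2010, 4, 25, 4, 10, tzinfo=UTC))
    for d, t in sorted(newest.items()):
        print(f"{d:12} newest file {t:%Y-%m-%d %H:%M}", "STALE" if d in stale else "")
    print("no owner name:", orphaned)
```

A site that is genuinely static will also be reported as stale, so `max_age` should reflect how often the content is expected to change. Because the backup in the thread was overwritten nightly, a check like this is only useful if it runs before the previous good archive is replaced.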