After a package update today /etc/group is defaulted

After a webmin package update today /etc/group is defaulted. Applied all available.

No account/sites are running (hard down), apparently because group info is gone. But all accounts and details are still listed in webmin/virtual min.

Can it be recovered?

SYSTEM INFORMATION

| Operating system | CentOS Linux 7.9.2009 | | |
| --- | --- | --- | --- |
| Webmin version | 1.983 | Usermin version | 1.833 |
| Virtualmin version | 6.17 | Authentic theme version | 19.84.6 |

What do you mean “defaulted”?

Anyway, it seems very unlikely an OS package update would have modified your /etc/group (though installing packages of services may add users and groups for the service, it wouldn’t remove existing groups). So, I tend to want to suggest you figure out what actually happened. Modification of users and groups can be a sign of a rooted system (attackers change users or groups to grant themselves root privileges under an innocent looking user).

Whether it can be recovered probably depends on whether you have backups. In addition to regular system and domain backups, I like to use etckeeper to keep a history of my config file changes, which acts as a backup for accidental changes or deletions (but not malicious deletions, or catastrophic disk failure).

Fair enough. It seems far-fetched to me as well. It was completely functional, we applied patch updates through webmin, which rebooted it. It booted, but websites were down and webmin was down, and ssh/putty was behaving like it was a new server. And we struggled to get back in as nothing was working. Now /etc/group is set as though it’s a fresh CentOS install. But no other sign of compromise. We have site backups, but no /etc backups.

Is it time to rebuild and restore the sites?

That isn’t something I’ve ever seen happen with a package update, I don’t think. What package(s) were updated? (We haven’t rolled any updates in quite a while, so I guess it was system packages.)

You can reconstruct the Virtualmin domain users (and any regular user) just by looking at ls -l /home and seeing the group ID of the users…it’ll show up as a number if the group doesn’t exist. Just add those groups with those IDs to the groups file.

If it also deleted system groups, like the groups used by services (i.e. apache and postfix/mail) and the like…, you may be in a bigger mess. You’d need to look at a similar system to get those values.

But, again, you may already be in a very big mess. Until you know why it happened, you really can’t trust the system. If you can’t figure out why it happened, you have to assume something nefarious. This doesn’t feel like an attack, if this is all that’s wrong, but it feels less like something a package update would do. So…unless you or someone else with administrative access (whether via ssh, Webmin/Virtualmin, Cockpit, or some other method) caused it accidentally, there aren’t any more likely scenarios (but I think this last one is the most likely based on the facts I have, but you have more facts than I do).

Check the yum or dnf log for what software was installed, if you don’t know. Then search the internet to see if anybody else has seen anything like what you’re seeing. Check with everybody else who has access to the system to see what they’ve done lately. Check the sudo log (I think that shows up in /var/log/secure maybe?) and the webmin actions log. Then, if you can’t find any explanation for why your system is like this, you’ll probably need to reinstall the OS and restore your data from backups in order to ever have absolute confidence it is not compromised. You can never know for sure a system isn’t compromised, you can only weigh up the evidence. Having users/groups or important system commands (like ps and login commands) messed with is evidence of something unusual.
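As an added example (not part of the original thread and not Virtualmin's own tooling), the following Python script does what the reply above describes: it reads the surviving `/etc/group`, stats every directory under `/home` for its numeric GID, and proposes a `groupadd -g GID NAME` for each GID that no longer has a group entry. It assumes the group name should equal the home directory's basename (Virtualmin's usual convention for domain owners); that assumption, and the sample group file and home listing used when the script runs without arguments, are constructed for this example. It prints commands for review rather than running them, and flags GIDs shared by more than one directory for manual resolution.

```python
#!/usr/bin/env python3
"""Propose /etc/group entries for GIDs still stamped on /home directories."""
import os
import shlex
import sys

# Constructed sample of a stripped-down /etc/group (not the poster's real file).
SAMPLE_GROUP_FILE = """root:x:0:
bin:x:1:
apache:x:48:
"""

# Constructed sample of what `ls -ln /home` would show as (dirname, gid);
# a GID absent from the group file is what ls prints as a bare number.
SAMPLE_HOME_ENTRIES = [("example.com", 1001), ("shop", 1002), ("admin", 48)]


def parse_group_file(text):
    """Map GID -> group name from /etc/group-formatted text (name:x:gid:members)."""
    gids = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line: skip rather than guess
        try:
            gids[int(fields[2])] = fields[0]
        except ValueError:
            continue
    return gids


def scan_home(path="/home"):
    """Return sorted (dirname, gid) pairs for directories directly under path."""
    entries = []
    with os.scandir(path) as it:
        for entry in it:
            if entry.is_dir(follow_symlinks=False):
                entries.append((entry.name, entry.stat(follow_symlinks=False).st_gid))
    return sorted(entries)


def find_missing_groups(entries, known):
    """Return ({gid: proposed_name}, [(gid, first_name, other_name), ...]).

    The proposed name is the home directory basename (an assumption that holds
    for Virtualmin domain owners, whose group is named after the user). When
    two directories share an unknown GID, the first name wins and the clash is
    reported so a human decides.
    """
    missing, conflicts = {}, []
    for name, gid in entries:
        if gid in known:
            continue
        if gid in missing and missing[gid] != name:
            conflicts.append((gid, missing[gid], name))
            continue
        missing[gid] = name
    return missing, conflicts


def groupadd_commands(missing):
    """One groupadd per missing GID, shell-quoted; nothing is executed here."""
    return ["groupadd -g %d %s" % (gid, shlex.quote(name))
            for gid, name in sorted(missing.items())]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: rebuild_groups.py /etc/group /home
        with open(sys.argv[1]) as fh:
            known = parse_group_file(fh.read())
        entries = scan_home(sys.argv[2])
    else:
        known = parse_group_file(SAMPLE_GROUP_FILE)
        entries = SAMPLE_HOME_ENTRIES
    missing, conflicts = find_missing_groups(entries, known)
    for cmd in groupadd_commands(missing):
        print(cmd)
    for gid, first, other in conflicts:
        print("# CONFLICT: gid %d used by %s and %s; resolve by hand"
              % (gid, first, other), file=sys.stderr)
```

Run it with the real paths (`python3 rebuild_groups.py /etc/group /home`) and read the output before pasting any of it into a root shell; it only recovers per-domain groups, so service groups such as apache or postfix still have to be copied from a comparable system as the reply notes.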

Thanks, that’s very helpful. Just discovered that Sentinel One jumped on the update and hosed up everything, quarantining the attached files. Working on a revert, but your advice is invaluable.

Of course we need to get S1 to understand Webmin if you have any guidance that would also be appreciated.

Quarantined .zip (1.3 KB)

Package updates have nothing to do with Webmin. Webmin shows you available packages…it uses the native package manager to install them. If you have software running on your system that destroys the system when you try to run system package updates, the problem is that software.

No argument. We’re just trying to understand. I think we do now.

Don’t know if this is 100% pro, but next time, before reboot and after updates, check this out:

How to check if CentOS / RHEL needs a full reboot - nixCraft (cyberciti.biz)

It could help you understand which parts need a reboot and therefore point you in the right direction if there’s a problem.

Thanks, we’ll look into it.

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.