Big ".pag" file in .usermin/Mailbox

SYSTEM INFORMATION
OS type and version Debian Linux 12
Webmin version 2.202
Usermin version 2.102

Hi,
I have found a big “.pag” file in the “/home/DomOwner/.usermin/Mailbox” folder of a domain owner.
I don’t know what it’s used for nor what process or user action generates/updates it…

-rw------- 1 DomOwner DomOwner 13921280 Oct 16 12:00 home_DomOwner_Maildir.byid.findex.pag

This file is much bigger (~ 14 MiB) than DomOwner’s mailbox (78.3 KiB).
The total size of mailboxes of users declared in the domain (excluding sub-domains) is ~ 65 MiB.

Can I delete this big “byid.index.pag” ?

Thanks for help.

Bleck

Here is the content of the Mailbox directory :
drwx------ 2 DomOwner DomOwner 4096 Oct 29 19:02 .
drwx------ 7 DomOwner DomOwner 4096 May 17 2016 ..
-rw------- 1 DomOwner DomOwner 0 Oct 29 18:56 1.byid.index.dir
-rw------- 1 DomOwner DomOwner 1024 Oct 29 18:57 1.byid.index.pag
-rwx------ 1 DomOwner DomOwner 612 Oct 29 18:57 1.virt
-rw------- 1 DomOwner DomOwner 4096 Oct 29 18:37 attach.dir
-rw------- 1 DomOwner DomOwner 1026048 Oct 29 18:57 attach.pag
-rw-r--r-- 1 DomOwner DomOwner 104 Oct 16 11:59 config
-rw------- 1 DomOwner DomOwner 4096 Oct 29 18:52 delreplies.dir
-rw------- 1 DomOwner DomOwner 2078720 Oct 29 18:57 delreplies.pag
-rw------- 1 DomOwner DomOwner 4096 Oct 16 11:58 dsnreplies.dir
-rw------- 1 DomOwner DomOwner 1026048 Oct 29 18:57 dsnreplies.pag
-rw------- 1 DomOwner DomOwner 4096 Oct 16 11:54 _home_DomOwner_Maildir.byid.findex.dir
-rw------- 1 DomOwner DomOwner 13921280 Oct 16 12:00 _home_DomOwner_Maildir.byid.findex.pag
-rwx------ 1 DomOwner DomOwner 42 Oct 29 12:23 inbox.imap
-rwxr-x--- 1 DomOwner DomOwner 6 Oct 29 18:37 lastfolder
-rw------- 1 DomOwner DomOwner 0 Aug 21 2011 read.dir
-rw------- 1 DomOwner DomOwner 1024 Sep 14 14:22 read.pag

I have made a backup of the file and deleted it. I will see what happens :crossed_fingers:
It’s a very frustrating way to maintain a server…
Can someone tell me where are these “.pag” and “.dir” files documented ?

I would be more concerned about where they are coming from.

As they are in a mailbox I would guess they are coming in through mail.

(or quite possibly mail being sent via/through a website)

Thank you Stegan,

Some of these files are updated when the mailbox is accessed through Usermin and the search functionality is used. This way, I could update: dsnreplies.pag, delreplies.pag, 1.virt, 1.byid.index.pag, attach.pag and lastfolder.

All other files were left untouched, including the big “_home_DomOwner_Maildir.byid.findex.pag” file :worried:

Concerning mail content, these files appear in the “mailbox” sub-directory of the user’s “.usermin” directory. It seems to be consistent with the fact that some files are modified when the mailbox is accessed through Usermin and are untouched when accessed through IMAP. The mailbox content is stored somewhere else, in the /home/DomOwner/Mailbox directory, I guess.

I would still be more concerned about where they are coming from.

As I am not seeing them produced (and I am assuming no one else is either) I don’t believe this is a product of Virtualmin/Usermin.

I think you need to resolve where these are originating from and why.

Is it one specific domain? If so, what is running on that domain? (what app)

Thanks for your repeated warnings. Really :pray:

Similar files are present in another domain (not sub-domain) .usermin/mailbox directory :

drwx------ 2 owner2 owner2 4096 2024-10-24 16:46 .
drwx------ 7 owner2 owner2 4096 2024-09-14 15:25 ..
-rw------- 1 owner2 owner2    0 2024-09-14 15:25 attach.dir
-rw------- 1 owner2 owner2 1024 2024-09-14 15:25 attach.pag
-rw------- 1 owner2 owner2    0 2024-09-14 15:25 delreplies.dir
-rw------- 1 owner2 owner2 1024 2024-09-14 15:25 delreplies.pag
-rw------- 1 owner2 owner2    0 2024-09-14 15:25 dsnreplies.dir
-rw------- 1 owner2 owner2 1024 2024-09-14 15:25 dsnreplies.pag
-rw-r--r-- 1 owner2 owner2   38 2024-10-24 16:46 inbox.imap
-rw-r--r-- 1 owner2 owner2    5 2024-09-14 15:25 lastfolder

After connecting to Virtualmin as root and navigating to domain > users > owner2 > Login to Usermin, I got an error message :

I suppose the error message and the login prompt are legitimate since root is not supposed to be able to read user’s mail (not this way). Am I right ?

Of course, I couldn’t give the password but some existing files were updated :

-rw------- 1 owner2 owner2 1024 2024-11-08 16:39 delreplies.pag
-rw------- 1 owner2 owner2 1024 2024-11-08 16:39 dsnreplies.pag
-rw------- 1 owner2 owner2 1024 2024-11-08 16:39 attach.pag
-rw-r--r-- 1 owner2 owner2    6 2024-11-08 16:39 lastfolder

What is running on the domains and sub-domains owned by “owner2” and “DomOwner” ?
Both domains run widespread PHP web applications and manage mail for their users. Users access mail using IMAP or POP but don’t use the Usermin interface.

It wasn’t clear to me why no one answered me. I understand that the reason is that these files do not exist in any clean running installation of Webmin/Virtualmin/Usermin. Really ? :worried:

I guess it’s hard to accept but I may have to assume that this server has been compromised.
In this case, it would be pretty serious since the code that generates/updates files such as “1.byid.index.pag” is triggered through the Usermin interface :cold_sweat:

OK. For me that just about confirms that it is not a bug in Usermin.

Not yet! Just because something rogue is getting in through an email does not mean it has broken everything.

I’d concentrate on stopping/limiting those apps/users (temporarily) to determine if they are at fault. Are they using a specific mail program - well maintained? Can you catch them using logging? Why is the app generating these files, what is/was their purpose? Is it some alien plugin to the app?

Does the app have a community support page?
